https://bugs.exim.org/show_bug.cgi?id=2018
--- Comment #4 from Nenad Opsenica <[email protected]> ---

Just to describe my setup:

* haproxy to do "ssl passthrough" (i.e. running in TCP mode without SSL/TLS offloading) from clients to imap and smtp/submission servers
* dovecot configuration that uses this kind of setup works perfectly with both StartTLS IMAP (port 143) and IMAPS (port 993).

Relevant configuration parts for the TLS-on-connect case (port 993/imaps):

HAproxy:

    listen imap
        bind :993
        mode tcp
        option tcplog
        stick-table type ip size 200k expire 30m
        stick on src
        server mail2 mail2.local.net:10993 check-send-proxy send-proxy-v2

Dovecot:

    inet_listener imaps_haproxy {
        port = 10993
        ssl = yes
        haproxy = yes
    }

A similar setup with HAproxy and Exim for the TLS-on-connect case (port 465) does not work:

HAproxy:

    listen smtp
        bind :465
        mode tcp
        option tcplog
        stick-table type ip size 200k expire 30m
        stick on src
        server mail2 mail2.local.net:465 check-send-proxy send-proxy-v2

Exim configuration:

    hosts_proxy = IP_address_of_HAproxy_server

Exim is patched with the fix for proxy-v2 from https://bugs.exim.org/show_bug.cgi?id=2003

When I changed the function smtp_start_session() in smtp_in.c to call check_proxy_protocol_host() first, and then tls_server_start(), the proxied session was successfully detected (debug information showed the IP address of the end client), but unfortunately the TLS session was not started; obviously this can't be fixed in that 'easy' way. But it shows that HAproxy, when used in "TLS/SSL passthrough" mode, prepends an unencrypted proxy header.
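Added example, not from the bug report or from Exim's or HAProxy's code: a small parser for the plaintext PROXY protocol v2 header that HAProxy's send-proxy-v2 puts in front of the TLS ClientHello on the port-465 path described above, plus an order check that reproduces the reporter's observation that the header must be consumed before TLS is started. Addresses, ports and the TLS bytes in the sample stream are constructed.

```python
import struct
from ipaddress import IPv4Address, IPv6Address

# Signature HAProxy (send-proxy-v2) writes as the first bytes of the TCP stream,
# in plaintext, ahead of any TLS record.
PROXY_V2_SIG = b"\x0D\x0A\x0D\x0A\x00\x0D\x0A\x51\x55\x49\x54\x0A"

def parse_proxy_v2(data):
    """Parse a PROXY v2 header at the start of `data`; return
    (src_ip, src_port, dst_ip, dst_port, rest), `rest` being the bytes after
    the header (on port 465: the TLS ClientHello)."""
    if len(data) < 16 or data[:12] != PROXY_V2_SIG:
        raise ValueError("no PROXY v2 signature")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 2:
        raise ValueError("unsupported PROXY version")
    if len(data) < 16 + length:
        raise ValueError("truncated PROXY header")
    body, rest = data[16:16 + length], data[16 + length:]
    if ver_cmd & 0x0F == 0:        # LOCAL command: no relayed addresses
        return None, None, None, None, rest
    family = fam_proto >> 4
    if family == 0x1:              # AF_INET: 4+4 byte addresses, 2+2 byte ports
        src, dst, sp, dp = struct.unpack("!4s4sHH", body[:12])
        return str(IPv4Address(src)), sp, str(IPv4Address(dst)), dp, rest
    if family == 0x2:              # AF_INET6: 16+16 byte addresses
        src, dst, sp, dp = struct.unpack("!16s16sHH", body[:36])
        return str(IPv6Address(src)), sp, str(IPv6Address(dst)), dp, rest
    raise ValueError("unsupported address family")

def is_tls_record(data):
    """True if `data` begins with a TLS handshake record header (0x16 0x03 ...)."""
    return len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03

def classify(stream):
    """Order check: TLS straight away (what fails behind HAProxy) vs PROXY then TLS."""
    if is_tls_record(stream):
        return "tls-first-ok"
    rest = parse_proxy_v2(stream)[4]
    return "proxy-then-tls-ok" if is_tls_record(rest) else "no-tls-after-proxy"

# Constructed sample: PROXY v2 (IPv4/TCP, client 203.0.113.7:51234 -> 192.0.2.25:465)
# followed by the first bytes of a TLS handshake record.
SAMPLE_HEADER = (PROXY_V2_SIG + bytes([0x21, 0x11]) + struct.pack("!H", 12)
                 + IPv4Address("203.0.113.7").packed + IPv4Address("192.0.2.25").packed
                 + struct.pack("!HH", 51234, 465))
SAMPLE_TLS = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x03"
SAMPLE_STREAM = SAMPLE_HEADER + SAMPLE_TLS
```

Feeding SAMPLE_STREAM to a TLS server directly fails the record check, while parsing the PROXY header first yields the real client address and leaves a clean TLS record for the handshake.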
