On 09/06/2020 12:28, Brent Clark via Exim-users wrote:
> Where I work, we just inherited a series of third party outgoing spam
> servers.
> For various reasons, we need to loadbalance but more importantly direct
> traffic for when we need to perform maintenance on these servers.
>
> What we decided to use and do is put haproxy in front.
>
> The intended topology is:
> [clients MTA servers] - 587 -> [haproxy] - 587 -> [outgoing spamservers]

You're serving spam? And why do your MTAs talk on 587?

> On odd occasion we see the following error message(s) on the clients
> MTAs. And the mail just sits in the queue. When we revert back, it all
> flows.

(Grammar grumble. "Revert" already implies a reversal. Adding "back" is redundant. Seems to be an Indian subcontinent habit, at my $work)

> We can't figure it out, and why.
> What we think is happening is. There is a cert mismatch. And as a
> result Exim just refuses to send or accept the mail.

I don't think that conclusion holds...

> gnutls_handshake was successful
> TLS certificate verification failed (certificate invalid):
> peerdn="CN=antispam6-REMOVED"
> TLS verify failure overridden (host in tls_try_verify_hosts)

Note, the verify fail was ignored by this exim.

> 5:02
> Calling gnutls_record_recv(0x5634066e64a0, 0x7fffc4a62180, 4096)
> LOG: MAIN
> H=se-balancer.REMOVED [REMOVEDIP] TLS error on connection (recv): The
> TLS connection was non-properly terminated.
> SMTP(closed)<<

The TCP connection was closed by the far end. Not by this end (exim, in client mode).

Load-balancers and SMTP... I do not recommend the combination.

--
Cheers,
Jeremy

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/