Hi,

On 28.08.2015 12:23, Lukas Erlacher wrote:
> Hello,
>
> firstly, I am aware that SMTPS is deprecated and should not be used. But
> I have to support legacy infrastructure and the person who can tell me
> that it is fine to turn off SMTPS isn't around atm, so I'm trying to
> make this work.

so you just have another port to take care of.

>
> I have a postfix server with SMTPS, this is the master.cf configuration:
>
> 10464 inet n - - - - smtpd
>   -o smtpd_tls_wrappermode=yes
>   -o smtpd_sasl_auth_enable=yes
>   -o smtpd_upstream_proxy_protocol=haproxy
>

Hey cool, I was not aware that smtpd also supports haproxy's proxy protocol.
But I can confirm your modifications in master.cf are correct.

> This is the haproxy configuration:
>
> frontend ft_smtps
>   bind 0.0.0.0 ssl crt haproxy.combined.key.pem
>   timeout client 1m
>   log global
>   option tcplog
>   default_backend bk_postfix_smtps
>

This won't work, I think. You should just be fine with bind :465

--
bind :465
mode tcp
maxconn 2000
..
default ...
--

> backend bk_postfix_smtps
>   option smtpchk HELO localhost
>   log global
>   option tcplog
>   timeout server 1m
>   timeout connect 5s
>   server mailbackend mail:10464 ssl verify none send-proxy check
>

option smtpcheck won't work with ssl, so please remove it.

please try a server line like

--
server mailbackend mail:10464 send-proxy check-send-proxy check port 10464 rise 1 fall 1 inter 1000
--

> I get this message from haproxy:
>
> Aug 28 12:15:53 haproxy haproxy[1962]: message repeated 3 times: [
> Server bk_postfix_smtps/mailbackend is DOWN, reason: Layer6 timeout,
> check duration: 2001ms. 0 active and 0 backup servers left. 0 sessions
> active, 0 requeued, 0 remaining in queue.]

indeed, this should be caused by option smtpcheck.

>
> And this from the postfix:
>
> Aug 28 12:15:51 mail postfix-from-user/smtpd[16561]: connect from
> haproxy[XXX.XXX.42.4]
> Aug 28 12:15:53 mail postfix-from-user/smtpd[16561]: SSL_accept error
> from haproxy[XXX.XXX.42.4]: Connection reset by peer
> Aug 28 12:15:53 mail postfix-from-user/smtpd[16561]: lost connection
> after CONNECT from haproxy[XXX.XXX.42.4]

this sounds like you don't speak ssl to postfix.

>
> Any idea?
>
> I've also tried setting it up without ssl termination, which doesn't
> work - I am assuming the PROXY protocol can't work without termination.
>

indeed, do it without ssl termination, just pure tcp and proxy protocol.

> Best
> Luke
>
>

cheers,
thomas
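
To check what actually reaches the Postfix port in a setup like the one discussed above, the first bytes of a connection can be classified offline. This is an added example, not part of the original thread; it assumes PROXY protocol version 1 (the text form), and the function names, sample bytes and documentation-range addresses are constructed for illustration.

```python
import ipaddress

def parse_proxy_v1(buf):
    """Return (fields, rest); fields is None when no PROXY v1 header leads buf."""
    if not buf.startswith(b"PROXY "):
        return None, buf
    end = buf.find(b"\r\n", 0, 107)  # v1 line, CRLF included, is at most 107 bytes
    if end < 0:
        raise ValueError("unterminated PROXY v1 header")
    parts = buf[:end].decode("ascii").split(" ")
    rest = buf[end + 2:]
    if parts[1] == "UNKNOWN":
        return {"proto": "UNKNOWN"}, rest
    if parts[1] not in ("TCP4", "TCP6") or len(parts) != 6:
        raise ValueError("malformed PROXY v1 header")
    src, dst = ipaddress.ip_address(parts[2]), ipaddress.ip_address(parts[3])
    want = 4 if parts[1] == "TCP4" else 6
    sport, dport = int(parts[4]), int(parts[5])
    if src.version != want or dst.version != want:
        raise ValueError("address family does not match protocol field")
    if not (0 <= sport < 65536 and 0 <= dport < 65536):
        raise ValueError("port out of range")
    return {"proto": parts[1], "src": str(src), "dst": str(dst),
            "sport": sport, "dport": dport}, rest

def looks_like_client_hello(buf):
    # TLS record type 0x16 (handshake), major version 3, handshake type 1 (ClientHello)
    return len(buf) >= 6 and buf[0] == 0x16 and buf[1] == 0x03 and buf[5] == 0x01

def classify(first_bytes):
    """Describe what a PROXY-aware TLS-wrapped listener would see first."""
    try:
        hdr, rest = parse_proxy_v1(first_bytes)
    except ValueError:
        return "malformed PROXY header"
    tls = looks_like_client_hello(rest)
    if hdr:
        return "PROXY header, then TLS ClientHello" if tls else "PROXY header, then non-TLS data"
    return "TLS ClientHello without PROXY header" if tls else "neither PROXY header nor TLS"

# Constructed samples (not captured traffic); addresses are documentation ranges.
HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0x2F, 0x01]) + b"\x00" * 4
WITH_HEADER = b"PROXY TCP4 198.51.100.7 192.0.2.10 51234 10464\r\n" + HELLO

if __name__ == "__main__":
    for name, data in (("with header", WITH_HEADER), ("bare TLS", HELLO)):
        print(name, "->", classify(data))
```

The "TLS ClientHello without PROXY header" case is what a listener expecting the header would receive from any peer that connects without sending it first.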

