Re: Haproxy and postfix SMTPS - can't get haproxy and postfix talking to each other

[Thomas Heil]

Hi,

On 31.08.2015 13:44, Lukas Erlacher wrote:
> Hi,
> 
>>
>> Could be send your complete config and remove private information? Could
>> you also please give us the output of haproxy -vv?
>>
> 
> Full config: http://ix.io/ky6

thanks.
> 
> haproxy -vv:
> 
> HA-Proxy version 1.5.3 2014/07/25
> Copyright 2000-2014 Willy Tarreau <w...@1wt.eu>
> 
> Build options :
>   TARGET  = linux2628
>   CPU     = generic
>   CC      = gcc
>   CFLAGS  = -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat
> -Werror=format-security -D_FORTIFY_SOURCE=2
>   OPTIONS = USE_ZLIB=1 USE_OPENSSL=1 USE_PCRE=1
> 
> Default settings :
>   maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200
> 
> Encrypted password support via crypt(3): yes
> Built with zlib version : 1.2.8
> Compression algorithms supported : identity, deflate, gzip
> Built with OpenSSL version : OpenSSL 1.0.1f 6 Jan 2014
> Running on OpenSSL version : OpenSSL 1.0.1f 6 Jan 2014
> OpenSSL library supports TLS extensions : yes
> OpenSSL library supports SNI : yes
> OpenSSL library supports prefer-server-ciphers : yes
> Built with PCRE version : 8.31 2012-07-06
> PCRE library supports JIT : no (USE_PCRE_JIT not set)
> Built with transparent proxy support using: IP_TRANSPARENT
> IPV6_TRANSPARENT IP_FREEBIND
> 
> Available polling systems :
>       epoll : pref=300,  test result OK
>        poll : pref=200,  test result OK
>      select : pref=150,  test result OK
> Total: 3 (3 usable), will use epoll.
> 
> 
looks good to me

> Best,
> Luke
> 

Well I created a very simple config.

/etc/haproxy.cfg
global
        maxconn 65000
        ulimit-n 85535
        uid 0
        gid 0
        daemon
        stats socket /var/run/haproxy.stat level admin

        nbproc 1

        cpu-map all 1 2
        ssl-server-verify none

        tune.ssl.default-dh-param 2048

defaults
        mode    tcp
        no option http-server-close
        timeout connect 5000
        timeout client  50000
        timeout server  50000

listen app1
        bind :8080
        mode http
        stats enable
        stats uri /
        maxconn 200


frontend ft_smtps
        bind :465
        timeout client 1m
        default_backend bk_postfix_smtps

backend bk_postfix_smtps
        option tcp-check
        timeout server 1m
        timeout connect 5s
        server mail-1 172.1.1.21:10464 send-proxy check

/etc/postfix/master.cf on 172.1.1.21
10464     inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_upstream_proxy_protocol=haproxy


Would you mind trying ?

10464 inet n - n - - smtpd

instead of

10464 inet n - - - - smtpd

For haproxy...

The only differnce is that you use chroot and user haproxy.. Cou,ld you
please try with the default and global section in the minimal example?


cheers
thomas