Good day Guys

I was hoping I can pick your brain and ask for your help.
If anyone can help and share pointers, it would be gratefully appreciated.

Where I work, we just inherited a series of third-party outgoing spam servers. For various reasons, we need to load balance but, more importantly, direct traffic for when we need to perform maintenance on these servers.

What we decided to use and do is put haproxy in front.

The intended topology is:
[clients MTA servers] - 587 -> [haproxy] - 587 -> [outgoing spamservers]

On the odd occasion we see the following error message(s) on the clients' MTAs, and the mail just sits in the queue. When we revert back, it all flows.

TLS error on connection (recv): The TLS connection was non-properly terminated.

Remote host closed connection in response to end of data.

We can't figure it out, or why.
What we think is happening is: there is a cert mismatch, and as a result Exim just refuses to send or accept the mail.

Here is a snippet from when I run exim4 -d -M ID on a mail in the queue on the client MTA.

gnutls_handshake was successful
TLS certificate verification failed (certificate invalid): peerdn="CN=antispam6-REMOVED"
TLS verify failure overridden (host in tls_try_verify_hosts)
Calling gnutls_record_recv(0x5634066e64a0, 0x7fffc4a62180, 4096)
H=se-balancer.REMOVED [REMOVEDIP] TLS error on connection (recv): The TLS connection was non-properly terminated.
ok=0 send_quit=0 send_rset=1 continue_more=0 yield=1 first_address is not NULL
tls_close(): shutting down TLS

One of the things we were thinking is that the name of the LB is not in the SAN cert of the outgoing spam server. The other thing we realised is that we do not do / use SSL termination on the haproxy. Do we need to do that?

We are not experts on TLS and crypto protocols.

If anyone can help, it would be great.

Kindest regards and many thanks.
Brent Clark
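The SAN question raised in the post can be checked directly. With haproxy passing port 587 through in TCP mode (no termination), the Exim clients see the backend server's own certificate, so that certificate has to carry the name the MTAs actually connect to (the balancer's), not only the backend's own name. The following Python is an added example for this thread, not code from the original post: it applies the RFC 6125 name-matching rules (DNS subjectAltName entries take precedence, the CN is consulted only when the certificate has no DNS SAN, a wildcard covers exactly one left-most label) to a certificate in the dict shape Python's `ssl` module returns, and includes a helper that fetches that dict from a submission server over STARTTLS. The hostnames and the certificate contents are constructed to mirror the thread and are not real systems.

```python
"""Check whether a TLS server certificate's names cover the hostname an MTA
connects to.  Added example for this thread, not code from the original post.
Name matching follows RFC 6125; hosts and certificate data are constructed."""
import smtplib
import ssl
from typing import Optional

# Constructed certificate in the shape returned by ssl.SSLSocket.getpeercert():
# the backend's own name only, nothing naming the balancer the MTAs talk to.
BACKEND_CERT = {
    "subject": ((("commonName", "antispam6.example.net"),),),
    "subjectAltName": (("DNS", "antispam6.example.net"),),
}

# Hypothetical balancer name the client MTAs are configured to deliver to.
BALANCER_NAME = "se-balancer.example.net"


def _labels(name: str) -> list[str]:
    return name.rstrip(".").lower().split(".")


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Compare one dNSName (or CN) pattern against a hostname, RFC 6125 style."""
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Wildcard only as the whole left-most label, covering exactly one
        # label, and with at least two fixed labels after it ("*.com" rejected).
        return len(p) >= 3 and h[0] != "" and p[1:] == h[1:]
    if "*" in pattern:
        return False  # partial ("f*o") or non-left-most wildcards are rejected
    return p == h


def cert_names(cert: dict) -> tuple[list[str], Optional[str]]:
    """Return (DNS SAN entries, commonName) from a getpeercert()-style dict."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    cn = None
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                cn = value
    return sans, cn


def cert_covers_hostname(cert: dict, hostname: str) -> bool:
    """True if the certificate is valid for `hostname` under RFC 6125 rules."""
    sans, cn = cert_names(cert)
    if sans:
        # Once DNS SANs exist the CN is ignored, so adding the balancer name
        # to the CN alone would not fix a mismatch.
        return any(dns_name_matches(san, hostname) for san in sans)
    return cn is not None and dns_name_matches(cn, hostname)


def fetch_peer_cert(host: str, port: int = 587, timeout: float = 10.0) -> dict:
    """Connect to a submission server, STARTTLS, and return its getpeercert().
    Hostname checking is disabled so the dict comes back even when the name
    does not match; chain verification still applies, so an untrusted issuer
    raises ssl.SSLError instead of returning an empty dict."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.starttls(context=ctx)
        return smtp.sock.getpeercert()


if __name__ == "__main__":
    for name in (BALANCER_NAME, "antispam6.example.net"):
        verdict = "ok" if cert_covers_hostname(BACKEND_CERT, name) else "NO MATCH"
        print(f"{name}: {verdict}")
```

Run against a live balancer by replacing `BACKEND_CERT` with `fetch_peer_cert(BALANCER_NAME)` and checking `cert_covers_hostname(..., BALANCER_NAME)`: a `NO MATCH` for the balancer name while the backend's own name passes is the exact condition the `TLS certificate verification failed` debug line reports, and the fix is either a backend certificate whose SAN lists the balancer name, or terminating TLS on haproxy with a certificate issued for that name.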
