Without wishing to second guess your operational setup, are all of those
services (client machines, haproxy, anti-spam boxes) on your network i.e.
do they *need* TLS?

Given the insecure nature of email, and the lack of guarantees which you
(or anyone) can make about subsequent point-to-point transport layer
security, would it not simply be easier to disable all TLS in that setup?

Just a thought :-)
J

On Tue, 9 Jun 2020 at 12:34, Brent Clark <brentgclarkl...@gmail.com> wrote:

> Good day Guys
>
> I was hoping I can pick your brain and ask for your help.
> If anyone can help and share pointers, it would be gratefully appreciated.
>
> Where I work, we just inherited a series of third-party outgoing spam
> servers.
> For various reasons, we need to load-balance but, more importantly, direct
> traffic for when we need to perform maintenance on these servers.
>
> What we decided to use and do is put haproxy in front.
>
> The intended topology is:
> [clients MTA servers] - 587 -> [haproxy] - 587 -> [outgoing spamservers]
>
> On the odd occasion we see the following error message(s) on the clients'
> MTAs, and the mail just sits in the queue. When we revert, it all
> flows.
>
> ---------------------------------------------
> TLS error on connection (recv): The TLS connection was non-properly
> terminated.
>
> Remote host closed connection in response to end of data.
> ---------------------------------------------
>
> We can't figure it out, or why.
> What we think is happening is: there is a cert mismatch, and as a
> result Exim just refuses to send or accept the mail.
>
> Here is a snippet of when I run exim4 -d -M ID of a mail in the queue on
> the client MTA.
>
> gnutls_handshake was successful
> TLS certificate verification failed (certificate invalid):
> peerdn="CN=antispam6-REMOVED"
> TLS verify failure overridden (host in tls_try_verify_hosts)
> 5:02
> Calling gnutls_record_recv(0x5634066e64a0, 0x7fffc4a62180, 4096)
> LOG: MAIN
>    H=se-balancer.REMOVED [REMOVEDIP] TLS error on connection (recv): The
> TLS connection was non-properly terminated.
>    SMTP(closed)<<
> ok=0 send_quit=0 send_rset=1 continue_more=0 yield=1 first_address is
> not NULL
> tls_close(): shutting down TLS
>    SMTP(close)>>
> LOG: MAIN
>
> One of the things we were thinking is that the name of the LB is not in
> the SAN of the outgoing spam server's cert.
> The other thing we realized is that we do not do/use SSL termination on
> the haproxy. Do we need to do that?
>
> We are not experts on TLS and crypto protocols.
>
> If anyone can help, it would be great.
>
> Kindest regards and many thanks.
> Brent Clark
>
--
Jonathan Matthews
London, UK
http://www.jpluscplusm.com/contact.html
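An added diagnostic, not code from either message in the thread, that reproduces the client MTA's view of the problem described above: it opens a submission session to the balancer, issues STARTTLS, and compares the DNS SAN entries of the certificate the balancer passes through with the name the MTA dialled. The hostnames used are placeholders, and the third-party `cryptography` package is assumed for parsing the certificate.

```python
import smtplib
import ssl


def hostname_matches_san(hostname, san_names):
    """True if hostname is covered by a DNS SAN entry; a wildcard counts only
    as the whole leftmost label and matches exactly one label (RFC 6125)."""
    host = hostname.lower().rstrip(".")
    for name in san_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*."):
            suffix = name[1:]                       # ".example.net"
            label = host[:-len(suffix)] if host.endswith(suffix) else ""
            if label and "." not in label:
                return True
    return False


def fetch_submission_cert(host, port=587, timeout=10):
    """Talk SMTP to host, STARTTLS as the client MTA does, and return
    (subject, [DNS SAN names]) from the certificate that arrives. Verification
    is off so the cert comes back even when it would fail, as under Exim's
    tls_try_verify_hosts. Assumes the third-party 'cryptography' package."""
    from cryptography import x509                   # imported lazily

    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.starttls(context=ctx)                  # sends EHLO first
        der = smtp.sock.getpeercert(binary_form=True)
    cert = x509.load_der_x509_certificate(der)
    try:
        ext = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName)
        names = ext.value.get_values_for_type(x509.DNSName)
    except x509.ExtensionNotFound:
        names = []
    return cert.subject.rfc4514_string(), names


def check_balancer(host, port=587):
    """Report whether the name the MTA dials is in the SAN it receives."""
    subject, names = fetch_submission_cert(host, port)
    ok = hostname_matches_san(host, names)
    print(f"dialled {host}: subject={subject} san={names} match={ok}")
    return ok
```

Run `check_balancer("se-balancer.example.net")` with the balancer's real name in place of the placeholder; a `False` result alongside a backend CN in the subject is the kind of mismatch the quoted Exim log reports.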
