Without wishing to second guess your operational setup, are all of those services (client machines, haproxy, anti-spam boxes) on your network i.e. do they *need* TLS?
Given the insecure nature of email, and the lack of guarantees which you (or anyone) can make about subsequent point-to-point transport layer security, would it not simply be easier to disable all TLS in that setup? Just a thought :-)

J

On Tue, 9 Jun 2020 at 12:34, Brent Clark <brentgclarkl...@gmail.com> wrote:
> Good day Guys
>
> I was hoping I can pick your brain and ask for your help.
> If anyone can help and share pointers, it would be gratefully appreciated.
>
> Where I work, we just inherited a series of third party outgoing spam
> servers.
> For various reasons, we need to load balance but more importantly direct
> traffic for when we need to perform maintenance on these servers.
>
> What we decided to use and do is put haproxy in front.
>
> The intended topology is:
> [clients MTA servers] - 587 -> [haproxy] - 587 -> [outgoing spamservers]
>
> On odd occasions we see the following error message(s) on the clients'
> MTAs. And the mail just sits in the queue. When we revert back, it all
> flows.
>
> ---------------------------------------------
> TLS error on connection (recv): The TLS connection was non-properly
> terminated.
>
> Remote host closed connection in response to end of data.
> ---------------------------------------------
>
> We can't figure it out, and why.
> What we think is happening is: there is a cert mismatch. And as a
> result Exim just refuses to send or accept the mail.
>
> Here is a snippet of when I run exim4 -d -M ID of a mail in the queue on
> the client MTA.
>
> gnutls_handshake was successful
> TLS certificate verification failed (certificate invalid):
> peerdn="CN=antispam6-REMOVED"
> TLS verify failure overridden (host in tls_try_verify_hosts)
> 5:02
> Calling gnutls_record_recv(0x5634066e64a0, 0x7fffc4a62180, 4096)
> LOG: MAIN
> H=se-balancer.REMOVED [REMOVEDIP] TLS error on connection (recv): The
> TLS connection was non-properly terminated.
> SMTP(closed)<<
> ok=0 send_quit=0 send_rset=1 continue_more=0 yield=1 first_address is
> not NULL
> tls_close(): shutting down TLS
> SMTP(close)>>
> LOG: MAIN
>
> One of the things we were thinking is that the name of the LB is not in
> the SAN cert of the outgoing spam server.
> The other thing we realised is, we do not do / use SSL termination on
> the haproxy. Do we need to do that?
>
> We are not experts on TLS and crypto protocols.
>
> If anyone can help, it would be great.
>
> Kindest regards and many thanks.
> Brent Clark
>

--
Jonathan Matthews
London, UK
http://www.jpluscplusm.com/contact.html
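Brent's suspicion (the balancer's name is not in the backend certificate's SAN) can be tested directly from a client MTA host. With haproxy passing port 587 through in TCP mode, the certificate the client verifies is the backend spam server's own, so the name the client connects to must be covered by that certificate's DNS SANs. The script below is an added example, not code from the thread; it does a STARTTLS session to the given host, reports whether the chain is trusted by the local CA store, and checks the SANs against the connected name (the `se-balancer.example` hostname is a placeholder).

```python
import smtplib
import ssl


def san_covers(hostname: str, dns_names: list) -> bool:
    """True if hostname is matched by one of the certificate's DNS SANs.
    A wildcard is honoured only as the whole leftmost label (RFC 6125)."""
    host = hostname.lower().rstrip(".")
    for name in dns_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*.") and "*" not in name[2:]:
            suffix = name[1:]  # e.g. ".example.net"
            prefix = host[: -len(suffix)] if host.endswith(suffix) else ""
            if prefix and "." not in prefix:
                return True
    return False


def dns_sans(peercert: dict) -> list:
    """Extract the DNS entries from the dict returned by getpeercert()."""
    return [v for k, v in peercert.get("subjectAltName", ()) if k == "DNS"]


def check_submission_cert(host: str, port: int = 587) -> str:
    """STARTTLS to host:port and report whether the presented certificate
    chains to a trusted CA and whether its SANs cover the name we dialled."""
    ctx = ssl.create_default_context()     # verify_mode stays CERT_REQUIRED
    ctx.check_hostname = False             # name check is done below, to report it
    try:
        with smtplib.SMTP(host, port, timeout=10) as smtp:
            smtp.ehlo()
            smtp.starttls(context=ctx)
            cert = smtp.sock.getpeercert()  # populated because chain verified
    except ssl.SSLCertVerificationError as exc:
        return f"chain not trusted: {exc.verify_message}"
    names = dns_sans(cert)
    if san_covers(host, names):
        return f"ok: {host} is covered by SAN {names}"
    return f"name mismatch: {host} not in SAN {names}"


if __name__ == "__main__":
    import sys
    # placeholder hostname; pass the real balancer name as the first argument
    target = sys.argv[1] if len(sys.argv) > 1 else "se-balancer.example"
    print(check_submission_cert(target))
```

A "name mismatch" result means every client connecting through the balancer will hit the same verification failure Exim logs, whether or not tls_try_verify_hosts lets it continue.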