Dovecot SSL Cert Problem


#1

I’m trying to loadbalance a few dovecot instances and the SSL cert being shown to the users is the dovecot server’s not the HAproxy version. The documentation for this is sparse and scattered, so I couldn’t make a perfect setup that gave valid ssl certs. Does each dovecot server need to have a cert with the haproxy domain for this to work?

Here’s my config:

global
        log /dev/log    local0
        log /dev/log    local1 notice
        chroot /var/lib/haproxy
        stats socket /run/haproxy/admin.sock mode 660 level admin
        stats timeout 30s
        user haproxy
        group haproxy
        daemon

        # Default SSL material locations
        ca-base /etc/ssl/certs
        crt-base /etc/ssl/private

        # Default ciphers to use on SSL-enabled listening sockets.
        # For more information, see ciphers(1SSL). This list is from:
        #  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
        ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
        ssl-default-bind-options no-sslv3

defaults
        log     global
        mode    http
        option  httplog
        option  dontlognull
        timeout connect 5000
        timeout client  50000
        timeout server  50000
        errorfile 400 /etc/haproxy/errors/400.http
        errorfile 403 /etc/haproxy/errors/403.http
        errorfile 408 /etc/haproxy/errors/408.http
        errorfile 500 /etc/haproxy/errors/500.http
        errorfile 502 /etc/haproxy/errors/502.http
        errorfile 503 /etc/haproxy/errors/503.http
        errorfile 504 /etc/haproxy/errors/504.http

listen webForward
        bind :443 ssl crt /etc/ssl/private/certprivkey.pem no-sslv3
        #mode tcp 
        reqadd X-Forwarded-Proto:\ https
        default_backend www-backend

backend www-backend
        redirect scheme https if !{ ssl_fc }
        #mode tcp
        balance roundrobin
        stick-table type ip size 200k expire 30m
        stick on src
        server s1 6x.xxx.xx.xxx:443

listen dovecot-imap
        bind :993 
        mode tcp
        #option ssl-hello-chk
        option http-keep-alive
        balance first
        tcp-check connect port 993
        tcp-check expect string *\ OK
        stick-table type ip size 200k expire 15m
        stick on src
        timeout server 1m
        timeout connect 1m
        timeout client 5m
        server s1 10.0.0.1:10993 send-proxy-v2
        server s2 10.0.0.2:10993 send-proxy-v2

#2

Do you want Haproxy to handle SSL and connect to the backend in cleartext (no SSL)?

Then you need to use the ssl keyword on the frontend, and a cleartext destination port on the backend.

Please check the following 4 changes:

**frontend** webForward <-- this is a frontend section, not a listen section
        bind :443 ssl crt /etc/ssl/private/certprivkey.pem no-sslv3
        #mode tcp 
        reqadd X-Forwarded-Proto:\ https
        default_backend www-backend

backend www-backend
        redirect scheme https if !{ ssl_fc }
        #mode tcp
        balance roundrobin
        stick-table type ip size 200k expire 30m
        stick on src
        server s1 6x.xxx.xx.xxx:**80** <--- cleartext port 80 here

listen dovecot-imap
        bind :993 **ssl crt /etc/ssl/private/certprivkey.pem no-sslv3** <-- specify the ssl keyword, along with certificate configuration here
        mode tcp
        #option ssl-hello-chk
        option http-keep-alive
        balance first
        tcp-check connect port 993
        tcp-check expect string *\ OK
        stick-table type ip size 200k expire 15m
        stick on src
        timeout server 1m
        timeout connect 1m
        timeout client 5m
        server s1 10.0.0.1:**143** send-proxy-v2 <-- should be a cleartext port!
        server s2 10.0.0.2:**143** send-proxy-v2 <-- should be a cleartext port!

#3

That did the trick. But, lets say I didn’t have an encrypted subnet to protect the unencrypted traffic… could haproxy accept the dovecot ssl cert, but show the haproxy ssl cert?


#4

Yes, to enable a “SSL client” towards your backend server, simply specify the ssl keyword:

server s1 10.0.0.1:10993 ssl send-proxy-v2
server s2 10.0.0.2:10993 ssl send-proxy-v2


#5

That did it. thank you!