HAproxy SMTP mail config

Hi all. Love HAproxy, I use it a lot :slight_smile:

I am playing with trying to make my exim4/dovecot SMTP server HA (rather active-backup for now) and I am looking for advice. The configuration below works, but I still don’t think it is perfected and I am still having some problems.

1.) Using the iPhone mail app, from time to time I get a notification pop-up that R3 (the Let’s Encrypt SSL certificate I am using for this) is not trusted. I don’t know if I should buy another SSL certificate, or if SSL termination even works best in this scenario, but I can’t make a passthrough configuration, since the SSL certificate on the origin is issued by Let’s Encrypt only for the domain mail.domain.com and I am missing mailproxy.example.com (the domain on the HAProxy) as a SAN.
2.) Do you guys think I am routing the SMTP/submission ports the right way (for example: submission to TCP 25 on the origin server)?

Thank you

My config:

###
# SUBMISSION
###

frontend submission_frontend
    bind *:587 name submissionssl ssl crt /etc/haproxy/ssl/mailproxy.domain.com.pem
    mode tcp
    option tcplog

    default_backend submission_backend

backend submission_backend
    email-alert mailers smtp_domain
    email-alert level debug
    email-alert from alarm@domain.com
    email-alert to alarm@tdomain.com

    mode tcp
    server Cloud mail.domain.com:25 check port 587 fall 3 rise 2 on-marked-down shutdown-sessions send-proxy-v2
    server Primary mailbackup.domain.com:25 check backup port 587 fall 3 rise 2 on-marked-down shutdown-sessions


###
# SMTP
###
frontend smtp_frontend
    bind *:25
    mode tcp
    option tcplog

    default_backend smtp_backend

backend smtp_backend
    email-alert mailers smtp_domain
    email-alert level debug
    email-alert from alarm@domain.com
    email-alert to alarm@tdomain.com

    mode tcp
    server Cloud mail.domain.com:25 check port 465 fall 3 rise 2 on-marked-down shutdown-sessions send-proxy-v2
    server Primary mailbackup.domain.com:25 check backup port 465 fall 3 rise 2 on-marked-down shutdown-sessions send-proxy-v2


###
# SMTPs
###
frontend smtps_frontend
    bind *:465 name smtpssl ssl crt /etc/haproxy/ssl/mailproxy.domain.com.pem
    mode tcp
    option tcplog

    default_backend smtps_backend

backend smtps_backend
    email-alert mailers smtp_domain
    email-alert level debug
    email-alert from alarm@domain.com
    email-alert to alarm@tdomain.com

    mode tcp
    server Cloud mail.domain.com:25 check port 465 fall 3 rise 2 on-marked-down shutdown-sessions send-proxy-v2
    server Primary mailbackup.domain.com:25 check backup port 465 fall 3 rise 2 on-marked-down shutdown-sessions send-proxy-v2


###
# IMAPs
###

frontend imaps_frontend
    bind *:993 name imapssl ssl crt /etc/haproxy/ssl/mailproxy.domain.com.pem
    mode tcp
    option tcplog

    default_backend imaps_backend

backend imaps_backend
    email-alert mailers smtp_domain
    email-alert level debug
    email-alert from alarm@domain.com
    email-alert to alarm@tdomain.com

    mode tcp
    stick store-request src
    stick-table type ip size 200k expire 30m
    server Cloud mail.domain.com:10993 ssl check fall 3 send-proxy-v2 verify none
    server Primary mailbackup.domain.com:10993 ssl check backup send-proxy-v2 verify none

Make sure you are serving the proper intermediate certificate.

Tools like testssl.sh (interactive) or check_ssl_cert (for monitoring) can help you there. And you want to continue to monitor this.

No. Port 587 is plaintext SMTP with a STARTTLS upgrade to SSL/TLS. You can’t configure HAProxy to do this, because HAProxy does not speak SMTP at all.

Haproxy can terminate SSL on implicit SSL speaking ports only, for example port 465.

If your setup allows, drop port 587 altogether, it is considered obsolete:
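As an added example (not part of the reply above, and not HAProxy’s or exim4/dovecot’s own tooling), here is a small POSIX shell helper that puts the two points of that reply into a repeatable check: it chooses the right `openssl s_client` form for a port (implicit TLS on 465/993, STARTTLS on 25/587/143, which is exactly the distinction that makes 587 impossible for HAProxy to terminate) and it inspects the `-showcerts` output for a verified chain that contains more than just the leaf. The hostnames are placeholders, and the two sample outputs are constructed to look like `openssl s_client` output, so the parsing can be exercised offline; a live probe needs `openssl` installed and network access.

```shell
#!/bin/sh
# Added example: verify that a TLS-terminating mail frontend serves a complete
# certificate chain (leaf + intermediate) that validates locally.
# Assumes: openssl is installed for live probes; hostnames are placeholders.

# Build the openssl s_client arguments for a mail port. Implicit-TLS ports
# (465, 993, 995) are the ones a TCP-mode proxy can terminate; 25, 587 and 143
# start in plaintext and upgrade with STARTTLS, which needs protocol awareness.
tls_probe_args() {
    host="$1"; port="$2"
    case "$port" in
        465|993|995) echo "-connect $host:$port -servername $host" ;;
        25|587)      echo "-connect $host:$port -servername $host -starttls smtp" ;;
        143)         echo "-connect $host:$port -servername $host -starttls imap" ;;
        *)           return 1 ;;
    esac
}

# Read `openssl s_client -showcerts` output from stdin. Return 0 only when the
# chain validated (verify code 0) AND at least two certificates were sent,
# i.e. the intermediate is present and not left for the client to fetch.
chain_ok() {
    out="$(cat)"
    n=$(printf '%s\n' "$out" | grep -c -- '-----BEGIN CERTIFICATE-----') || n=0
    printf '%s\n' "$out" | grep -q 'Verify return code: 0 (ok)' || return 1
    [ "$n" -ge 2 ]
}

# Live probe (needs network): probe_mail_tls mailproxy.example.com 465
probe_mail_tls() {
    args=$(tls_probe_args "$1" "$2") || { echo "unsupported port: $2" >&2; return 2; }
    # shellcheck disable=SC2086  # word-splitting of $args is intended
    openssl s_client $args -showcerts </dev/null 2>/dev/null | chain_ok
}

# Constructed sample: a server that sends leaf + intermediate and verifies.
sample_good() {
    cat <<'EOF'
CONNECTED(00000003)
-----BEGIN CERTIFICATE-----
MIIBconstructedLeafCertificateBody==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBconstructedIntermediateCertificateBody==
-----END CERTIFICATE-----
Server certificate
subject=CN = mailproxy.example.com
issuer=C = US, O = Let's Encrypt, CN = R3
Verify return code: 0 (ok)
EOF
}

# Constructed sample: a server that sends only the leaf, so local
# verification cannot build the chain (the symptom of a missing intermediate).
sample_missing_intermediate() {
    cat <<'EOF'
CONNECTED(00000003)
-----BEGIN CERTIFICATE-----
MIIBconstructedLeafCertificateBody==
-----END CERTIFICATE-----
Server certificate
subject=CN = mailproxy.example.com
issuer=C = US, O = Let's Encrypt, CN = R3
Verify return code: 21 (unable to verify the first certificate)
EOF
}
```

Run `probe_mail_tls mailproxy.example.com 465 && echo chain ok` against your own proxy, and the same for 993; `chain_ok` exits non-zero both when the chain does not validate and when only one certificate was sent, which is the case that the intermediate-certificate advice above is about.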

Thank you for the response.

As for issue 1.), I was reading more, and it looks like the iPhone checks SSL only over the HTTPS protocol on port 443, and since I don’t have that configured, only mail, I get these errors from time to time (if that is correct; I found it on Google).

Issue 2.) Noted. I will drop the submission port (since I don’t need it) and implement the flow based on the SMTPs port 465.
So what do you think about my HAProxy SMTPs configuration? Do I need to improve it?

I don’t know why you are health checking port 587 for traffic that will use port 25; I’d suggest keeping it as simple and straightforward as possible.

I don’t know if your backend supports the PROXY protocol v2, but if it works, it should be fine.