We are using an external email marketing system to send through HAProxy, which load balances to our cluster of Postfix email servers. I start the campaign and it begins, but after a few minutes we get an error on the email marketing system side that says the following. Thinking there could be a delay with SSL, I have tried to bypass SSL and go straight to port 20 with no encryption as well, and I still get the error.
The email marketing system requires a 5 second delay between emails. I am not sure if their system is requiring some sort of heartbeat response that normal email servers would send. In no way would I consider my configuration an expert configuration, and I would assume there is definitely an issue with the config setup. I do get SSL connection errors too, so it could be something with the ciphers. I did try to use the Mozilla Cipher (https://ssl-config.mozilla.org/) with the same results. Thanks in advance for the support.
Error from Marketing System
ssl://172.x.x.x:465 Timed Out errNo=69585
HAProxy Version
HAProxy version 2.4.7-b5e51a5 2021/10/04 - https://haproxy.org/
Status: long-term supported branch - will stop receiving fixes around Q2 2026.
Known bugs: http://www.haproxy.org/bugs/bugs-2.4.7.html
Running on: Linux 3.10.0-1160.42.2.el7.x86_64 #1 SMP Tue Sep 7 14:49:57 UTC 2021 x86_64
HAProxy Config
global
    log 127.0.0.1 local0
    stats socket /var/lib/haproxy/stats level admin
    chroot /var/lib/haproxy
    # Defaults for TLS-terminating binds; note that the port 465 bind below overrides this list with its own 'ciphers'.
    ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
    # Only SSLv3 is excluded; no ssl-min-ver is set, so older TLS versions remain negotiable.
    ssl-default-bind-options no-sslv3
    # Server-side TLS defaults are unused in this config: the backend reaches Postfix in plaintext on port 25.
    ssl-default-server-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
    ssl-default-server-options no-sslv3
    ssl-server-verify none
    tune.ssl.default-dh-param 2048
    user haproxy
    group haproxy
    daemon

defaults
    log global
    mode tcp
    option dontlognull
    option splice-auto
    option socket-stats
    # TCP keepalives towards clients; an idle session is still closed by 'timeout client', not by keepalive
    option clitcpka
    timeout connect 10s
    timeout client 5m
    timeout server 5m

# Plain SMTP (port 25), accepted only from whitelisted source addresses
frontend mtafrontend
    bind 0.0.0.0:25
    mode tcp
    acl whitelist src -f /etc/haproxy/whitelisted.ips
    tcp-request connection accept if whitelist
    tcp-request connection reject
    log 127.0.0.1 local0 debug
    default_backend mtabackend

# SMTPS (port 465): TLS is terminated on HAProxy, the backend is reached in plaintext
frontend mtafrontend_smtps
    # The bind-level 'ciphers' replaces ssl-default-bind-ciphers for this listener and
    # explicitly includes RC4 (RC4+MEDIUM), which the global list leaves out.
    bind 0.0.0.0:465 ssl crt /etc/letsencrypt/live/haproxy_cert.pem ciphers TLSv1+HIGH:!SSLv2:RC4+MEDIUM:!aNULL:!eNULL:!3DES:@STRENGTH
    mode tcp
    acl whitelist src -f /etc/haproxy/whitelisted.ips
    tcp-request connection accept if whitelist
    tcp-request connection reject
    option tcplog
    log 127.0.0.1 local0 debug
    default_backend mtabackend

# Submission (port 587): TCP passthrough, no TLS termination on HAProxy
frontend mtafrontend_submission
    bind 0.0.0.0:587
    mode tcp
    acl whitelist src -f /etc/haproxy/whitelisted.ips
    tcp-request connection accept if whitelist
    tcp-request connection reject
    option tcplog
    log 127.0.0.1 local0 debug
    default_backend mtabackend

backend mtabackend
    mode tcp
    option tcplog
    option tcp-check
    tcp-check connect port 25
    option log-health-checks
    option srvtcpka
    log 127.0.0.1 local1 debug
    balance roundrobin
    # 'cookie' removed from the server lines: it only applies in HTTP mode and HAProxy
    # ignores it (with a startup warning) in mode tcp
    server mta1-cust.domain.com 216.0.0.0:25 check port 25 inter 5s
    server mta2-cust.domain.com 168.0.0.0:25 check port 25 inter 5s
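To see where the "Timed Out" actually occurs, a probe that does what the marketing system does (connect, wait for the 220 greeting, EHLO, pause for the mandatory 5 seconds, send again) and reports the timings narrows it down to one hop. This is an added example and not part of the original post: `smtp_probe` and `start_fake_smtp_server` are hypothetical helpers, the embedded server is a constructed stand-in so the script runs offline, and `use_tls=True` assumes you pass the certificate's hostname rather than an IP.

```python
import socket, ssl, threading, time

def smtp_probe(host, port, use_tls=False, idle_seconds=5.0, timeout=30.0):
    # One SMTP session: time the greeting, EHLO, idle as the campaign sender does, then NOOP and QUIT.
    started = time.monotonic()
    sock = socket.create_connection((host, port), timeout=timeout)
    if use_tls:  # implicit TLS, as on port 465 (SMTPS)
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    reader = sock.makefile("rb")

    def read_reply():  # one SMTP reply, possibly multi-line ("250-" continues, "250 " ends)
        lines = []
        while True:
            line = reader.readline()
            if not line:
                raise ConnectionError("peer closed the connection after %.1fs" % (time.monotonic() - started))
            lines.append(line.decode("ascii", "replace").rstrip())
            if line[3:4] != b"-":
                return lines
    result = {"banner": read_reply(), "banner_seconds": round(time.monotonic() - started, 3)}
    sock.sendall(b"EHLO probe.example\r\n")
    result["ehlo"] = read_reply()
    time.sleep(idle_seconds)  # the marketing system's mandatory pause between messages
    sock.sendall(b"NOOP\r\n")
    result["noop"] = read_reply()
    result["survived_idle"] = result["noop"][0].startswith("250")
    sock.sendall(b"QUIT\r\n")
    read_reply()
    sock.close()
    return result

def start_fake_smtp_server(greeting_delay=0.0):
    # Constructed stand-in for a Postfix backend: plaintext SMTP on 127.0.0.1, ephemeral port (returned).
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    replies = {b"EHLO": b"250-fake.example\r\n250 PIPELINING\r\n", b"NOOP": b"250 2.0.0 Ok\r\n", b"QUIT": b"221 2.0.0 Bye\r\n"}

    def serve():
        conn, _ = srv.accept()
        time.sleep(greeting_delay)  # simulate a backend that is slow to send its 220 greeting
        conn.sendall(b"220 fake.example ESMTP constructed\r\n")
        for line in conn.makefile("rb"):
            cmd = line.split(None, 1)[0].upper() if line.strip() else b""
            conn.sendall(replies.get(cmd, b"502 5.5.2 Command not recognized\r\n"))
            if cmd == b"QUIT":
                break
        conn.close()
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]
```

Run the same probe against HAProxy on 465 with `use_tls=True` and directly against one Postfix node on 25: a greeting that takes seconds, a `socket.timeout` while waiting for it, or a NOOP that fails after the pause tells you which hop stalls.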