Terminating opportunistic TLS (STARTTLS)

Most of the examples I’m finding are terminating an explicit SSL stream or HTTP proxies. I’m able to terminate SMTPS/IMAPS/POP3S no problem, but running into difficulty with switching backends when SSL is negotiated via STARTTLS.

First, is it even possible for haproxy to change its backend during communication if req_ssl_hello_type is present?

If so, then is this a pipe dream? Read data on *:143, connect to the normal unencrypted backend (127.0.0.1:1430), then when req_ssl_hello_type comes across the wire, redirect the stream to *:993, which is another haproxy frontend with SNI support to terminate SSL, then send that to 127.0.0.1:1430.

This old posting for Exchange 2010 hints I’m chasing something unattainable.

No, because this is negotiated at the application layer, which means haproxy would actually have to implement at least a part of the handshake of every single one of those protocols.

No, because there would already have been a POP/IMAP/SMTP handshake with some other backend.

For this to work, haproxy would have to intercept the handshake of all those protocols and insert a STARTTLS negotiation.
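Putting the answer into configuration form, as an added example that is not from the thread or from the HAProxy project: the implicit-TLS ports (993/995/465) can be terminated by haproxy with the certificate chosen by SNI, while the STARTTLS ports (143/110/587) are passed through unchanged to a mail server that performs STARTTLS itself, because no backend switch can happen once the application-layer handshake has started. The certificate directory, the backend port 1430 from the question and the assumed STARTTLS-capable backend on 1431 are placeholders.

```haproxy
# Implicit TLS: the client sends a ClientHello as its first bytes, so haproxy
# can terminate here. With a directory given to "crt", haproxy loads every PEM
# in it and picks the certificate matching the SNI the client presented.
frontend imaps
    bind *:993 ssl crt /etc/haproxy/certs/   # assumed path: PEM files (key + chain)
    mode tcp
    default_backend imap_clear

frontend pop3s
    bind *:995 ssl crt /etc/haproxy/certs/
    mode tcp
    default_backend pop3_clear

frontend smtps
    bind *:465 ssl crt /etc/haproxy/certs/
    mode tcp
    default_backend smtp_clear

# STARTTLS ports: the connection begins with a plaintext IMAP/POP3/SMTP
# exchange against whichever backend was chosen at connect time, and the
# ClientHello only appears later. haproxy cannot re-route that stream, so
# these are plain TCP passthrough to a server that implements STARTTLS.
frontend imap_starttls
    bind *:143
    mode tcp
    default_backend imap_tls_capable

frontend pop3_starttls
    bind *:110
    mode tcp
    default_backend pop3_tls_capable

frontend submission_starttls
    bind *:587
    mode tcp
    default_backend smtp_tls_capable

# Clear-text backends reached only after haproxy has removed TLS.
backend imap_clear
    mode tcp
    server store 127.0.0.1:1430      # port from the question

backend pop3_clear
    mode tcp
    server store 127.0.0.1:1100      # assumed clear-text POP3 port

backend smtp_clear
    mode tcp
    server store 127.0.0.1:2500      # assumed clear-text SMTP port

# Backends that must hold their own certificate and do STARTTLS themselves.
backend imap_tls_capable
    mode tcp
    server store 127.0.0.1:1431      # assumed: IMAP server with STARTTLS enabled

backend pop3_tls_capable
    mode tcp
    server store 127.0.0.1:1101      # assumed: POP3 server with STARTTLS enabled

backend smtp_tls_capable
    mode tcp
    server store 127.0.0.1:2501      # assumed: SMTP server with STARTTLS enabled
```

The split matters for the security posture: on the implicit-TLS ports the certificate and key live only on haproxy, while on the STARTTLS ports the mail server itself must carry a valid certificate and advertise STARTTLS, since haproxy sees the whole exchange as opaque bytes.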

Oh bummer. Thanks for answering my questions!