Most of the examples I’m finding are terminating an explicit SSL stream or HTTP proxies. I’m able to terminate SMTPS/IMAPS/POP3S no problem, but running into difficulty with switching backends when SSL is negotiated via STARTTLS.
First, is it even possible for haproxy to change its backend during communication if
req_ssl_hello_type is present?
If so, then is this a pipe dream? Read data on *:143, connect to the normal unencrypted backend (127.0.0.1:1430), then when
req_ssl_hello_type comes across the wire, redirect the stream to *:993, which is another haproxy frontend with SNI support to terminate SSL, then send that to 127.0.0.1:1430.
This old posting for Exchange 2010 hints I’m chasing something unattainable.