Score:0

Haproxy as a mail protocols reverse proxy with SSL termination


Looking for guidance on how to configure haproxy 2.4 in a container to proxy for a mail server (all protocols: imap/s, smtp/s, pop3/s, http/s), with haproxy doing SSL termination but also sending properly to the encrypted ports (pop3s and imap/s especially) on the backend mail server.

Here is my configuration:

frontend smtp-in
  bind *:25
  mode tcp
  tcp-request inspect-delay 5s
  tcp-request content accept if { req_ssl_hello_type 1 }
  use_backend smtp if { req_ssl_sni -i mailer.example.com }

frontend imap-in
  bind *:143
  mode tcp
  tcp-request inspect-delay 5s
  tcp-request content accept if { req_ssl_hello_type 1 }
  use_backend imap if { req_ssl_sni -i mailer.example.com }

frontend smtps-in
  bind *:587 ssl crt /usr/local/etc/haproxy/ssl
  mode tcp
  tcp-request inspect-delay 5s
  use_backend smtps

frontend imaps-in
  bind *:993 ssl crt /usr/local/etc/haproxy/ssl
  mode tcp
  tcp-request inspect-delay 5s
  use_backend imaps

frontend pops-in
  bind *:995 ssl crt /usr/local/etc/haproxy/ssl
  mode tcp
  tcp-request inspect-delay 5s
  use_backend pops
  log /dev/log local0 info

frontend pop-in
  bind *:110
  mode tcp
  tcp-request inspect-delay 5s
  use_backend pop

backend smtp
  mode tcp
  server mailserver 192.168.2.254:25

backend imap
  mode tcp
  server mailserver 192.168.2.254:143

backend smtps
  mode tcp
  server mailserver 192.168.2.254:587

backend imaps
  mode tcp
  server mailserver 192.168.2.254:993

backend https
  mode tcp
  server mailserver 192.168.2.254:443

backend pop
  mode tcp
  server mailserver 192.168.2.254:110

backend pops
  mode tcp
  server mailserver 192.168.2.254:995

I am testing with pop3/s, and so far requests are being rejected for SSL (pop3), and I get odd timeouts (pop3s).

Am I doing this correctly? Can someone please enlighten me?

dashohoxha:
Maybe this discussion can help somehow: https://discourse.haproxy.org/t/smtp-imap-proxy-based-on-domain-pass-through/5480
SinaOwolabi:
Thanks, my takeaway from the discussion is 'But haproxy is definitely the wrong tool for this job.' I need to find something else.
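
An added example, not part of the original post or its replies: with `ssl crt` on the `bind` line HAProxy hands the backend decrypted bytes, so a `server` line that points at an implicit-TLS port such as 993 or 995 needs `ssl` as well. The CA bundle path, the timeout values, and the assumption that the backend certificate is issued for mailer.example.com are hypothetical.

```haproxy
# Added example, not the poster's configuration.
# Assumed: the CA bundle path below and a backend certificate issued for
# mailer.example.com. Timeout values are illustrative.

defaults
  mode tcp
  timeout connect 5s
  timeout client  35m   # long enough for idle IMAP sessions (assumed value)
  timeout server  35m

# Implicit-TLS ports: HAProxy terminates the client's TLS session here...
frontend imaps-in
  bind *:993 ssl crt /usr/local/etc/haproxy/ssl
  default_backend imaps

frontend pops-in
  bind *:995 ssl crt /usr/local/etc/haproxy/ssl
  default_backend pops

# ...and has to open a new, verified TLS session to the mail server, because a
# standard mail server expects a TLS handshake first on 993/995.
# As posted:  server mailserver 192.168.2.254:993    (plaintext to a TLS port)
backend imaps
  server mailserver 192.168.2.254:993 ssl verify required ca-file /usr/local/etc/haproxy/ca/mail-ca.pem sni str(mailer.example.com) verifyhost mailer.example.com

backend pops
  server mailserver 192.168.2.254:995 ssl verify required ca-file /usr/local/etc/haproxy/ca/mail-ca.pem sni str(mailer.example.com) verifyhost mailer.example.com

# Plaintext ports (STARTTLS/STLS is negotiated inside the protocol): plain TCP
# pass-through with no `ssl` on either side. The mail server speaks first and
# the client never opens with a TLS ClientHello, so req_ssl_hello_type and
# req_ssl_sni rules cannot match on these ports.
frontend pop-in
  bind *:110
  default_backend pop

backend pop
  server mailserver 192.168.2.254:110
```

`haproxy -c -f haproxy.cfg` checks the file for configuration errors before a reload.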
Score:1

From here 'https://discourse.haproxy.org/t/smtp-imap-proxy-based-on-domain-pass-through/5480' it appears that 'haproxy is the wrong tool for the job'.

dashohoxha:
My opinion is that your approach (tcp proxy) is not the right one, because haproxy is one of the best tools for that. I believe that email tools (postfix etc.), if configured properly, can do what you are trying to achieve. But I am not able to show you how.
SinaOwolabi:
Uhh .... thanks, I think?