HAProxy for IMAP/S help needed

Started by boku, April 17, 2025, 08:49:54 AM

That linked guide does not cover anything but HTTPS traffic.

With IMAP and SMTP, you will have a hard time terminating the TLS traffic on HAProxy, because it cannot handle STARTTLS (i.e. opportunistic TLS). The only possible way to do it would be to use implicit TLS on ports 993 and 465. However, many e-mail clients seem to want STARTTLS.

Also, the specific backend is problematic as well: for example, with Postfix you will want to have SMTP auth, but usually this is allowed only if TLS is active on Postfix itself, and it does not know that there is a TLS wrapper active when you contact it without TLS.

So, this is really a can of worms:

1. You have to make the client work with implicit TLS (i.e. without STARTTLS).
2. You have to make the backend (aka "real server") not offer STARTTLS (which it normally will do, because it thinks there is no TLS layer yet).
3. You have to enable the backend to offer authentication despite no TLS layer being present apparently.

Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+
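
As an added example (not part of the post above): a small Python check for items 2 and 3 of the list, applied to the reply that the backend's plaintext listener gives to an IMAP greeting/CAPABILITY or an SMTP EHLO. The function names and the sample replies are constructed for illustration; no real server output is shown.

```python
import re

def advertised(protocol, reply):
    """Capability tokens (upper-cased) in an IMAP greeting/CAPABILITY or SMTP EHLO reply."""
    caps, first_250 = set(), True
    for line in reply.splitlines():
        line = line.strip()
        if protocol == "imap":
            # "* CAPABILITY ..." or "* OK [CAPABILITY ...] text"
            m = re.match(r"\*\s+(?:OK\s+\[)?CAPABILITY\s+([^\]]+)", line, re.I)
            if m:
                caps.update(tok.upper() for tok in m.group(1).split())
        elif protocol == "smtp":
            m = re.match(r"250[- ](\S+)", line)
            if m and first_250:
                first_250 = False  # first 250 line is the server name, not a keyword
            elif m:
                caps.add(m.group(1).upper())
    return caps

def check_backend(protocol, reply):
    """Findings for the plaintext listener the proxy forwards to; [] means items 2 and 3 hold."""
    caps, findings = advertised(protocol, reply), []
    if "STARTTLS" in caps:
        findings.append("STARTTLS still offered (item 2)")
    if protocol == "imap" and "LOGINDISABLED" in caps:
        findings.append("LOGINDISABLED: login refused without TLS (item 3)")
    if protocol == "smtp" and "AUTH" not in caps:
        findings.append("no AUTH offered without TLS (item 3)")
    return findings

# Constructed sample replies (not captured from a real server).
IMAP_DEFAULT = "* OK [CAPABILITY IMAP4rev1 IDLE STARTTLS LOGINDISABLED] ready."
IMAP_BEHIND_PROXY = "* OK [CAPABILITY IMAP4rev1 IDLE AUTH=PLAIN AUTH=LOGIN] ready."
SMTP_DEFAULT = "250-mail.example.test\r\n250-PIPELINING\r\n250-STARTTLS\r\n250 8BITMIME"
SMTP_BEHIND_PROXY = "250-mail.example.test\r\n250-AUTH PLAIN LOGIN\r\n250 8BITMIME"

if __name__ == "__main__":
    for proto, reply in [("imap", IMAP_DEFAULT), ("imap", IMAP_BEHIND_PROXY),
                         ("smtp", SMTP_DEFAULT), ("smtp", SMTP_BEHIND_PROXY)]:
        print(proto, check_backend(proto, reply) or "ok")
```

A listener that passes this check accepts credentials in cleartext, so it should be reachable only from the proxy.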