HAProxy for IMAP/S help needed

Started by boku, April 17, 2025, 08:49:54 AM

June 07, 2025, 04:16:46 PM #15 Last Edit: Today at 02:10:10 PM by meyergru
That linked guide does not cover anything but HTTPS traffic.

With IMAP and SMTP, you will have a hard time terminating the TLS traffic on HAproxy, because it cannot handle STARTTLS (i.e. opportunistic TLS). The only possible way to do it would be to use implicit TLS on ports 993 and 465. However, many E-Mail clients seem to want STARTTLS.

Also, the specific backend is problematic as well: for example, for Postfix, you will want to have SMTP auth, but usually this is allowed only if TLS is active - but on Postfix itself, as it does not know that there is a TLS wrapper active when you contact it without TLS.

So, this is really a can of worms:

1. You have to make the client work with implicit TLS (i.e. without STARTTLS).
2. You have to make the backend (aka "real server") not offer STARTTLS (which it normally will do, because it thinks there is no TLS layer yet).
3. You have to enable the backend to offer authentication despite no TLS layer being present apparently.
4. Postfix can skip STARTTLS via "smtp_tls_wrappermode=yes", but not selectively per destination.

The easier way is to let Postfix handle TLS termination itself and just use HAproxy as a TCP proxy, which is trivial to set up.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

June 07, 2025, 09:59:18 PM #16 Last Edit: Today at 02:11:05 PM by meyergru
Here are the settings for TLS termination of SMTP (notice the caveat at the end):

[Three attachments with the HAProxy settings, not viewable in this copy.]

In Postfix, you will have to use something like this in master.cf:

# Backend to HAproxy: no TLS, but use authentication anyway
10465       inet  n       -       y       -       -       smtpd
  -o smtpd_tls_security_level=none
  -o smtpd_tls_auth_only=no
  -o smtpd_upstream_proxy_protocol=haproxy

This is to use no TLS for the backend, but allow for authentication anyway. Also, you can specify that HAproxy is used as an upstream proxy. This is mirrored by the "Proxy Protocol" setting in the backend pool. Also, there is a "send-proxy-v2-ssl" option in the real server settings in order to pass SSL options to Postfix.

However, note that because HAproxy cannot handle STARTTLS, these connections always expect a TLS handshake at start (this is the old SUBMISSIONS/SMTPS protocol). That means that e.g. a Postfix SMTP client must use smtp_tls_wrappermode=yes to skip STARTTLS. This option is global, though, so you cannot easily specify that for specific destinations.

June 07, 2025, 10:05:32 PM #17 Last Edit: Today at 02:11:31 PM by meyergru
And these are the settings for TLS termination of IMAP:

[Three attachments with the HAProxy settings, not viewable in this copy.]

In Dovecot, you will need to set something like:

haproxy_trusted_networks = 192.168.1.1

service imap-login {
  inet_listener imapha {
    port = 10143
    haproxy = yes
  }
}

This is to enable the HAproxy protocol and to allow it to be used from a specific IP (or range).

As with the SMTP backend, you will need to enable the V2 proxy protocol, including the SSL options.
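To see what the "Proxy Protocol" / "send-proxy-v2-ssl" settings from the two posts above actually hand to Postfix (smtpd_upstream_proxy_protocol=haproxy) and Dovecot (haproxy = yes), here is an added example that builds and parses a PROXY protocol v2 header with the TLS TLV; it is not code from the thread or from HAProxy, and the addresses and cipher name are constructed sample values. The header is plain, unauthenticated bytes, which is why Dovecot only accepts it from haproxy_trusted_networks.

```python
import ipaddress
import struct

# PROXY protocol v2 constants (from the HAProxy proxy-protocol spec).
PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"
PP2_TYPE_SSL = 0x20             # TLV carrying TLS info (send-proxy-v2-ssl)
PP2_CLIENT_SSL = 0x01           # flag: client connected over TLS
PP2_SUBTYPE_SSL_VERSION = 0x21
PP2_SUBTYPE_SSL_CIPHER = 0x23

def build_v2_header(src_ip, src_port, dst_ip, dst_port, tls_version=None, cipher=None):
    """Build an IPv4/TCP PROXY v2 header as HAProxy would send it to the backend."""
    addr = (ipaddress.IPv4Address(src_ip).packed + ipaddress.IPv4Address(dst_ip).packed
            + struct.pack("!HH", src_port, dst_port))
    tlvs = b""
    if tls_version is not None:
        sub = struct.pack("!BH", PP2_SUBTYPE_SSL_VERSION, len(tls_version)) + tls_version.encode()
        if cipher is not None:
            sub += struct.pack("!BH", PP2_SUBTYPE_SSL_CIPHER, len(cipher)) + cipher.encode()
        ssl = struct.pack("!BI", PP2_CLIENT_SSL, 0) + sub  # client flags, verify result (0 = ok)
        tlvs = struct.pack("!BH", PP2_TYPE_SSL, len(ssl)) + ssl
    body = addr + tlvs
    # 0x21 = version 2 + PROXY command; 0x11 = AF_INET + SOCK_STREAM
    return PP2_SIGNATURE + b"\x21\x11" + struct.pack("!H", len(body)) + body

def parse_v2_header(data):
    """Return (info, payload): what the backend learns, and the bytes that follow the header."""
    if data[:12] != PP2_SIGNATURE or data[12] != 0x21 or data[13] != 0x11:
        raise ValueError("not an IPv4/TCP PROXY v2 header")
    (length,) = struct.unpack("!H", data[14:16])
    body, payload = data[16:16 + length], data[16 + length:]
    src, dst = ipaddress.IPv4Address(body[0:4]), ipaddress.IPv4Address(body[4:8])
    src_port, dst_port = struct.unpack("!HH", body[8:12])
    info = {"src": f"{src}:{src_port}", "dst": f"{dst}:{dst_port}", "tls": False}
    pos = 12
    while pos + 3 <= len(body):                      # walk the TLVs after the addresses
        ttype, tlen = struct.unpack("!BH", body[pos:pos + 3])
        value = body[pos + 3:pos + 3 + tlen]
        pos += 3 + tlen
        if ttype != PP2_TYPE_SSL:
            continue
        flags, verify = struct.unpack("!BI", value[:5])
        info["tls"] = bool(flags & PP2_CLIENT_SSL)
        info["verify"] = verify
        sub = 5
        while sub + 3 <= len(value):                 # sub-TLVs inside the SSL TLV
            stype, slen = struct.unpack("!BH", value[sub:sub + 3])
            sval = value[sub + 3:sub + 3 + slen].decode()
            sub += 3 + slen
            if stype == PP2_SUBTYPE_SSL_VERSION:
                info["tls_version"] = sval
            elif stype == PP2_SUBTYPE_SSL_CIPHER:
                info["cipher"] = sval
    return info, payload
```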