HAProxy / Lets Encrypt / Postfix - Dovecot
-
Is this configuration possible?
pfSense / HAProxy will offload the SSL (w/ ACME cert) and forward on to the postfix dovecot server with a self signed certificate. The idea is that ACME will renew the certificates with HAProxy decrypting (using LetsEncrypt Cert) and re-encrypting with the self signed certificate, which will not expire (in a reasonable amount of time) and the data will be encrypted to the back end.
My assumption is that it's totally possible, but I don't want to go down a rabbit hole to find out it's not. If anyone has done this type of configuration, any pointers or things to watch out for?
-
To make this easier to understand.
Is it for securing the mail protocols (ie IMAPS) or for a webfront on the mailserver?
I have done the latter -
I don't think that's going to work properly. Especially for clients that want to do STARTTLS. HAProxy doesn't know enough about SMTP/POP3/IMAP protocols to actually proxy the protocols, just the TCP/TLS portion.
So it might work for some cases but I don't think you or your clients would be happy with the limitations.
Setup your acme client/acme.sh/certbot/whatever on the mail server directly and let it have its own certificate directly. Or setup ACME on pfSense to write the certs out and then have the mail server periodically fetch them from there and reload. Or have a script push them from pfSense to the mail server.
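A worked example of the "have the mail server fetch the certs from pfSense and reload" variant, added here and not code from jimp's post or from the pfSense ACME package. It assumes the firewall's ACME package has written `<domain>.crt` and `<domain>.key` to a directory reachable over scp (the `acme-sync@pfsense.example.lan:/conf/acme` path and the `/etc/ssl/mail` destination are placeholders). The point it adds beyond the prose: validate before touching the live config, replace files atomically, and reload only when something actually changed, so a cron run every night is harmless on the 89 days nothing was renewed.

```sh
#!/bin/sh
# Added example (not from the thread): pull-style certificate deployment
# for a Postfix/Dovecot host that fetches certs written out by pfSense's
# ACME package. Host names, user and paths below are assumptions.
set -eu

DEFAULT_RELOAD='service postfix reload; service dovecot reload'

# install_file SRC DST: atomically replace DST with SRC, mode 0400.
# Returns 0 if DST changed, 1 if it was already identical.
install_file() {
    src="$1"; dst="$2"
    if [ -f "$dst" ] && cmp -s "$src" "$dst"; then
        return 1
    fi
    tmp=$(mktemp "$(dirname "$dst")/.incoming.XXXXXX")
    cp "$src" "$tmp"
    chmod 400 "$tmp"
    mv -f "$tmp" "$dst"      # rename is atomic; a reader never sees a half-written file
    return 0
}

# looks_like_pem FILE KIND: cheap sanity check so a truncated or empty
# download is never installed. KIND is CERTIFICATE or "PRIVATE KEY".
looks_like_pem() {
    grep -q -- "-----BEGIN.*$2-----" "$1" && grep -q -- "-----END.*$2-----" "$1"
}

# deploy DOMAIN SRCDIR DSTDIR: validate, install cert and key, reload only
# on change. Returns 0 = installed and reloaded, 1 = nothing changed,
# 2 = source files failed validation (nothing touched).
deploy() {
    domain="$1"; srcdir="$2"; dstdir="$3"
    looks_like_pem "$srcdir/$domain.crt" CERTIFICATE   || { echo "bad cert for $domain" >&2; return 2; }
    looks_like_pem "$srcdir/$domain.key" "PRIVATE KEY" || { echo "bad key for $domain" >&2;  return 2; }
    mkdir -p "$dstdir"
    changed=0
    install_file "$srcdir/$domain.crt" "$dstdir/$domain.crt" && changed=1 || true
    install_file "$srcdir/$domain.key" "$dstdir/$domain.key" && changed=1 || true
    [ "$changed" -eq 1 ] || return 1
    # RELOAD_CMD can be overridden (e.g. to "true") to exercise the logic
    # on a box without a live postfix/dovecot.
    sh -c "${RELOAD_CMD:-$DEFAULT_RELOAD}" >/dev/null
    return 0
}

# fetch_from_pfsense DOMAIN WORKDIR: assumed location of the ACME package's
# output on the firewall; adjust to where your pfSense install writes certs.
fetch_from_pfsense() {
    scp -q "acme-sync@pfsense.example.lan:/conf/acme/$1.crt" \
           "acme-sync@pfsense.example.lan:/conf/acme/$1.key" "$2"/
}

main() {
    domain="$1"
    work=$(mktemp -d)
    fetch_from_pfsense "$domain" "$work"
    deploy "$domain" "$work" /etc/ssl/mail && rc=0 || rc=$?
    rm -rf "$work"
    case $rc in
        0) echo "$domain: installed new cert and reloaded services" ;;
        1) echo "$domain: unchanged, nothing reloaded" ;;
        *) exit "$rc" ;;
    esac
}

# Run only when given a domain argument, so the functions can also be sourced.
if [ $# -ge 1 ]; then
    main "$1"
fi
```

Usage from cron on the mail server: `./pull-certs.sh mail.example.test` nightly. The scp user on pfSense should be a dedicated low-privilege account whose key is limited to reading that one directory; the private key crosses the wire inside SSH, and on the mail host it lands as mode 0400 before the rename makes it visible.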
-
I'm using postfix myself on a dedicated server.
No firewall whatsoever that protects the mail ports 25, 465 and 587 - 465 and 587 being used by my mail clients, as 993 SIMAP and 995 SPOP, 110 and 143 are abandoned these days, and not postfix related.
Even STARTTLS (587) starts to fade out, it's all "465" = SMTPS these days. postfix uses the same certs from LetsEncrypt / acme.sh as the web servers on that server.
Most mails leave and enter saying " .... Trusted TLS connection established from/to .... " on port 25. What I want to say: postfix, IMHO, seems rock solid to me, and can be exposed to the net directly.
Note: I do have fail2ban scanning my main postfix mail log so it can block the mail-port hammers, and other mail servers that do not support my "minimum mail protocol requirements".
@jimp said in HAProxy / Lets Encrypt / Postfix - Dovecot:
Setup your acme client/acme.sh/certbot/whatever on the mail server directly and let it have its own certificate directly. Or setup ACME on pfSense to write the certs out and then have the mail server periodically fetch them from there and reload. Or have a script push them from pfSense to the mail server.
My acme.sh "deploy.sh" hook script:

```sh
#!/bin/sh
set -e

check_path="/root/.acme.sh/${Le_Domain}/${Le_Domain}.conf"
destination="/etc/ssl/"
destinationdir=${destination}${Le_Domain}

if [ -f "$check_path" ]; then
    if [ ! -d "$destinationdir" ]; then
        mkdir "$destinationdir"
    fi
    # one bundle (key + full chain + DH params) for the services that want it, plus a separate key file
    cat "$CERT_KEY_PATH" "$CERT_FULLCHAIN_PATH" "${destination}dh/RSA4096.pem" > "${destinationdir}/${Le_Domain}.pem"
    cp "$CERT_KEY_PATH" "${destinationdir}/${Le_Domain}.key"
    chmod 400 "${destinationdir}/${Le_Domain}.pem"
    chmod 400 "${destinationdir}/${Le_Domain}.key"
    service apache2 reload >/dev/null
    service postfix reload >/dev/null
    # courier will also use these certs.
    service courier-pop-ssl force-reload >/dev/null
    service courier-imap-ssl force-reload >/dev/null
    # exception - extra treatment :
    if [ "$Le_Domain" = "yyyy.xxxx-bbbb.org" ]; then   # single "=": this runs under /bin/sh, not bash
        service monit reload >/dev/null
        service webmin restart >/dev/null
    fi
    ACCOUNT_EMAIL=gw.kroeb@gmail.com
    cat <<-EOF | mail -r acme@aaaa-vvvvv.tld -s "Certificates renewed" "$ACCOUNT_EMAIL"
Renewed the following certificate(s):
Host: $Le_Domain
$(/root/.acme.sh/acme.sh --version 2>&1)
EOF
fi
```
used by acme.sh:

```
--deploy-hook    The hook file to deploy cert
```

where the hook file is this "deploy.sh".
For every cert on my server, the processes using it are restarted / reloaded.
edit : note : the acme.sh usage above is not to be confused with the "acme.sh" version used by the LetsEncrypt package written by Jimp.
-
Thanks for the information. I think I will set up a more conventional method to have the certs on the mail server. Just wanted to see if it was possible and not to go down the rabbit hole and waste lots of hours and head scratching trying to implement something that is not doable.
RHLinux
-
@Gertjan That's not true. SMTP 465 is deprecated. Should use 587 Submission.
Proxying SMTP & IMAP using Haproxy will not work. You can set smtpd_upstream_proxy_protocol=haproxy in main.cf for Postfix, but the problem is that IPs for SPAM filtering will not proxy pass.
I suggest not bothering, this will waste your life away. Haproxy is a HTTP Load Balancer, not a SMTP/IMAP Load Balancer; better to open Port 25, 587 & 993 NAT -> Port Forwarding, then use Port 443 for Webmail through Haproxy.
Clients that use STARTTLS will not work and will not initialize through Haproxy.
Old post I know, but this is more for people that come across this in the future.
Regards.