Haproxy secure smtp with TLS error
-
I've set up the latest haproxy-devel on a pfSense router to load balance some web servers with great success. But I'm having this error in Maillog - 'TLS handshaking: SSL_accept() syscall failed:' when using haproxy to load balance some SMTP servers.
Configuration
frontend HAFronttls
    bind 10.10.0.11:587 name 10.10.0.11:587 ssl no-sslv3 crt /var/etc/haproxy/HAFronttls.pem crt /var/etc/haproxy/HAFronttls transparent
    mode tcp
    log global
    timeout client 30000
    default_backend InfomixHAtls_tcp_ipv4

backend InfomixHAtls_tcp_ipv4
    mode tcp
    log global
    balance leastconn
    timeout connect 30000
    timeout server 30000
    retries 3
    source ipv4@ usesrc clientip
    server server11 10.10.0.251:587 check inter 60000
    server controller 10.10.0.8:587 check inter 60000

Any help will be greatly appreciated. Thanks
-
You might want to try and enable the 'ssl' checkbox on the servers so the backend connection is also encrypted.
However, it might still be troublesome to get it working, as :587 normally uses STARTTLS and only starts encrypting traffic after some plaintext SMTP commands have already passed. This will likely cause some issues further down the road. If you get it working or run into more trouble, either way please do share your results :)
-
When I set stick persistence to Stick on Source IPv4 I get these errors:

Errors found while starting haproxy
[ALERT] 244/195048 (73937) : parsing [/var/etc/haproxy_test/haproxy.cfg:104] : stick-table: unexpected character 'e' in argument of 'size'.
[ALERT] 244/195048 (73937) : Error(s) found in configuration file : /var/etc/haproxy_test/haproxy.cfg
[ALERT] 244/195048 (73937) : Proxy 'InfomixHAimaps_tcp_ipvANY': stick-table 'InfomixHAimaps_tcp_ipvANY' used but not configured.
[ALERT] 244/195048 (73937) : Fatal errors found in configuration.

Is this a bug in the pfSense HAProxy package?
-
Have you filled in the "Stick-table expire" and "Stick-table size" values? Perhaps I should add a check that they must be filled if a stick-table is to be used.
-
Thanks for a quick reply!
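The two configuration problems raised in this thread can be caught before HAProxy is restarted. The following is an added example, not code from the thread participants or the pfSense package: a small linter that flags `ssl` on a `bind` for a STARTTLS port and a `stick-table` whose `size` or `expire` has no value. The port set, the function name `lint_haproxy`, and the shape of the stick-table line produced by empty GUI fields are assumptions.

```python
import re

# Ports where clients begin in plaintext and upgrade with STARTTLS
# (assumed set for this sketch).
STARTTLS_PORTS = {25, 143, 587}
SECTIONS = ("global", "defaults", "frontend", "backend", "listen")
# Value formats this sketch accepts for stick-table size and expire.
VALUE_RE = {"size": re.compile(r"^\d+[kmg]?$", re.I),
            "expire": re.compile(r"^\d+(us|ms|s|m|h|d)?$")}

def lint_haproxy(cfg):
    """Return one finding string per problem, prefixed with the line number."""
    findings, section = [], "?"
    for lineno, raw in enumerate(cfg.splitlines(), 1):
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        if words[0] in SECTIONS:
            section = " ".join(words[:2])
        elif words[0] == "bind" and len(words) > 1 and "ssl" in words[2:]:
            # 'ssl' on bind means HAProxy waits for a TLS ClientHello at once,
            # but a STARTTLS client first waits for the plaintext banner.
            port = words[1].rsplit(":", 1)[-1]
            if port.isdigit() and int(port) in STARTTLS_PORTS:
                findings.append(f"{lineno}: {section}: 'ssl' on bind for STARTTLS port {port}")
        elif words[0] == "stick-table":
            for key, pattern in VALUE_RE.items():
                idx = words.index(key) if key in words else len(words)
                value = words[idx + 1] if idx + 1 < len(words) else ""
                if not pattern.match(value):
                    findings.append(f"{lineno}: {section}: stick-table {key} missing or invalid (got {value!r})")
    return findings

# Constructed sample: the frontend from the first post plus a stick-table line
# as it would look with both GUI fields left empty (assumption).
SAMPLE = """\
frontend HAFronttls
    bind 10.10.0.11:587 name 10.10.0.11:587 ssl no-sslv3 crt /var/etc/haproxy/HAFronttls.pem
    mode tcp
    default_backend InfomixHAtls_tcp_ipv4
backend InfomixHAimaps_tcp_ipvANY
    mode tcp
    stick-table type ip size expire
    stick on src
"""

if __name__ == "__main__":
    for finding in lint_haproxy(SAMPLE):
        print(finding)
```

On the sample, the stick-table finding reports `expire` as the value read for `size`, which matches the "unexpected character 'e' in argument of 'size'" alert quoted above.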