Netgate Discussion Forum

HaProxy Postfix ssl offloading

    rainbowHash
    last edited by rainbowHash Aug 8, 2019, 11:33 AM

    Hello pfSense gurus, I would like to ask the following question since, after searching the forum for around 2 hours, I was not able to find an answer to this:

    I am trying to run postfix/dovecot in a VM behind pfSense with HA Proxy.

    The reason I want to do that is because I would like pfSense to handle all certificates that are issued from Let's Encrypt.
    So far HAProxy is doing SSL offloading for http and https traffic and that works really well. I would like to do the same for postfix and dovecot,
    i.e. I would like to offload ports 465 and 993 to go directly to 25 and 143 respectively.

    However, the first thing I bumped into is that on the pfSense side I needed to change the mode from http to tcp according to this page:

    https://www.haproxy.com/blog/efficient-smtp-relay-infrastructure-with-postfix-and-load-balancers/

    Now, if I change the mode through

    Services -> HAProxy -> Frontend myfrontend -> Edit HAProxy Frontend > type

    it says ssl/https (TCP mode) but it does not say offloading.

    Does that mean that it will not offload the TLS? I guess it does do offloading, since when I try to connect I get the Let's Encrypt certificate, but I immediately get closed:

    openssl s_client -connect mail.myDomain.com:465 
    ....
    ---
    closed
    

    I did enable the option, i.e. in the postfix main.cf the entry

    postscreen_upstream_proxy_protocol = haproxy
    

    but I do not know where to configure the HAProxy backend on pfSense to enable the send-proxy option, i.e. it should look like this, for example:

    backend bk_postfix
      mode tcp
      log global
      option tcplog
      timeout server 1m
      timeout connect 5s
      server postfix 127.0.0.1:10024 send-proxy
    

    but currently on the firewall I see the following, if I run on the firewall

    cat /var/etc/haproxy/haproxy.cfg

    backend SMTPServer_ipvANY
           mode                    tcp
           id                      102
           log                     global
           timeout connect         30000
           timeout server          30000
           retries                 3
           option                  smtpchk HELO 
           server                  mail.myDomain.com 192.168.11.1:25 id 103 check inter 1000  
    
    
    frontend smtp.mail.myDomain.com.465
           bind                    MY_PUBLIC_IP_HERE:465 name MY_PUBLIC_IP_HERE:465   ssl crt-list /var/etc/haproxy/smtp.mail.myDomain.com.465.crt_list  
           mode                    tcp
           log                     global
           timeout client          30000
           acl                     ACL465  src MY_PUBLIC_IP_HERE
           use_backend SMTPServer_ipvANY  if  ACL465
    

    Where can I enable that "send-proxy" option in the pfSense GUI? Is there any documentation somewhere about how this can be properly configured?

    Many thanks in advance

      Gertjan
      last edited by Aug 8, 2019, 3:41 PM

      Not a solution but a proposition:

      Postfix is just happy with the acme (Let's Encrypt) certs that pfSense can generate - my mail server uses acme and postfix to handle all the SSL stuff (pop / imap included, using "courier").
      Why not copy (scripting :) ) the cert to the postfix machine and use a more classic postfix setup?
      NAT ports 25 - 465 - 587 through pfSense to the postfix machine and you're done.

      No "help me" PM's please. Use the forum, the community will thank you.
      Edit: and where are the logs??

        rainbowHash
        last edited by Aug 8, 2019, 4:15 PM

        Gertjan,

        many thanks for the reply. I do understand what you are saying and this might work, but the first problem I have is that I do not have such a script, and since http offloading is working just great I was thinking that this might be a good idea to try the same with postfix. I then found that the proxy protocol is even implemented for dovecot, and since those are de facto the standard mail gateways nowadays under most Linux distributions, I thought that it would be a good way to separate the concerns, i.e. certificates on the firewall and services behind them. But I would be glad to try even a script. Can you share your script with me?

          PiBa @rainbowHash
          last edited by Aug 10, 2019, 11:56 AM

          @rainbowHash said in HaProxy Postfix ssl offloading:

          where to configure the haproxy backend on Pfsense to enable the send-proxy option

          You can manually write such an option in the advanced server pass-thru options text field. Either per server separately, if you edit a server and expand the extra options part of each server, or in the box that applies 'to all servers' in that backend.

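The PROXY protocol exchange that the original question and PiBa's answer are about, written out as an added example that is not part of the thread and not pfSense or HAProxy code. When a backend `server` line carries `send-proxy`, HAProxy writes one text line ("PROXY TCP4 client dest sport dport") onto the TCP connection before any SMTP or IMAP traffic, and a Postfix listener with `postscreen_upstream_proxy_protocol = haproxy` refuses the connection if that line is missing; a listener without that setting is confused by the line instead. Both halves are simulated offline below so the mismatch can be seen without a mail server. All addresses and ports are constructed values for the demonstration; the header format follows HAProxy's published PROXY protocol v1 text form.

```python
"""PROXY protocol v1 (the format HAProxy's `send-proxy` emits), both sides.

Added example, not from the forum thread. It builds the header the proxy
sends, parses it the way a backend must, and models what happens when the
two ends disagree about whether the header is expected.
"""
import ipaddress

CRLF = b"\r\n"
MAX_V1_LINE = 107  # longest legal PROXY v1 line including CRLF, per the spec
HAPROXY_INTERNAL_IP = "192.168.11.254"  # constructed: the proxy's LAN address


def build_proxy_v1(src_ip: str, dst_ip: str, src_port: int, dst_port: int) -> bytes:
    """Build the line HAProxy sends ahead of the stream for `server ... send-proxy`."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    if src.version != dst.version:
        raise ValueError("source and destination must be the same IP family")
    for p in (src_port, dst_port):
        if not 0 <= p <= 65535:
            raise ValueError("port out of range")
    family = "TCP4" if src.version == 4 else "TCP6"
    return f"PROXY {family} {src} {dst} {src_port} {dst_port}".encode("ascii") + CRLF


def parse_proxy_v1(stream: bytes):
    """Parse the header a proxy-protocol-aware backend expects first on the wire.

    Returns (info, remaining_bytes). Raises ValueError when the data does not
    start with a valid PROXY line; that failure is what makes a backend that
    requires the header drop a connection arriving without it.
    """
    if not stream.startswith(b"PROXY "):
        raise ValueError("connection did not start with a PROXY v1 header")
    end = stream.find(CRLF, 0, MAX_V1_LINE)
    if end == -1:
        raise ValueError("PROXY line missing CRLF within the allowed length")
    fields = stream[:end].decode("ascii").split(" ")
    if len(fields) == 2 and fields[1] == "UNKNOWN":
        # The proxy tells the backend it cannot say who the client is.
        return {"family": "UNKNOWN"}, stream[end + 2:]
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed PROXY v1 header")
    _, family, src_ip, dst_ip, src_port, dst_port = fields
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    expected = 4 if family == "TCP4" else 6
    if src.version != expected or dst.version != expected:
        raise ValueError("address family does not match the header")
    sp, dp = int(src_port), int(dst_port)
    if not (0 <= sp <= 65535 and 0 <= dp <= 65535):
        raise ValueError("port out of range")
    info = {"family": family, "src_ip": str(src), "dst_ip": str(dst),
            "src_port": sp, "dst_port": dp}
    return info, stream[end + 2:]


def backend_accepts(stream: bytes, expects_proxy_protocol: bool):
    """Model the backend's decision for one incoming TCP connection.

    Returns (accepted, client_ip_as_seen_by_backend, application_data).
    A Postfix/Dovecot listener configured for the proxy protocol needs the
    header; one that is not configured for it must not receive one.
    """
    if expects_proxy_protocol:
        try:
            info, rest = parse_proxy_v1(stream)
        except ValueError:
            return False, None, b""
        return True, info.get("src_ip"), rest
    if stream.startswith(b"PROXY "):
        # Plain listener: the PROXY line is garbage ahead of the SMTP/IMAP dialogue.
        return False, None, b""
    # Plain listener behind a proxy: it only ever sees the proxy's own address.
    return True, HAPROXY_INTERNAL_IP, stream


if __name__ == "__main__":
    hdr = build_proxy_v1("203.0.113.7", "192.168.11.1", 51234, 25)
    print(hdr)
    print(backend_accepts(b"EHLO client\r\n", expects_proxy_protocol=True))
    print(backend_accepts(hdr + b"EHLO client\r\n", expects_proxy_protocol=True))
```

The first `backend_accepts` call in the usage section is the situation described in the opening post: Postfix expects the header, HAProxy is not sending it, so the backend side refuses and the client only sees the TLS handshake followed by a close. Two practical checks follow from this: the `send-proxy` option must end up on the `server` line of the generated `/var/etc/haproxy/haproxy.cfg` (which is what the pass-thru options field writes), and a health check such as `option smtpchk` also has to send the header (HAProxy's `check-send-proxy` server option), otherwise the backend rejects the check itself, the server is marked down and the frontend closes every connection.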