HaProxy Postfix ssl offloading

  • Hello PfSense gurus i would like to ask the following question since after search the forum for around 2 hours i was not able to find an aswer to this:

    I am trying to run postfix/dovecot in a VM behind pfSense with HA Proxy.

    The reason i want to do that is because i would like PfSense to handle all certificates that are issued from LetsEncript.
    So far HAProxy is doing ssl offloading for http and https traffic and that works really well. I would like to do the same for postfix and dovecot.
    i.e. i would like to offload port 465 and 993 to go directly to 25 and 143 correspondingly

    However the first thing i bumped into is on the PfSense side i needed to change the mode from http to tcp according to this page

    [https://www.haproxy.com/blog/efficient-smtp-relay-infrastructure-with-postfix-and-load-balancers/](link url)

    now If i change the mode trough

    Services -> HAProxy -> Frontend myforntend -> Edit HAProxy Frontend > type

    it says ssl/https(TCP mode) but it does not says offloading

    Does that mean that it will not offload the tls ? I guess it does do offloading since when i try to connect i.e. i get the letsencript certificate but i immediatelly get closed.

    openssl s_client -connect mail.myDomain.com:465 

    I did enabled the option i.e. in the postfix main.cf the entry

    postscreen_upstream_proxy_protocol = haproxy

    but i do not know where to configure the haproxy backend on Pfsense to enable the send-proxy option i.e. it should look like that for example

    backend bk_postfix
      mode tcp
      log global
      option tcplog
      timeout server 1m
      timeout connect 5s
      server postfix send-proxy

    but currently on the firewall i see
    if i do on the firewall

    cat /var/etc/haproxy/haproxy.cfg

    backend SMTPServer_ipvANY
           mode                    tcp
           id                      102
           log                     global
           timeout connect         30000
           timeout server          30000
           retries                 3
           option                  smtpchk HELO 
           server                  mail.myDomain.com id 103 check inter 1000  
    frontend smtp.mail.myDomain.com.465
           bind                    MY_PUBLIC_IP_HERE:465 name MY_PUBLIC_IP_HERE:465   ssl crt-list /var/etc/haproxy/smtp.mail.myDomain.com.465.crt_list  
           mode                    tcp
           log                     global
           timeout client          30000
           acl                     ACL465  src MY_PUBLIC_IP_HERE
           use_backend SMTPServer_ipvANY  if  ACL465

    Where can i enable that "send-proxy" option in the PfSense GUI. Is there any documentation about this somewhere how this can be properly configured?

    Many thanks in advanced

  • Not a solution but a proposition :

    postfix is just happy with the acme (Letenscrypt) certs that pfSense can generates - my mail server uses acme and postfix to handle all the SSL stuff (pop / imap included using "courier" ).
    Why not copying (scripting :) )the cert to the postfix machine - and use a more classic postfix setup ?
    NAT ports 25 - 465 - 587 through pfSense to the postfix machine and your done.

  • Gertjan,

    many thanks for the reply. I do understand what you are saying and this might work but the first problem i have is that i do not have such script and since http ofloading is working jut great i was thing that this might be a good idea to try the same with postfix. I then found that the proxy protocol is even implemented for dovecot and since those are defacto the standard mail gateways nowadays under the most Linux distribution i though that i will a good ways to separate the concerns i.e. certificates on the firewall and services behind them. But i would be glad to try even a script. Can you share your script with me ?

  • @rainbowHash said in HaProxy Postfix ssl offloading:

    where to configure the haproxy backend on Pfsense to enable the send-proxy option

    You can manually write such a option in the advanced server pass-tru options text field. Either per server separately if you edit a server and expand the extra options part of each server. Or in the the box that applies 'to all servers' in that backend.

Log in to reply