HAProxy Postfix SSL offloading
rainbowHash last edited by rainbowHash
Hello pfSense gurus, I would like to ask the following question, since after searching the forum for around 2 hours I was not able to find an answer to this:
I am trying to run postfix/dovecot in a VM behind pfSense with HAProxy.
The reason I want to do that is because I would like pfSense to handle all certificates that are issued by Let's Encrypt.
So far HAProxy is doing SSL offloading for http and https traffic and that works really well. I would like to do the same for postfix and dovecot,
i.e. I would like to offload ports 465 and 993 to go directly to 25 and 143 correspondingly.
However, the first thing I bumped into is that on the pfSense side I needed to change the mode from http to tcp according to this page.
Now if I change the mode through
Services -> HAProxy -> Frontend myforntend -> Edit HAProxy Frontend > type
it says ssl/https(TCP mode) but it does not say offloading.
Does that mean that it will not offload the TLS? I guess it does do offloading, since when I try to connect I get the Let's Encrypt certificate but I immediately get closed.
openssl s_client -connect mail.myDomain.com:465 .... --- closed
I did enable the option, i.e. in the postfix main.cf the entry
    postscreen_upstream_proxy_protocol = haproxy
but I do not know where to configure the HAProxy backend on pfSense to enable the send-proxy option, i.e. it should look like this, for example:
    backend bk_postfix
        mode tcp
        log global
        option tcplog
        timeout server 1m
        timeout connect 5s
        server postfix 127.0.0.1:10024 send-proxy
but currently on the firewall i see
if i do on the firewall
    backend SMTPServer_ipvANY
        mode tcp
        id 102
        log global
        timeout connect 30000
        timeout server 30000
        retries 3
        option smtpchk HELO
        server mail.myDomain.com 192.168.11.1:25 id 103 check inter 1000

    frontend smtp.mail.myDomain.com.465
        bind MY_PUBLIC_IP_HERE:465 name MY_PUBLIC_IP_HERE:465 ssl crt-list /var/etc/haproxy/smtp.mail.myDomain.com.465.crt_list
        mode tcp
        log global
        timeout client 30000
        acl ACL465 src MY_PUBLIC_IP_HERE
        use_backend SMTPServer_ipvANY if ACL465
Where can I enable that "send-proxy" option in the pfSense GUI? Is there any documentation somewhere about how this can be properly configured?
Many thanks in advance
Gertjan last edited by
Not a solution but a proposition:
postfix is just happy with the acme (Let's Encrypt) certs that pfSense can generate - my mail server uses acme and postfix to handle all the SSL stuff (pop / imap included, using "courier").
Why not copy (scripting :) ) the cert to the postfix machine - and use a more classic postfix setup?
NAT ports 25 - 465 - 587 through pfSense to the postfix machine and you're done.
rainbowHash last edited by
Many thanks for the reply. I do understand what you are saying and this might work, but the first problem I have is that I do not have such a script, and since http offloading is working just great I was thinking that it might be a good idea to try the same with postfix. I then found that the proxy protocol is even implemented for dovecot, and since those are de facto the standard mail gateways nowadays under most Linux distributions, I thought that it would be a good way to separate the concerns, i.e. certificates on the firewall and services behind them. But I would be glad to try even a script. Can you share your script with me?
PiBa last edited by
where to configure the haproxy backend on Pfsense to enable the send-proxy option
You can manually write such an option in the advanced server pass-thru options text field. Either per server separately, if you edit a server and expand the extra options part of each server, or in the box that applies 'to all servers' in that backend.
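
An added example, not part of any post in this thread: with send-proxy on the server line, HAProxy writes a one-line PROXY protocol v1 header ahead of the SMTP traffic, and the receiver should accept that header only from the proxy's own address. The Python sketch below parses and validates such a header; the sample bytes and the proxy address 192.168.11.254 are constructed assumptions.

```python
import ipaddress

MAX_V1_LINE = 107  # longest v1 header the PROXY protocol spec allows, CRLF included

# Constructed sample: what the mail server reads first once send-proxy is on.
SAMPLE = b"PROXY TCP4 203.0.113.7 192.0.2.10 51234 25\r\nEHLO client.example\r\n"
TRUSTED_PROXIES = {"192.168.11.254"}  # assumed LAN address of the pfSense box


def parse_proxy_v1(data, peer_ip, trusted=TRUSTED_PROXIES):
    """Return (client_ip, client_port, remaining_bytes) or raise ValueError."""
    # The header is plain text from whoever connects, so only the proxy
    # itself may supply it; anyone else could claim any source address.
    if peer_ip not in trusted:
        raise ValueError("PROXY header from untrusted peer " + peer_ip)
    end = data.find(b"\r\n", 0, MAX_V1_LINE)
    if not data.startswith(b"PROXY ") or end == -1:
        raise ValueError("no PROXY v1 header before application data")
    fields = data[:end].decode("ascii").split(" ")
    rest = data[end + 2:]
    if fields[1] == "UNKNOWN":  # proxy could not determine the client
        return None, None, rest
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed PROXY v1 header")
    family = 4 if fields[1] == "TCP4" else 6
    src = ipaddress.ip_address(fields[2])
    dst = ipaddress.ip_address(fields[3])
    if src.version != family or dst.version != family:
        raise ValueError("address family does not match " + fields[1])
    if not (fields[4].isdigit() and fields[5].isdigit()):
        raise ValueError("non-numeric port")
    sport, dport = int(fields[4]), int(fields[5])
    if sport > 65535 or dport > 65535:
        raise ValueError("port out of range")
    return str(src), sport, rest


if __name__ == "__main__":
    print(parse_proxy_v1(SAMPLE, "192.168.11.254"))
```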