HAProxy / Lets Encrypt / Postfix - Dovecot



  • [attached diagram: Drawing1.jpg]

    Is this configuration possible?

    pfSense / HAProxy will offload the SSL (w/ ACME cert) and forward on to the Postfix/Dovecot server with a self-signed certificate. The idea is that ACME will renew the certificates, with HAProxy decrypting (using the Let's Encrypt cert) and re-encrypting with the self-signed certificate, which will not expire (in a reasonable amount of time), and the data will be encrypted to the back end.

    My assumption is that it's totally possible, but I don't want to go down a rabbit hole to find out it's not. If anyone has done this type of configuration, any pointers or things to watch out for?



  • To make this easier to understand.

    Is it for securing the mail protocols (i.e. IMAPS) or for a web front end on the mail server?
    I have done the latter.


  • Rebel Alliance Developer Netgate

    I don't think that's going to work properly. Especially for clients that want to do STARTTLS. HAProxy doesn't know enough about SMTP/POP3/IMAP protocols to actually proxy the protocols, just the TCP/TLS portion.

    So it might work for some cases but I don't think you or your clients would be happy with the limitations.

    Set up your acme client/acme.sh/certbot/whatever on the mail server directly and let it have its own certificate directly. Or set up ACME on pfSense to write the certs out and then have the mail server periodically fetch them from there and reload. Or have a script push them from pfSense to the mail server.
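The "mail server periodically fetches them from pfSense and reloads" variant of the advice above, written out as an added example (this is not code from the thread or from the pfSense ACME package). It assumes an SSH key on the mail server that can read the ACME output on pfSense, the ACME package's default output directory /conf/acme with files <certname>.fullchain and <certname>.key, a destination directory /etc/ssl/mail that Postfix and Dovecot point at, and `service postfix reload` / `service dovecot reload` as the reload commands; all of those names are assumptions you adjust to your setup. The point of the script is the checks: it refuses to swap in a chain whose private key does not match, or one that is about to expire, installs the pair atomically, and only reloads when the certificate actually changed.

```sh
#!/bin/sh
# Added example, not from the thread: pull the ACME certificate from pfSense,
# validate it, install it atomically and reload the MTA only when it changed.
# Assumed names: the pfSense host/user, /conf/acme layout, /etc/ssl/mail and
# the service reload commands. Adjust them for your own hosts.
set -eu
umask 077

PFSENSE="${PFSENSE:-acme@pfsense.example.org}"   # assumed SSH user@host on pfSense
REMOTE_DIR="${REMOTE_DIR:-/conf/acme}"          # assumed ACME package output dir
DEST_DIR="${DEST_DIR:-/etc/ssl/mail}"           # assumed path Postfix/Dovecot read

# SHA-256 fingerprint of the first (leaf) certificate in a PEM file.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# 0 if the private key belongs to the certificate, 1 otherwise.
# Comparing the public keys works for RSA and ECDSA alike (unlike -modulus).
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# 0 if the certificate is still valid for at least $2 more seconds.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# install_if_changed <new chain> <new key> <dest dir>
# Returns 0 when a new pair was installed (a reload is needed),
#         1 when the installed certificate is already the same one,
#         2 when the new material failed validation and nothing was touched.
install_if_changed() {
    new_chain=$1; new_key=$2; dest=$3
    if [ -f "$dest/mail.pem" ] &&
       [ "$(cert_fingerprint "$new_chain")" = "$(cert_fingerprint "$dest/mail.pem")" ]; then
        return 1
    fi
    cert_matches_key "$new_chain" "$new_key" || return 2
    cert_valid_for "$new_chain" 86400 || return 2   # refuse a cert that dies within a day
    mkdir -p "$dest"
    # Write both files completely, then rename: a reload never sees a half-written file.
    cp "$new_chain" "$dest/mail.pem.tmp"
    cp "$new_key"   "$dest/mail.key.tmp"
    chmod 400 "$dest/mail.pem.tmp" "$dest/mail.key.tmp"
    mv "$dest/mail.pem.tmp" "$dest/mail.pem"
    mv "$dest/mail.key.tmp" "$dest/mail.key"
    return 0
}

main() {
    certname=$1
    tmp=$(mktemp -d)
    trap 'rm -rf "$tmp"' EXIT
    scp -q "$PFSENSE:$REMOTE_DIR/$certname.fullchain" "$tmp/chain"
    scp -q "$PFSENSE:$REMOTE_DIR/$certname.key" "$tmp/key"
    if install_if_changed "$tmp/chain" "$tmp/key" "$DEST_DIR"; then
        service postfix reload
        service dovecot reload
        echo "installed certificate $(cert_fingerprint "$DEST_DIR/mail.pem")"
    else
        rc=$?
        if [ "$rc" -eq 1 ]; then
            echo "certificate unchanged, nothing to do"
        else
            echo "new certificate/key rejected, keeping the installed pair" >&2
            return "$rc"
        fi
    fi
}

# Usage from cron: pull-cert.sh mail.example.org
if [ "$#" -eq 0 ]; then
    echo "usage: $0 <certname>" >&2
else
    main "$@"
fi
```

Run it from cron a few times a day; because it compares fingerprints before touching anything, the extra runs cost nothing, and a broken download (mismatched key, expired chain) leaves the running configuration untouched instead of taking the MTA down at 03:00.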



  • I'm using postfix myself on a dedicated server.
    No firewall whatsoever protects the mail ports 25, 465 and 587; 465 and 587 are used by my mail clients, as are 993 (SIMAP) and 995 (SPOP). 110 and 143 are abandoned these days, and not Postfix related.
    Even STARTTLS (587) starts to fade out; it's all "465" = SMTPS these days.

    Postfix uses the same certs from Let's Encrypt / acme.sh as the web servers on that server.
    Most mails leave and enter saying " .... Trusted TLS connection established from/to .... " on port 25.

    What I want to say: Postfix, IMHO, seems rock solid to me, and can be exposed to the net directly.

    Note: I do have fail2ban scanning my main Postfix mail log so it can block the mail-port hammers, and other mail servers that do not support my "minimum mail protocol requirements".

    @jimp said in HAProxy / Lets Encrypt / Postfix - Dovecot:

    Set up your acme client/acme.sh/certbot/whatever on the mail server directly and let it have its own certificate directly. Or set up ACME on pfSense to write the certs out and then have the mail server periodically fetch them from there and reload. Or have a script push them from pfSense to the mail server.

    My acme.sh "deploy.sh" hook script:

    #!/bin/sh
    # acme.sh --deploy-hook script. acme.sh exports Le_Domain, CERT_KEY_PATH
    # and CERT_FULLCHAIN_PATH into the environment before calling it.
    set -e
    # The files written below contain the private key: never let them be
    # world-readable, not even between creation and the chmod.
    umask 077

    check_path="/root/.acme.sh/${Le_Domain}/${Le_Domain}.conf"
    destination="/etc/ssl/"
    destinationdir="${destination}${Le_Domain}"

    if [ -f "$check_path" ]; then
        mkdir -p "$destinationdir"

        # One bundle (key + full chain + DH params) for services that want a
        # single file, plus the bare key for those that take it separately.
        cat "$CERT_KEY_PATH" "$CERT_FULLCHAIN_PATH" "${destination}dh/RSA4096.pem" \
            > "${destinationdir}/${Le_Domain}.pem"
        cp "$CERT_KEY_PATH" "${destinationdir}/${Le_Domain}.key"
        chmod 400 "${destinationdir}/${Le_Domain}.pem"
        chmod 400 "${destinationdir}/${Le_Domain}.key"

        # Every service using this certificate re-reads it on reload.
        service apache2 reload >/dev/null
        service postfix reload >/dev/null

        # courier will also use these certs.
        service courier-pop-ssl force-reload >/dev/null
        service courier-imap-ssl force-reload >/dev/null

        # exception - extra treatment:
        # ('=' is the POSIX string test; '==' only works in bash, not in /bin/sh)
        if [ "$Le_Domain" = "yyyy.xxxx-bbbb.org" ]; then
            service monit reload >/dev/null
            service webmin restart >/dev/null
        fi

        ACCOUNT_EMAIL=gw.kroeb@gmail.com

        mail -r acme@aaaa-vvvvv.tld -s "Certificates renewed" "$ACCOUNT_EMAIL" <<EOF

    Renewed the following certificate(s):
    Host: $Le_Domain

    $(/root/.acme.sh/acme.sh --version 2>&1)

    EOF
    fi

    used by acme.sh:

       --deploy-hook                     The hook file to deploy cert
    

    where the hook file is this "deploy.sh".
    For every cert on my server, the processes using it are restarted / reloaded.

    edit: note: the acme.sh usage above is not to be confused with the "acme.sh" version used by the Let's Encrypt package written by Jimp.
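The post above relies on reading the "... TLS connection established from/to ..." lines in the Postfix log to see what peers negotiate. As an added example (not code from the thread, and not part of Postfix or fail2ban), here is a small log summary that turns those lines into the two numbers worth knowing before tightening smtpd_tls_* settings or writing a fail2ban filter: how many connections land at each Postfix trust level (Anonymous, Untrusted, Trusted, Verified), and which peers still negotiate TLS 1.0/1.1. The log lines embedded in the script are constructed samples in Postfix's log format; hostnames and addresses are documentation values.

```sh
#!/bin/sh
# Added example, not from the thread: summarise Postfix TLS log lines.
# SAMPLE_LOG is a constructed stand-in for /var/log/mail.log.
set -eu

SAMPLE_LOG=$(cat <<'EOF'
Dec 12 10:15:02 mail postfix/smtpd[1201]: Trusted TLS connection established from mx1.example.net[203.0.113.10]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Dec 12 10:15:40 mail postfix/smtp[1210]: Trusted TLS connection established to mx.example.com[198.51.100.5]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Dec 12 10:16:11 mail postfix/smtpd[1201]: Anonymous TLS connection established from unknown[192.0.2.77]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Dec 12 10:17:03 mail postfix/smtpd[1203]: Untrusted TLS connection established from old-relay.example.org[203.0.113.44]: TLSv1 with cipher AES256-SHA (256/256 bits)
Dec 12 10:17:30 mail postfix/submission/smtpd[1230]: Trusted TLS connection established from client.example.org[198.51.100.9]: TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)
Dec 12 10:18:00 mail postfix/smtpd[1203]: connect from plain.example.org[203.0.113.90]
EOF
)

# Read Postfix log text on stdin, print "<trust level> <count>" per level.
# The level is the word Postfix writes just before "TLS connection established":
# Anonymous (no cert), Untrusted (cert not chaining to a trusted CA),
# Trusted (chains to a trusted CA), Verified (also matches the expected name).
tls_levels() {
    awk '/TLS connection established/ {
            for (i = 1; i <= NF; i++)
                if ($i == "TLS" && $(i+1) == "connection") { n[$(i-1)]++; break }
         }
         END { for (l in n) print l, n[l] }' | LC_ALL=C sort
}

# Read Postfix log text on stdin, print "<peer> <protocol>" for every
# connection that negotiated TLS 1.0 or 1.1, i.e. the peers that would be
# cut off by raising smtpd_tls_protocols / smtp_tls_protocols to >=TLSv1.2.
weak_tls_peers() {
    awk '/TLS connection established/ {
            proto = ""
            for (i = 1; i <= NF; i++)
                if ($i ~ /^TLSv/) { proto = $i; break }
            if (proto == "TLSv1" || proto == "TLSv1.1") {
                peer = $0
                sub(/.*established (from|to) /, "", peer)
                sub(/: TLSv.*/, "", peer)
                print peer, proto
            }
         }'
}

echo "connections per trust level:"
printf '%s\n' "$SAMPLE_LOG" | tls_levels
echo "peers still on TLS 1.0/1.1:"
printf '%s\n' "$SAMPLE_LOG" | weak_tls_peers
```

On a real server run `tls_levels < /var/log/mail.log` (or pipe in `journalctl -u postfix`); a large Anonymous or Untrusted share on port 25 is normal for inbound MX traffic, because most sending servers present certificates nobody verifies, while anything other than Trusted on the submission port means a client is not presenting the certificate you expect.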



    Thanks for the information. I think I will set up a more conventional method to have the certs on the mail server. Just wanted to see if it was possible and not go down the rabbit hole and waste lots of hours and head scratching trying to implement something that is not doable.

    RHLinux

