I use HAProxy as a mail frontend (IMAPS) in SSL termination mode (mail clients are configured to use IMAP server 192.168.88.2, the HAProxy host).

Config:

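```
frontend ft_imaps
    mode tcp
    # TLS from the mail clients is terminated here
    bind 192.168.88.2:993 ssl crt /etc/pki/tls/certs/cert.pem
    # must name a backend that is defined (the only one below is bk_imaps)
    default_backend bk_imaps
    log global
    timeout client 1m
    option tcplog

backend bk_imaps
    mode tcp
    log global
    option tcplog
    timeout server 1m
    timeout connect 30s
    # re-encrypts to the IMAP server; "verify none" skips validation of its certificate
    server SRV1 192.168.2.30:993 check maxconn 20 ssl verify none
```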

All is OK if all virtual domains are served by server 192.168.2.30. But if I want to route mail traffic for virtual domain 'domain1.local' to 192.168.2.30 and for 'domain2.local' to another server (for example, 10.10.100.4), how can I filter this on HAProxy?

As far as I can tell, it is impossible, because HAProxy can't analyze which virtual domain each email belongs to. From configuration.txt: mode tcp is for SSL, SSH, SMTP. And in tcp mode "no layer 7 examination will be performed". So SMTP headers are not accessible in tcp mode.

So, if I need to use a single point for mail traffic, I can try an ACL based on src (client IP address), or make several frontends (:1994 -> 192.168.2.31, :1995 -> 10.10.100.4) and set up the client mail software accordingly?

Is 'mode http' not suitable for this?

Marvin
  • Does this answer your question? [haproxy multihost with ssl acl](https://serverfault.com/questions/561479/haproxy-multihost-with-ssl-acl) – Gerald Schneider May 15 '20 at 09:35
  • The upvoted post (not the accepted one) shows how to handle multiple backends with SSL for different domains. However, it uses SNI, which is AFAIK not implemented in the SMTP protocol. I don't think this is possible with the SMTP protocol due to this, but I'm not an expert in this area and could be wrong. – Gerald Schneider May 15 '20 at 09:37
  • Interesting idea about SNI! – Marvin May 15 '20 at 10:03
  • If the email client is configured with the HAProxy address (and only the login points to the email domain), SNI will not work, because the domain (which SNI will see) is the HAProxy address? – Marvin May 15 '20 at 10:20
  • In order to use SNI, HAProxy should receive the mail traffic, but this traffic should be addressed not to the HAProxy host, but to certain services "behind" HAProxy? https://www.haproxy.com/blog/enhanced-ssl-load-balancing-with-server-name-indication-sni-tls-extension/ – Marvin May 15 '20 at 10:23
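
The SNI idea from the comments, applied to the SSL-terminating frontend in the question, as an added example that is not part of the original post. SNI travels in the TLS ClientHello, before any IMAP data, so HAProxy can match it with `ssl_fc_sni` while staying in `mode tcp`. Assumptions: each domain's clients connect to their own hostname (the hypothetical `mail.domain1.local` and `mail.domain2.local`, both resolving to 192.168.88.2) and send SNI; the certificate directory, CA file and backend names are also hypothetical.

```haproxy
# Added example, not the poster's configuration.
# Hypothetical names: mail.domain1.local, mail.domain2.local, bk_domain1,
# bk_domain2, /etc/haproxy/certs/, /etc/haproxy/backend-ca.pem.
frontend ft_imaps
    mode tcp
    # A directory as "crt" loads every PEM in it (certificate + key per file);
    # HAProxy presents the certificate whose name matches the client's SNI.
    bind 192.168.88.2:993 ssl crt /etc/haproxy/certs/
    log global
    option tcplog
    timeout client 1m
    # ssl_fc_sni is the server name from the TLS handshake HAProxy terminated.
    use_backend bk_domain1 if { ssl_fc_sni -i mail.domain1.local }
    use_backend bk_domain2 if { ssl_fc_sni -i mail.domain2.local }
    # Clients that send no SNI, or an unknown name, end up here.
    default_backend bk_domain1

backend bk_domain1
    mode tcp
    log global
    option tcplog
    timeout server 1m
    timeout connect 30s
    # "verify required" validates the server certificate against ca-file;
    # verifyhost additionally checks the name in that certificate.
    server SRV1 192.168.2.30:993 check maxconn 20 ssl verify required ca-file /etc/haproxy/backend-ca.pem verifyhost mail.domain1.local

backend bk_domain2
    mode tcp
    log global
    option tcplog
    timeout server 1m
    timeout connect 30s
    server SRV2 10.10.100.4:993 check maxconn 20 ssl verify required ca-file /etc/haproxy/backend-ca.pem verifyhost mail.domain2.local
```

If every client is pointed at the bare address 192.168.88.2, no usable server name arrives and all connections fall through to `default_backend`.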

0 Answers