
Sadly, I have spent all weekend on this and I'm hoping someone can tell me if what I want to do is even possible or a good idea.

I am trying to use an AWS Classic Load Balancer to terminate SSL before forwarding the decrypted TCP traffic to my EC2 Instance that has postfix and dovecot installed and configured for IMAP and SMTP.

I know Proxy Protocol will help forward along the original IP address and port, but how will postfix/dovecot know when the connection was an SSL one?

What about STARTTLS, can that be configured to work with a load balancer?

My understanding is that the load balancer ports can either accept TCP or SSL, but not be configured for both.

Thank you for your help.

  • Any interface supporting the Proxy protocol must only accept connections supporting the Proxy protocol. The Proxy protocol forwards a tuple about the connection protocol, source address and port, and target address and port (the outside target interface on the balancer). *That* is how the inner service knows which outside port accepted the connection, and thus whether TLS was used. Is there a reason you're not doing the TLS on the servers? – Michael - sqlbot Aug 28 '17 at 03:25
  • Hi Michael, thanks for the help. My reason for not doing the TLS on the servers is to take advantage of the free security certificates AWS users can generate for their load balancer. – user2959602 Aug 28 '17 at 15:24
  • Did you ever figure this out? I am in the same situation but not on AWS. – user969068 Jun 23 '20 at 08:09
  • Unfortunately, no I didn't. I ended up just purchasing a cert from a CA and installing it locally. Wish I could be of more help. Good luck. – user2959602 Jun 25 '20 at 14:04

0 Answers
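As a worked illustration of the tuple Michael describes in the comments (added here as an example; it is not code from the thread, and neither Postfix nor Dovecot uses it), the block below parses a PROXY protocol v1 header and then does the check a backend would do: the destination port in the header is the balancer's front-end listener port, so a constructed table of "which front ports were SSL listeners" (993 and 465) versus "which were plain TCP listeners" (143, 587, 25) tells the backend whether the bytes that follow were already decrypted by the balancer. Postfix and Dovecot have their own header handling (Postfix's `smtpd_upstream_proxy_protocol = haproxy`, Dovecot's `haproxy = yes` on an `inet_listener`); the parser only shows what those daemons see. The sample headers, the port table and the function names `parse_proxy_v1`, `classify` and `demo` are assumptions made for this example.

```python
"""Parse a PROXY protocol v1 header and decide, from the balancer's
front-end port it carries, whether TLS was already terminated upstream."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed for this example: which balancer front-end ports were set up
# as SSL listeners (TLS terminated on the balancer) versus plain TCP listeners.
# A TCP listener only forwards bytes, so any STARTTLS on 143/587/25 has to be
# negotiated with the mail server itself, which must then hold a certificate.
TLS_TERMINATED_FRONT_PORTS: Dict[int, str] = {993: "imaps", 465: "smtps"}
PLAINTEXT_FRONT_PORTS: Dict[int, str] = {143: "imap", 587: "submission", 25: "smtp"}

MAX_V1_HEADER = 107  # bytes including CRLF, the v1 maximum in the spec


@dataclass(frozen=True)
class ProxyInfo:
    proto: str       # "TCP4" or "TCP6"
    src_addr: str    # the real client address
    dst_addr: str    # the address the client connected to (the balancer)
    src_port: int
    dst_port: int    # the balancer's front-end listener port


def parse_proxy_v1(data: bytes) -> Tuple[Optional[ProxyInfo], bytes]:
    """Split `data` into (header info, remaining payload).

    Returns (None, payload) for "PROXY UNKNOWN" and raises ValueError on
    anything that is not a well-formed v1 header, so a backend that expects
    the header never silently treats an unproxied client as proxied."""
    end = data.find(b"\r\n", 0, MAX_V1_HEADER)
    if end == -1:
        raise ValueError("no CRLF within the first 107 bytes: not a v1 header")
    line, payload = data[:end], data[end + 2:]
    fields = line.decode("ascii").split(" ")  # UnicodeDecodeError is a ValueError
    if len(fields) < 2 or fields[0] != "PROXY":
        raise ValueError("missing PROXY signature")
    if fields[1] == "UNKNOWN":
        return None, payload
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError(f"unexpected v1 header: {line!r}")
    proto, src_addr, dst_addr, src_port, dst_port = fields[1:]
    family = ipaddress.IPv4Address if proto == "TCP4" else ipaddress.IPv6Address
    family(src_addr)  # both raise ValueError on a malformed address
    family(dst_addr)
    sport, dport = int(src_port), int(dst_port)  # int() raises ValueError on non-digits
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        raise ValueError("port out of range")
    return ProxyInfo(proto, src_addr, dst_addr, sport, dport), payload


def classify(info: Optional[ProxyInfo]) -> Dict[str, object]:
    """What the backend can conclude from the header alone: who the client
    really is, and whether the balancer already did the TLS for this port."""
    if info is None:
        return {"client": None, "service": "unknown", "tls_terminated": None}
    client = (info.src_addr, info.src_port)
    if info.dst_port in TLS_TERMINATED_FRONT_PORTS:
        return {"client": client, "service": TLS_TERMINATED_FRONT_PORTS[info.dst_port],
                "tls_terminated": True}
    if info.dst_port in PLAINTEXT_FRONT_PORTS:
        return {"client": client, "service": PLAINTEXT_FRONT_PORTS[info.dst_port],
                "tls_terminated": False}
    return {"client": client, "service": "unmapped", "tls_terminated": None}


# Constructed sample connections: the header as a balancer would prepend it,
# followed by the first bytes the client sent.
SAMPLE_IMAPS = b"PROXY TCP4 203.0.113.5 10.0.0.12 51234 993\r\na001 CAPABILITY\r\n"
SAMPLE_IMAP6 = b"PROXY TCP6 2001:db8::1 2001:db8::2 40000 143\r\na001 STARTTLS\r\n"
SAMPLE_UNKNOWN = b"PROXY UNKNOWN\r\n"


def demo() -> Dict[str, Dict[str, object]]:
    """Run the three constructed samples through parse + classify."""
    return {name: classify(parse_proxy_v1(raw)[0])
            for name, raw in (("imaps", SAMPLE_IMAPS),
                              ("imap6", SAMPLE_IMAP6),
                              ("unknown", SAMPLE_UNKNOWN))}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

The point of the strict parser is the one Michael makes: a listener that expects the header must be reachable only through the balancer, because a client that connects to it directly could send its own header and claim any source address and front-end port, TLS ones included. Keeping the backend port firewalled to the balancer's addresses is what makes the "tls_terminated" verdict trustworthy.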