https://bugs.exim.org/show_bug.cgi?id=2018
--- Comment #4 from Nenad Opsenica <nenad@???> ---
Just to describe my setup:
* haproxy to do "ssl passthrough" (i.e. running in TCP mode without SSL/TLS
offloading) from clients to imap and smtp/submission servers
* dovecot configuration that uses this kind of setup works perfectly with
both StartTLS IMAP (port 143) and IMAPS (port 993).
Relevant configuration parts for TLS-on-connect case (port 993/imaps)
HAproxy:
listen imap
bind :993
mode tcp
option tcplog
stick-table type ip size 200k expire 30m
stick on src
server mail2 mail2.local.net:10993 check-send-proxy send-proxy-v2
Dovecot:
inet_listener imaps_haproxy {
port = 10993
ssl = yes
haproxy = yes
}
Similar setup with HAproxy and Exim for TLS-on-connect case (port 465) does not
work:
HAproxy:
listen smtp
bind :465
mode tcp
option tcplog
stick-table type ip size 200k expire 30m
stick on src
server mail2 mail2.local.net:465 check-send-proxy send-proxy-v2
Exim configuration:
hosts_proxy = IP_address_of_HAproxy_server
Exim is patched with fix for proxy-v2 from
https://bugs.exim.org/show_bug.cgi?id=2003
When I changed function smtp_start_session() in smtp_in.c, to call
check_proxy_protocol_host() first, and then tls_server_start(), proxied session
was successfully detected (debug information showed IP address of end client),
but unfortunately the TLS session was not started; obviously this can't be fixed
in that 'easy' way.
But it shows that HAproxy, when used in "TLS/SSL passthrough" mode, prepends an
unencrypted proxy header.
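The ordering problem described in the comment, as an added Python example that is not part of the bug report and not Exim, HAProxy or Dovecot code: a minimal PROXY protocol v2 parser that consumes the cleartext header HAProxy's send-proxy-v2 puts in front of the TCP stream, and a connection handler that consumes it before handing the remaining bytes to TLS. Feeding the raw stream to a TLS stack fails because the first twelve bytes are the PROXY signature, not a TLS record. The header is only accepted from a listed proxy address (the same idea as Exim's hosts_proxy), since any other peer asserting a client address must be ignored. The proxy address 10.0.0.5, the client 203.0.113.7, the function names and the sample bytes are all constructed assumptions.

```python
"""PROXY protocol v2 in front of TLS-on-connect: parse the cleartext header
HAProxy (send-proxy-v2, TCP mode) prepends, then hand what is left to TLS.
Added example, not Exim's or HAProxy's code. All addresses are constructed."""
import ipaddress
import struct

# 12-byte signature that opens every PROXY protocol v2 header.
PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"
PP2_HEADER_LEN = 16  # signature + ver/cmd byte + fam/proto byte + 2-byte length


class ProxyHeaderError(ValueError):
    """Malformed or unsupported PROXY protocol header."""


def build_pp2_header(src, dst, src_port, dst_port):
    """Emit a v2 PROXY command header for a TCP connection, the shape HAProxy's
    send-proxy-v2 sends. IPv4 or IPv6; both endpoints must share a family."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src_ip.version != dst_ip.version:
        raise ValueError("mixed address families")
    family = 0x10 if src_ip.version == 4 else 0x20  # AF_INET / AF_INET6 nibble
    body = src_ip.packed + dst_ip.packed + struct.pack("!HH", src_port, dst_port)
    # 0x21 = version 2, command PROXY; low nibble 0x1 = STREAM (TCP)
    return PP2_SIGNATURE + bytes([0x21, family | 0x01]) + struct.pack("!H", len(body)) + body


def parse_pp2_header(data):
    """Split `data` into (connection info, bytes that follow the header).
    Raises ProxyHeaderError if the stream does not start with a valid v2 header."""
    if len(data) < PP2_HEADER_LEN:
        raise ProxyHeaderError("short read: need %d bytes for the fixed part" % PP2_HEADER_LEN)
    if data[:12] != PP2_SIGNATURE:
        raise ProxyHeaderError("no PROXY v2 signature (stream starts %r)" % data[:4])
    ver_cmd, fam_proto = data[12], data[13]
    if ver_cmd >> 4 != 2:
        raise ProxyHeaderError("unsupported version %d" % (ver_cmd >> 4))
    (length,) = struct.unpack("!H", data[14:16])
    end = PP2_HEADER_LEN + length
    if len(data) < end:
        raise ProxyHeaderError("truncated header: want %d bytes, have %d" % (end, len(data)))
    body, rest = data[PP2_HEADER_LEN:end], data[end:]
    command = ver_cmd & 0x0F
    if command == 0x0:  # LOCAL: the proxy's own health check, no client addresses
        return {"command": "LOCAL"}, rest
    if command != 0x1:
        raise ProxyHeaderError("unknown command %#x" % command)
    family, proto = fam_proto >> 4, fam_proto & 0x0F
    if proto != 0x1:
        raise ProxyHeaderError("only STREAM (TCP) transport handled, got %#x" % proto)
    if family == 0x1:
        if length < 12:
            raise ProxyHeaderError("IPv4 address block too short")
        s, d, sp, dp = struct.unpack("!4s4sHH", body[:12])
    elif family == 0x2:
        if length < 36:
            raise ProxyHeaderError("IPv6 address block too short")
        s, d, sp, dp = struct.unpack("!16s16sHH", body[:36])
    else:
        raise ProxyHeaderError("address family %#x not handled" % family)
    info = {"command": "PROXY", "src": str(ipaddress.ip_address(s)),
            "dst": str(ipaddress.ip_address(d)), "src_port": sp, "dst_port": dp}
    return info, rest


def looks_like_tls_record(data):
    """True if the bytes start a TLS handshake record (type 0x16, major version 3)."""
    return len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03


def accept_connection(peer_ip, data, trusted_proxies):
    """Order a TLS-on-connect listener behind HAProxy needs: if the peer is a
    listed proxy, consume the PROXY header first; only then start TLS on the rest.
    Returns (client address info or None, bytes to feed to the TLS stack)."""
    if ipaddress.ip_address(peer_ip) not in trusted_proxies:
        # An untrusted peer never gets to assert a client address.
        return None, data
    info, rest = parse_pp2_header(data)
    return info, rest


# Constructed sample: the header HAProxy would send for a client at
# 203.0.113.7:51234 reaching the port-465 listener, followed by the opening
# bytes of a TLS ClientHello record (type 0x16, version 3.1, handshake 0x01).
CLIENT_HELLO_START = b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"
SAMPLE_STREAM = build_pp2_header("203.0.113.7", "192.0.2.10", 51234, 465) + CLIENT_HELLO_START
HAPROXY_IP = "10.0.0.5"  # assumed address of the HAProxy host


def demo():
    """Wrong order: the raw stream is not a TLS record. Right order: after the
    PROXY header is consumed, the ClientHello record is at the front."""
    trusted = {ipaddress.ip_address(HAPROXY_IP)}
    assert not looks_like_tls_record(SAMPLE_STREAM)
    info, rest = accept_connection(HAPROXY_IP, SAMPLE_STREAM, trusted)
    assert looks_like_tls_record(rest)
    return info, rest


if __name__ == "__main__":
    client, tls_bytes = demo()
    print("client %s:%d -> TLS record follows: %s" % (client["src"], client["src_port"], tls_bytes[:3].hex()))
```

The parser stops at the address block and returns any trailing bytes of the header (v2 TLVs) consumed but not interpreted, which is enough to find where the TLS stream begins; a LOCAL command (HAProxy's own health check, as sent by check-send-proxy) yields no client address and should not be treated as a client session.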