Re: [exim] Proxy smtp connections to multiple Exim servers b…

Author: Sebastian Arcus
Date:  
To: Jeremy Harris, exim-users
Subject: Re: [exim] Proxy smtp connections to multiple Exim servers behind proxy

On 15/04/2023 21:38, Jeremy Harris via Exim-users wrote:
> On 15/04/2023 13:53, Jeremy Harris via Exim-users wrote:
>>
>> Exim does talk the inbound-proxy protocol that HAProxy apparently uses (or can use):
>>
>> https://exim.org/exim-html-current/doc/html/spec_html/ch-proxies.html#SECTproxyInbound
>>
>
> Thinking further, this (HAProxy with Proxy-protocol as a frontend for an MTA,
> with the HAProxy routing based on SNI) has additional complications. Because
> the ESMTP connection has to (for port 25) negotiate TLS using STARTTLS, you're
> asking that HAProxy run that part of the ESMTP protocol, so that it can see the
> SNI. It'd have to replay that ESMTP startup down the connection to the backend,
> as far as the TLS Client Hello - or be a full ESMTP endpoint. I don't know if
> it's that clever.


I think the question has evolved during this thread, and it's become
obvious that HAProxy is not the best way to go about it. I'm not even
sure why I was looking into the whole SNI stuff - as I'm only planning
to use this solution for SMTP (server to server) - not submission SMTP
(client to server). So all outside servers trying to deliver email would
only be connecting to one MX FQDN for multiple recipient domains - the
FQDN of the front-end machine. So in the end SNI shouldn't even come
into it. Sorry for all the confusion.