On 29/04/15 04:26, Baptiste wrote: > Hi, > You need to enable the check-ssl on the server line. > In your case haproxy sends a check in clear, while the server expects a > ciphered connexion.
That's correct, because I am trying to keep the health checks on the cleartext TCP/25 port. However, I did try your suggestion to kick it down to SSL. I changed the server lines to: ---CUT--->8---CUT--- server MTA1 xx.xx.xx.xx:465 check-send-proxy send-proxy check-ssl verify none server MTA2 xx.xx.xx.xx:465 check-send-proxy send-proxy check-ssl verify none ---CUT--->8---CUT--- ...but got the same results, connection fails to establish and as it terminates, the following appears in the logs: ---CUT--->8---CUT--- Apr 29 08:57:58 lb1 haproxy[21820]: 172.23.0.197:35845 [29/Apr/2015:08:57:38.331] MTASSL MTASSL/MTA1 1/-1/20005 0 sC 1/0/0/0/3 0/0 Apr 29 08:57:58 lb1 haproxy[21820]: 172.23.0.197:35845 [29/Apr/2015:08:57:38.331] MTASSL MTASSL/MTA1 1/-1/20005 0 sC 1/0/0/0/3 0/0 ---CUT--->8---CUT--- The MTA's logs contain only the follow repeating entries: ---CUT--->8---CUT--- 2015-04-29 09:11:15 SMTP connection from [xx.xx.xx.xx]:46670 I=[xx.xx.xx.xx]:25 (TCP/IP connection count = 1) 2015-04-29 09:11:15 SMTP connection from [xx.xx.xx.xx]:60941 I=[xx.xx.xx.xx]:25 (TCP/IP connection count = 2) 2015-04-29 09:11:15 SMTP connection from lb2.example.org [xx.xx.xx.xx]:46670 I=[xx.xx.xx.xx]:25 lost (error: Connection reset by peer) 2015-04-29 09:11:15 SMTP connection from lb1.example.org [xx.xx.xx.xx]:60941 I=[xx.xx.xx.xx]:25 lost (error: Connection reset by peer) ---CUT--->8---CUT--- I should perhaps have mentioned that I'm running this on Debian 7 with HAproxy version 1.5.8.