On Wed, Apr 29, 2015 at 9:18 AM, iain <expat.i...@gmail.com> wrote:
> On 29/04/15 04:26, Baptiste wrote:
>
>> Hi,
>> You need to enable the check-ssl on the server line.
>> In your case haproxy sends a check in clear, while the server expects a
>> ciphered connexion.
>
> That's correct, because I am trying to keep the health checks on the
> cleartext TCP/25 port.
>
> However, I did try your suggestion to kick it down to SSL. I changed the
> server lines to:
>
> ---CUT--->8---CUT---
> server MTA1 xx.xx.xx.xx:465 check-send-proxy send-proxy check-ssl verify none
> server MTA2 xx.xx.xx.xx:465 check-send-proxy send-proxy check-ssl verify none
> ---CUT--->8---CUT---
>
> ...but got the same results, connection fails to establish and as it
> terminates, the following appears in the logs:
>
> ---CUT--->8---CUT---
> Apr 29 08:57:58 lb1 haproxy[21820]: 172.23.0.197:35845 [29/Apr/2015:08:57:38.331] MTASSL MTASSL/MTA1 1/-1/20005 0 sC 1/0/0/0/3 0/0
> Apr 29 08:57:58 lb1 haproxy[21820]: 172.23.0.197:35845 [29/Apr/2015:08:57:38.331] MTASSL MTASSL/MTA1 1/-1/20005 0 sC 1/0/0/0/3 0/0
> ---CUT--->8---CUT---
>
> The MTA's logs contain only the following repeating entries:
>
> ---CUT--->8---CUT---
> 2015-04-29 09:11:15 SMTP connection from [xx.xx.xx.xx]:46670 I=[xx.xx.xx.xx]:25 (TCP/IP connection count = 1)
> 2015-04-29 09:11:15 SMTP connection from [xx.xx.xx.xx]:60941 I=[xx.xx.xx.xx]:25 (TCP/IP connection count = 2)
> 2015-04-29 09:11:15 SMTP connection from lb2.example.org [xx.xx.xx.xx]:46670 I=[xx.xx.xx.xx]:25 lost (error: Connection reset by peer)
> 2015-04-29 09:11:15 SMTP connection from lb1.example.org [xx.xx.xx.xx]:60941 I=[xx.xx.xx.xx]:25 lost (error: Connection reset by peer)
> ---CUT--->8---CUT---
>
> I should perhaps have mentioned that I'm running this on Debian 7 with
> HAproxy version 1.5.8.
>

Hi Iain,

You were right, sorry, my fault.
Could you try a tcpdump (capturing whole packets) when you do the health check on port 25?
What does HAProxy report in its logs?

Baptiste
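
For readers following the thread, the HAProxy log entry quoted above can be decoded field by field. This is an added example, not part of the original messages and not HAProxy project code; it assumes the entry follows HAProxy's documented `option tcplog` layout, the names `decode_tcplog`, `EVENT` and `PHASE` are hypothetical, and the flag tables are a subset of the documented termination codes.

```python
import re

# Constructed from the thread: the quoted HAProxy log entry with the mail line-wrap undone.
SAMPLE = ("Apr 29 08:57:58 lb1 haproxy[21820]: 172.23.0.197:35845 "
          "[29/Apr/2015:08:57:38.331] MTASSL MTASSL/MTA1 1/-1/20005 0 sC 1/0/0/0/3 0/0")

# Assumed layout: HAProxy "option tcplog" fields that follow the syslog prefix.
TCPLOG = re.compile(
    r"(?P<client>\S+) \[(?P<accept>[^\]]+)\] (?P<frontend>\S+) "
    r"(?P<backend>[^/\s]+)/(?P<server>\S+) "
    r"(?P<Tw>-?\d+)/(?P<Tc>-?\d+)/(?P<Tt>\+?\d+) (?P<bytes>\+?\d+) (?P<state>\S\S) "
    r"(?P<actconn>\d+)/(?P<feconn>\d+)/(?P<beconn>\d+)/(?P<srv_conn>\d+)/"
    r"(?P<retries>\+?\d+) (?P<srv_queue>\d+)/(?P<backend_queue>\d+)")

# First flag character: what ended the session (subset of the documented codes).
EVENT = {"C": "client aborted", "S": "server aborted or refused",
         "P": "proxy aborted the session", "R": "proxy resource exhausted",
         "I": "internal error", "c": "client-side timeout expired",
         "s": "server-side timeout expired", "-": "normal completion"}

# Second flag character: what the session was doing when it ended.
PHASE = {"R": "waiting for a request", "Q": "waiting in the queue",
         "C": "waiting for the connection to the server to establish",
         "H": "waiting for server headers", "D": "transferring data",
         "L": "sending last data to the client", "T": "tarpitted",
         "-": "normal completion"}

INT_FIELDS = ("Tw", "Tc", "Tt", "bytes", "actconn", "feconn", "beconn",
              "srv_conn", "retries", "srv_queue", "backend_queue")

def decode_tcplog(line):
    """Return the tcplog fields of one log line as a dict, with flags explained."""
    m = TCPLOG.search(line)
    if m is None:
        raise ValueError("line does not match the tcplog layout")
    rec = m.groupdict()
    for name in INT_FIELDS:
        rec[name] = int(rec[name])      # int() accepts the "+" of logasap values
    rec["event"] = EVENT.get(rec["state"][0], "unknown flag")
    rec["phase"] = PHASE.get(rec["state"][1], "unknown flag")
    # Tc is -1 when no connection to the server was ever established.
    rec["server_connected"] = rec["Tc"] >= 0
    return rec

if __name__ == "__main__":
    for key, value in decode_tcplog(SAMPLE).items():
        print(f"{key:16} {value}")
```
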