Good day Guys
I was hoping I can pick you brain and ask for your help.
If any can help and share pointers, it would gratefully be appreciated.
Where I work, we just inherited a series of third party out going spam
servers.
For various reason, we need to loadbalance but more importantly direct
traffic for when we need to perform maintenance on these servers.
What we decided so use and do is put haproxy in front.
The intended topology is:
[clients MTA servers] - 587 -> [haproxy] - 587 -> [outgoing spamservers]
On odd occasion we see the following error message(s) on the clients
MTAs. And the mail just sits in the queue. When we revert back, it all
flows.
---------------------------------------------
TLS error on connection (recv): The TLS connection was non-properly
terminated.
Remote host closed connection in response to end of data.
---------------------------------------------
We cant figure it out, and why.
What we think is happening is. There is a cert miss match. And as a
result Exim just refuses to send or accept the mail.
Here is a snippet of when I run exim4 -d -M ID of a mail in the queue on
the client MTA.
gnutls_handshake was successful
TLS certificate verification failed (certificate invalid):
peerdn="CN=antispam6-REMOVED"
TLS verify failure overridden (host in tls_try_verify_hosts)
5:02
Calling gnutls_record_recv(0x5634066e64a0, 0x7fffc4a62180, 4096)
LOG: MAIN
H=se-balancer.REMOVED [REMOVEDIP] TLS error on connection (recv): The
TLS connection was non-properly terminated.
SMTP(closed)<<
ok=0 send_quit=0 send_rset=1 continue_more=0 yield=1 first_address is
not NULL
tls_close(): shutting down TLS
SMTP(close)>>
LOG: MAIN
One of the things we were thinking is, is that name of the LB is not in
the SAN cert of the out going spam server.
The other thing we realized is, we do not do / use SSL termination on
the haproxy. Do we need to do that?
We are not an experts on TLS and crypto protocols.
If anyone can help. It would be great.
Kindest regards and many thanks.
Brent Clark
