Re: SMTPS and L7 health-checks
On 29/04/15 04:26, Baptiste wrote:
> Hi,
>
> You need to enable the check-ssl on the server line.
> In your case haproxy sends a check in clear, while the server expects a
> ciphered connexion.

That's correct, because I am trying to keep the health checks on the cleartext TCP/25 port.

However, I did try your suggestion to kick it down to SSL. I changed the server lines to:

---CUT---8---CUT---
server MTA1 xx.xx.xx.xx:465 check-send-proxy send-proxy check-ssl verify none
server MTA2 xx.xx.xx.xx:465 check-send-proxy send-proxy check-ssl verify none
---CUT---8---CUT---

...but got the same results, connection fails to establish and as it terminates, the following appears in the logs:

---CUT---8---CUT---
Apr 29 08:57:58 lb1 haproxy[21820]: 172.23.0.197:35845 [29/Apr/2015:08:57:38.331] MTASSL MTASSL/MTA1 1/-1/20005 0 sC 1/0/0/0/3 0/0
Apr 29 08:57:58 lb1 haproxy[21820]: 172.23.0.197:35845 [29/Apr/2015:08:57:38.331] MTASSL MTASSL/MTA1 1/-1/20005 0 sC 1/0/0/0/3 0/0
---CUT---8---CUT---

The MTA's logs contain only the following repeating entries:

---CUT---8---CUT---
2015-04-29 09:11:15 SMTP connection from [xx.xx.xx.xx]:46670 I=[xx.xx.xx.xx]:25 (TCP/IP connection count = 1)
2015-04-29 09:11:15 SMTP connection from [xx.xx.xx.xx]:60941 I=[xx.xx.xx.xx]:25 (TCP/IP connection count = 2)
2015-04-29 09:11:15 SMTP connection from lb2.example.org [xx.xx.xx.xx]:46670 I=[xx.xx.xx.xx]:25 lost (error: Connection reset by peer)
2015-04-29 09:11:15 SMTP connection from lb1.example.org [xx.xx.xx.xx]:60941 I=[xx.xx.xx.xx]:25 lost (error: Connection reset by peer)
---CUT---8---CUT---

I should perhaps have mentioned that I'm running this on Debian 7 with HAproxy version 1.5.8.
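Added example, not part of the thread: a decoder for the HAProxy "option tcplog" line quoted in the message above, using the field layout from HAProxy's logging documentation. The names `decode`, `TCPLOG`, `CAUSE` and `PHASE` are this example's own, and the flag tables list only the common values.

```python
import re

# Constructed sample: the HAProxy log line quoted in the message above.
SAMPLE = ("Apr 29 08:57:58 lb1 haproxy[21820]: 172.23.0.197:35845 "
          "[29/Apr/2015:08:57:38.331] MTASSL MTASSL/MTA1 1/-1/20005 0 sC "
          "1/0/0/0/3 0/0")

# "option tcplog" layout: client [accept_date] frontend backend/server
# Tw/Tc/Tt bytes_read termination_state actconn/feconn/beconn/srv_conn/retries
# srv_queue/backend_queue. A leading "+" can appear on Tt, bytes and retries.
TCPLOG = re.compile(
    r"haproxy\[\d+\]: (?P<client>\S+) \[(?P<accept>[^\]]+)\] "
    r"(?P<frontend>\S+) (?P<backend>[^/\s]+)/(?P<server>\S+) "
    r"(?P<Tw>-?\d+)/(?P<Tc>-?\d+)/(?P<Tt>\+?\d+) (?P<bytes>\+?\d+) "
    r"(?P<state>\S\S) \d+/\d+/\d+/\d+/(?P<retries>\+?\d+) \d+/\d+")

# First flag: what ended the session. Second flag: what it was doing then.
CAUSE = {"C": "client abort", "S": "server abort or refusal",
         "P": "proxy abort", "c": "client-side timeout",
         "s": "server-side timeout", "-": "normal"}
PHASE = {"R": "waiting for request", "Q": "waiting in queue",
         "C": "waiting for connection to server", "D": "data transfer",
         "L": "sending last data", "-": "normal"}


def decode(line):
    """Decode one tcplog line into the fields that explain a failure."""
    m = TCPLOG.search(line)
    if m is None:
        raise ValueError("not an HAProxy tcplog line")
    f = m.groupdict()
    cause, phase = f["state"]
    tc = int(f["Tc"])  # -1 means the server connection was never established
    return {
        "server": f["backend"] + "/" + f["server"],
        "connect_ms": tc,
        "total_ms": int(f["Tt"]),
        "bytes_read": int(f["bytes"]),
        "retries": int(f["retries"]),
        "cause": CAUSE.get(cause, "other: " + cause),
        "phase": PHASE.get(phase, "other: " + phase),
        "server_reached": tc >= 0,
    }


if __name__ == "__main__":
    for key, value in decode(SAMPLE).items():
        print(f"{key:15} {value}")
```

For the quoted line this reports a server-side timeout while waiting for the connection to MTASSL/MTA1, with Tc of -1, 3 retries and 0 bytes read: the proxied session on port 465 never got a server connection.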
Re: SMTPS and L7 health-checks
On Wed, Apr 29, 2015 at 9:18 AM, iain expat.i...@gmail.com wrote:
> On 29/04/15 04:26, Baptiste wrote:
>> Hi,
>>
>> You need to enable the check-ssl on the server line.
>> In your case haproxy sends a check in clear, while the server expects a
>> ciphered connexion.
>
> That's correct, because I am trying to keep the health checks on the
> cleartext TCP/25 port.
>
> However, I did try your suggestion to kick it down to SSL. I changed the
> server lines to:
>
> ---CUT---8---CUT---
> server MTA1 xx.xx.xx.xx:465 check-send-proxy send-proxy check-ssl verify none
> server MTA2 xx.xx.xx.xx:465 check-send-proxy send-proxy check-ssl verify none
> ---CUT---8---CUT---
>
> ...but got the same results, connection fails to establish and as it
> terminates, the following appears in the logs:
>
> ---CUT---8---CUT---
> Apr 29 08:57:58 lb1 haproxy[21820]: 172.23.0.197:35845 [29/Apr/2015:08:57:38.331] MTASSL MTASSL/MTA1 1/-1/20005 0 sC 1/0/0/0/3 0/0
> Apr 29 08:57:58 lb1 haproxy[21820]: 172.23.0.197:35845 [29/Apr/2015:08:57:38.331] MTASSL MTASSL/MTA1 1/-1/20005 0 sC 1/0/0/0/3 0/0
> ---CUT---8---CUT---
>
> The MTA's logs contain only the following repeating entries:
>
> ---CUT---8---CUT---
> 2015-04-29 09:11:15 SMTP connection from [xx.xx.xx.xx]:46670 I=[xx.xx.xx.xx]:25 (TCP/IP connection count = 1)
> 2015-04-29 09:11:15 SMTP connection from [xx.xx.xx.xx]:60941 I=[xx.xx.xx.xx]:25 (TCP/IP connection count = 2)
> 2015-04-29 09:11:15 SMTP connection from lb2.example.org [xx.xx.xx.xx]:46670 I=[xx.xx.xx.xx]:25 lost (error: Connection reset by peer)
> 2015-04-29 09:11:15 SMTP connection from lb1.example.org [xx.xx.xx.xx]:60941 I=[xx.xx.xx.xx]:25 lost (error: Connection reset by peer)
> ---CUT---8---CUT---
>
> I should perhaps have mentioned that I'm running this on Debian 7 with
> HAproxy version 1.5.8.

Hi Iain,

You were right, sorry, my fault.

Could you try a tcpdump when (capturing whole packets) you do the health check on the port 25?
What does HAProxy report in its logs?

Baptiste
SMTPS and L7 health-checks
I have a working configuration for a couple of MTAs listening on TCP/25. The layer 7 health checks work just fine with:

---CUT---8---CUT---
listen MTA
    bind xx.xx.xx.xx:25
    bind XX:XX:XX:XX:::25
    mode tcp
    option tcpka
    option tcplog
    option smtpchk HELO lb1.example.org
    no option http-server-close
    log global
    balance leastconn
    server MTA1 xx.xx.xx.xx:25 check-send-proxy send-proxy check
    server MTA2 xx.xx.xx.xx:25 check-send-proxy send-proxy check
---CUT---8---CUT---

In addition to this, I also have the same servers listening on TCP/465 for SSL authenticated connections, with layer 7 health checks being performed on the TCP/25 port:

---CUT---8---CUT---
listen MTASSL
    bind xx.xx.xx.xx:465
    bind XX:XX:XX:XX::XX:465
    mode tcp
    option tcpka
    option tcplog
    option smtpchk HELO lb1.net.tain.com
    no option http-server-close
    log global
    balance leastconn
    server MTA1 xx.xx.xx.xx:465 port 25 check-send-proxy send-proxy check
    server MTA2 xx.xx.xx.xx:465 port 25 check-send-proxy send-proxy check
---CUT---8---CUT---

The problem I am finding is that connections on the SSL side do not cleanly complete.

Can someone show me exactly where I am making an error in here?
Re: SMTPS and L7 health-checks
On 28 Apr 2015 06:25, iain expat.i...@gmail.com wrote:
> I have a working configuration for a couple of MTAs listening on TCP/25.
> The layer 7 health checks work just fine with:
>
> ---CUT---8---CUT---
> listen MTA
>     bind xx.xx.xx.xx:25
>     bind XX:XX:XX:XX:::25
>     mode tcp
>     option tcpka
>     option tcplog
>     option smtpchk HELO lb1.example.org
>     no option http-server-close
>     log global
>     balance leastconn
>     server MTA1 xx.xx.xx.xx:25 check-send-proxy send-proxy check
>     server MTA2 xx.xx.xx.xx:25 check-send-proxy send-proxy check
> ---CUT---8---CUT---
>
> In addition to this, I also have the same servers listening on TCP/465 for
> SSL authenticated connections, with layer 7 health checks being performed
> on the TCP/25 port:
>
> ---CUT---8---CUT---
> listen MTASSL
>     bind xx.xx.xx.xx:465
>     bind XX:XX:XX:XX::XX:465
>     mode tcp
>     option tcpka
>     option tcplog
>     option smtpchk HELO lb1.net.tain.com
>     no option http-server-close
>     log global
>     balance leastconn
>     server MTA1 xx.xx.xx.xx:465 port 25 check-send-proxy send-proxy check
>     server MTA2 xx.xx.xx.xx:465 port 25 check-send-proxy send-proxy check
> ---CUT---8---CUT---
>
> The problem I am finding is that connections on the SSL side do not
> cleanly complete.
>
> Can someone show me exactly where I am making an error in here?

Hi,

You need to enable the check-ssl on the server line.
In your case haproxy sends a check in clear, while the server expects a ciphered connexion.

Baptiste