SMTP error : TLS error on connection (recv): The TLS connection was non-properly terminated. due to haproxy in the middle
Good day Guys

I was hoping I could pick your brains and ask for your help. If anyone can help and share pointers, it would be gratefully appreciated.

Where I work, we just inherited a series of third-party outgoing spam servers. For various reasons, we need to load balance but, more importantly, direct traffic for when we need to perform maintenance on these servers. What we decided to use and do is put haproxy in front.

The intended topology is:

[clients MTA servers] - 587 -> [haproxy] - 587 -> [outgoing spamservers]

On odd occasions we see the following error message(s) on the clients' MTAs, and the mail just sits in the queue. When we revert back, it all flows.

- TLS error on connection (recv): The TLS connection was non-properly terminated.
- Remote host closed connection in response to end of data.

We can't figure it out, or why. What we think is happening is: there is a cert mismatch, and as a result Exim just refuses to send or accept the mail.

Here is a snippet from when I run exim4 -d -M ID of a mail in the queue on the client MTA:

gnutls_handshake was successful
TLS certificate verification failed (certificate invalid): peerdn="CN=antispam6-REMOVED"
TLS verify failure overridden (host in tls_try_verify_hosts)
5:02 Calling gnutls_record_recv(0x5634066e64a0, 0x7fffc4a62180, 4096)
LOG: MAIN
  H=se-balancer.REMOVED [REMOVEDIP] TLS error on connection (recv): The TLS connection was non-properly terminated.
  SMTP(closed)<<
ok=0 send_quit=0 send_rset=1 continue_more=0 yield=1 first_address is not NULL
tls_close(): shutting down TLS
  SMTP(close)>>
LOG: MAIN

One of the things we were thinking is that the name of the LB is not in the SAN of the outgoing spam server's cert. The other thing we realized is that we do not do / use SSL termination on the haproxy. Do we need to do that? We are not experts on TLS and crypto protocols.

If anyone can help, it would be great.

Kindest regards and many thanks
Brent Clark
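An added example, not code from the thread or from Exim, HAProxy or GnuTLS, illustrating the SAN question raised above. Because haproxy in this topology forwards port 587 at the TCP layer without terminating TLS, the client MTA connects to the balancer's name but receives the backend's certificate, and the name check passes only if that name is covered by one of the certificate's subjectAltName entries. The hostnames and SAN lists below are constructed; `exim_outcome` models only the host-name part of the decision (not chain or CA validation) and mirrors the line in the debug output where a failure is overridden for a host listed in tls_try_verify_hosts.

```python
"""Does the name the client connected to match the certificate it received?

Added example; not code from the thread, Exim, HAProxy or GnuTLS.  The
hostnames and SAN lists are constructed to mirror the post: the client
dials the balancer's name but is handed the backend's certificate.
"""
from typing import Iterable


def _labels(name: str) -> list[str]:
    """Lower-case DNS labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")


def hostname_matches_san(hostname: str, san_dns_names: Iterable[str]) -> bool:
    """RFC 6125-style dNSName matching.

    A SAN entry matches on exact (case-insensitive) equality, or when its
    left-most label is a bare '*' that stands for exactly one label of the
    hostname.  A wildcard must be followed by at least two labels so it can
    never cover a whole TLD such as '*.net'.
    """
    host = _labels(hostname)
    for entry in san_dns_names:
        pattern = _labels(entry)
        if pattern == host:
            return True
        if (
            pattern[0] == "*"
            and len(pattern) >= 3
            and len(pattern) == len(host)
            and pattern[1:] == host[1:]
        ):
            return True
    return False


def exim_outcome(hostname: str, san_dns_names: Iterable[str],
                 in_verify_hosts: bool, in_try_verify_hosts: bool) -> str:
    """Model the host-name part of Exim's outbound TLS verification.

    Only the name check is modelled here, not chain or CA validation.
    For a peer in tls_verify_hosts a failed check refuses the session;
    for one in tls_try_verify_hosts the failure is logged and overridden,
    which is the line the debug output in the post shows; for a peer in
    neither list no verification is attempted.
    """
    if not (in_verify_hosts or in_try_verify_hosts):
        return "not verified"
    if hostname_matches_san(hostname, san_dns_names):
        return "verified"
    return "refused" if in_verify_hosts else "overridden"


# Constructed: the backend's certificate names only itself.
BACKEND_CERT_SAN = ["antispam6.example.net"]

if __name__ == "__main__":
    for name in ("antispam6.example.net", "se-balancer.example.net"):
        print(name, "->", exim_outcome(name, BACKEND_CERT_SAN, False, True))
```

The decisive input is the name the client uses to connect. Listing that name (or, with a wildcard, its parent domain) in every backend's certificate, or pointing clients at a name each backend certificate already covers, removes the mismatch without terminating TLS on the balancer.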
Re: Haproxy load balancing outgoing mail to Antispam servers
Hi Guys

Just to add: I'm using the Debian package version, i.e. HA-Proxy version 1.7.5-2.

Regards
Brent

On 2020/01/22 17:18, Brent Clark wrote:
> Good day Guys
>
> We have a project where we are trying to load balance to our outbound Spamexperts Antispam relays / servers. We hit a snag where our clients' servers are getting 'Too many concurrent SMTP connections from this IP address'. As a result the mail queue is building up on the servers. After reverting our change, the problem went away.
>
> Our setup is:
>
> (CLIENT SERVERS INDC) ---> 587 (HAPROXY) ---> (ANTISPAM) ---> (INTERNET)
>
> While I am performance tuning and re-poking under the hood etc., could I ask if someone could please peer review my config / setup?
>
> https://pastebin.com/raw/3D8frtzw
>
> If someone from the community can help, it would be appreciated.
>
> Many thanks
> Regards
> Brent Clark
Haproxy load balancing outgoing mail to Antispam servers
Good day Guys

We have a project where we are trying to load balance to our outbound Spamexperts Antispam relays / servers. We hit a snag where our clients' servers are getting 'Too many concurrent SMTP connections from this IP address'. As a result the mail queue is building up on the servers. After reverting our change, the problem went away.

Our setup is:

(CLIENT SERVERS INDC) ---> 587 (HAPROXY) ---> (ANTISPAM) ---> (INTERNET)

While I am performance tuning and re-poking under the hood etc., could I ask if someone could please peer review my config / setup?

https://pastebin.com/raw/3D8frtzw

If someone from the community can help, it would be appreciated.

Many thanks
Regards
Brent Clark
Redirect / reroute SMTP and IMAP
Good day Guys

We have an interesting problem to solve. We make use of an auto mail configuration for our clients ... mail client, and we use Haproxy to load balance and HA our cluster of IMAP and SMTP servers.

We are intending to build another solution, but in another geographic location / datacentre. I would like to ask: can haproxy do a TCP (IMAP and SMTP) redirection based on a lookup table, so we can migrate certain customers to the new location?

I was looking at https://www.haproxy.com/documentation/aloha/9-5/traffic-management/lb-layer4/layer4-source-nat/ but I can't find any example out there in the wild.

Many thanks
Regards
Brent Clark
Haproxy in front of exim cluster - SMTP protocol synchronization error
Good day Guys

I am busy building a mail gateway for the corp I work for, but with haproxy in front of the MTAs (TLS).

The problem we are experiencing is, we are getting the following error message:

2019-05-22 12:23:15 SMTP protocol synchronization error (input sent without waiting for greeting): rejected connection from H=smtpgatewayserver [IP_OF_LB_SERVER] input="PROXY TCP4 $MY_IP $IP_OF_LB_SERVER 39156 587\r\n"

We use Exim and I set:

hostlist haproxy_hosts = IP.OF.LB

My haproxy config: https://pastebin.com/raw/JYAXkAq4

If I run

openssl s_client -host smtpgatewayserver -port 587 -starttls smtp -crlf

openssl says connected, but SSL-Session is empty.

I would like to say, if I change 'send-proxy' to 'check', then everything works, BUT the IP logged by Exim is that of the LB, and not the client.

If anyone could please review the haproxy config / my setup, it would be appreciated.

Many thanks
Brent Clark
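An added example, not code from the thread or from HAProxy or Exim, showing what the `send-proxy` option puts on the wire and why an MTA that has not enabled PROXY protocol support reports it as input sent before the greeting. The sample bytes are constructed (documentation addresses stand in for $MY_IP and $IP_OF_LB_SERVER); `parse_proxy_v1` implements the v1 header grammar from the PROXY protocol specification, and `server_sees` returns the client address the server would log and the first line it would read as an SMTP command, with and without PROXY support.

```python
"""PROXY protocol v1 as seen by an SMTP server behind HAProxy `send-proxy`.

Added example; not code from the thread, HAProxy or Exim.  The sample
header below is constructed (documentation addresses stand in for the
$MY_IP and $IP_OF_LB_SERVER placeholders in the post).
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# v1 line grammar: "PROXY TCP4|TCP6 <src> <dst> <sport> <dport>\r\n" or
# "PROXY UNKNOWN<anything>\r\n"; a valid line is at most 107 bytes long.
_V1_RE = re.compile(
    rb"^PROXY (?:(TCP4|TCP6) (\S+) (\S+) (\d{1,5}) (\d{1,5})|(UNKNOWN)[^\r\n]*)\r\n"
)
_V1_MAX_LEN = 107

# Constructed sample: what the LB sends first, followed by the client's EHLO.
SAMPLE = b"PROXY TCP4 192.0.2.10 198.51.100.5 39156 587\r\nEHLO client.example\r\n"


@dataclass
class ProxyHeader:
    family: str                 # "TCP4", "TCP6" or "UNKNOWN"
    src_addr: Optional[str]     # original client address (None for UNKNOWN)
    dst_addr: Optional[str]     # address the client connected to (the LB)
    src_port: Optional[int]
    dst_port: Optional[int]


def parse_proxy_v1(data: bytes) -> tuple[Optional[ProxyHeader], bytes]:
    """Split a v1 header off the front of `data`.

    Returns (header, remaining_bytes).  If the buffer does not begin with a
    well-formed header, returns (None, data) so the caller can treat the
    whole buffer as ordinary application input.
    """
    m = _V1_RE.match(data[:_V1_MAX_LEN])
    if m is None:
        return None, data
    rest = data[m.end():]
    if m.group(6):  # PROXY UNKNOWN: header present, no usable addresses
        return ProxyHeader("UNKNOWN", None, None, None, None), rest
    family = m.group(1).decode("ascii")
    addr_cls = ipaddress.IPv4Address if family == "TCP4" else ipaddress.IPv6Address
    try:
        src = str(addr_cls(m.group(2).decode("ascii")))
        dst = str(addr_cls(m.group(3).decode("ascii")))
    except ValueError:  # address text does not fit the declared family
        return None, data
    sport, dport = int(m.group(4)), int(m.group(5))
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        return None, data
    return ProxyHeader(family, src, dst, sport, dport), rest


def server_sees(data: bytes, expects_proxy: bool, socket_peer: str) -> tuple[str, bytes]:
    """What an SMTP server records as the client address and reads as the
    first command line, given the bytes that arrived on the connection.

    `socket_peer` is the TCP peer address, i.e. the load balancer when
    HAProxy is in the path.
    """
    if expects_proxy:
        header, rest = parse_proxy_v1(data)
        if header is not None and header.src_addr is not None:
            return header.src_addr, rest.split(b"\r\n", 1)[0]
    # No PROXY support (or no usable header): the header line, if any, is
    # read as the client's first SMTP command, before any greeting was sent.
    return socket_peer, data.split(b"\r\n", 1)[0]


if __name__ == "__main__":
    for expects in (False, True):
        ip, line = server_sees(SAMPLE, expects, "198.51.100.5")
        print(f"PROXY support {'on ' if expects else 'off'}: client={ip} first_line={line!r}")
```

With `expects_proxy` False the first line is the PROXY header itself, which is the `input=` value in the rejection above; with it True the header is consumed and the real client address is available for logging. On the Exim side the header is only consumed when the sending proxy matches the `hosts_proxy` main option (in builds with SUPPORT_PROXY); a `hostlist` definition by itself does not enable that.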
Re: srv_is_up : unable to find server.
Thanks for replying.

I'm trying to get haproxy to monitor redis-sentinel / redis and see which redis instance is the master, so that traffic is sent there. As originally per this example: https://www.haproxy.com/blog/haproxy-advanced-redis-health-check/ (see the comment January 7, 2018 at 6:52).

Regards
Brent

On 05/06/2018 13:43, Lukas Tribus wrote:
> On 5 June 2018 at 13:18, Brent Clark wrote:
>> Good day Guys
>>
>> I am at a total loss, and I'm hoping someone on this list would be so kind as to review my setup.
>>
>> I am trying to get haproxy to monitor redis / sentinel. But I keep getting:
>>
>> [WARNING] 155/110602 (309) : config : log format ignored for frontend 'ft_redis' since it has no log address.
>> [ALERT] 155/110602 (309) : parsing [/usr/local/etc/haproxy/haproxy.cfg:29] : unable to find server '10.42.131.120' in proxy 'bk_redis', referenced in arg 1 of ACL keyword 'srv_is_up' in proxy 'bk_redis'.
>> [ALERT] 155/110602 (309) : parsing [/usr/local/etc/haproxy/haproxy.cfg:30] : unable to find server '10.42.40.236' in proxy 'bk_redis', referenced in arg 1 of ACL keyword 'srv_is_up' in proxy 'bk_redis'.
>> [ALERT] 155/110602 (309) : parsing [/usr/local/etc/haproxy/haproxy.cfg:31] : unable to find server '10.42.224.133' in proxy 'bk_redis', referenced in arg 1 of ACL keyword 'srv_is_up' in proxy 'bk_redis'.
>> [ALERT] 155/110602 (309) : Fatal errors found in configuration.
>>
>> What I can't understand is, I changed to IPs as opposed to hostnames. But haproxy still can't see the peer.
>>
>> Here is my configuration file.
>> https://pastebin.com/raw/DGTsNRDs
>>
>> If someone can assist it would be appreciated.
>
> I don't understand what it is you are trying to achieve; none of what you configured makes sense to me.
>
> Can you elaborate what you expect haproxy to do and why you need all those backends and use-server directives?
>
> Regards,
> Lukas
Re: srv_is_up : unable to find server.
Thanks Jerome

I just see this setup goes in line with what you are saying:
https://yemaosheng.com/2016/04/haproxy-cfg-for-redis-sentinel/

Thanks so much for replying.

Regards
Brent

On 05/06/2018 13:49, Jerome Magnin wrote:
> Hi Brent,
>
> On Tue, Jun 05, 2018 at 01:18:36PM +0200, Brent Clark wrote:
>> Good day Guys
>>
>> I am at a total loss, and I'm hoping someone on this list would be so kind as to review my setup.
>>
>> I am trying to get haproxy to monitor redis / sentinel. But I keep getting:
>>
>> [WARNING] 155/110602 (309) : config : log format ignored for frontend 'ft_redis' since it has no log address.
>> [ALERT] 155/110602 (309) : parsing [/usr/local/etc/haproxy/haproxy.cfg:29] : unable to find server '10.42.131.120' in proxy 'bk_redis', referenced in arg 1 of ACL keyword 'srv_is_up' in proxy 'bk_redis'.
>> [ALERT] 155/110602 (309) : parsing [/usr/local/etc/haproxy/haproxy.cfg:30] : unable to find server '10.42.40.236' in proxy 'bk_redis', referenced in arg 1 of ACL keyword 'srv_is_up' in proxy 'bk_redis'.
>> [ALERT] 155/110602 (309) : parsing [/usr/local/etc/haproxy/haproxy.cfg:31] : unable to find server '10.42.224.133' in proxy 'bk_redis', referenced in arg 1 of ACL keyword 'srv_is_up' in proxy 'bk_redis'.
>> [ALERT] 155/110602 (309) : Fatal errors found in configuration.
>>
>> What I can't understand is, I changed to IPs as opposed to hostnames. But haproxy still can't see the peer.
>>
>> Here is my configuration file.
>> https://pastebin.com/raw/DGTsNRDs
>>
>> If someone can assist it would be appreciated.
>
> srv_is_up takes an optional backend name and a mandatory server name as argument. The server name is the second argument on a server line; it does not have to be a (resolvable) FQDN.
>
> Example:
>
> use-server redis-server-0 if { srv_is_up(10.42.131.120/sentinel0) }
> ...
>
> I'm not sure I understand what you want to do, though.
srv_is_up : unable to find server.
Good day Guys

I am at a total loss, and I'm hoping someone on this list would be so kind as to review my setup.

I am trying to get haproxy to monitor redis / sentinel. But I keep getting:

[WARNING] 155/110602 (309) : config : log format ignored for frontend 'ft_redis' since it has no log address.
[ALERT] 155/110602 (309) : parsing [/usr/local/etc/haproxy/haproxy.cfg:29] : unable to find server '10.42.131.120' in proxy 'bk_redis', referenced in arg 1 of ACL keyword 'srv_is_up' in proxy 'bk_redis'.
[ALERT] 155/110602 (309) : parsing [/usr/local/etc/haproxy/haproxy.cfg:30] : unable to find server '10.42.40.236' in proxy 'bk_redis', referenced in arg 1 of ACL keyword 'srv_is_up' in proxy 'bk_redis'.
[ALERT] 155/110602 (309) : parsing [/usr/local/etc/haproxy/haproxy.cfg:31] : unable to find server '10.42.224.133' in proxy 'bk_redis', referenced in arg 1 of ACL keyword 'srv_is_up' in proxy 'bk_redis'.
[ALERT] 155/110602 (309) : Fatal errors found in configuration.

What I can't understand is, I changed to IPs as opposed to hostnames. But haproxy still can't see the peer.

Here is my configuration file.
https://pastebin.com/raw/DGTsNRDs

If someone can assist it would be appreciated.

Kind Regards
Brent Clark
haproxy SSL support?
Hiya

Out of interest: are there any plans to include SSL support directly in haproxy (out of the box, i.e. not having to patch stunnel and direct traffic to haproxy)?

Kind Regards
Brent Clark