HAProxy SMTP SSL Offloading

Has anyone used pfSense with HAProxy to do SSL offloading?
I am setting up an SMTP relay server and want to use HAProxy to do the SSL offloading.
I can get HAProxy to say the back end is good, but can’t get anything to actually go through, and nothing is showing up in the HAProxy logs in pfSense.
A packet capture didn’t show anything that stood out.
Testing using a direct connection to the server works but gives a certificate error.
Testing using Outlook, but it will eventually be used for printers and other network notifications, including pfSense.

Also tested HAProxy with a web interface on the back end and saw a few timeouts.

Hi @Jarrod

I am not sure if this is a good idea. As far as I know, HAProxy is not really suitable for proxying protocols like SMTP. I would install the certificates directly on the mail server and forward the appropriate ports. Postfix and other MTAs are products made to be directly exposed to the internet. IMHO there is no need to overcomplicate things and put them behind a proxy.

See also this thread in the Netgate forum on the subject:

I am already using ACME to generate a wildcard cert on pfSense, the system I’m using for SMTP relay doesn’t support DNS authentication for Let’s Encrypt, and I don’t want to open unencrypted ports.

Any alternatives?

I could look into a new SMTP relay server but this was easy and I haven’t dug into options on that too much.