Subject
I would like some feedback concerning a use case
I have questions about TLS/SSL/STARTTLS/OpenSSL
Other
Description
I've deployed Docker Mailserver on Kubernetes by following the recommendations in the docs. This Mailserver is behind an Nginx ingress controller by using the proxy protocol.
This all works well, until trying to send mail from within the cluster's network, which doesn't go through the ingress controller.
When I try to send mail from another pod/container on the network (through an ExternalName) it will fail for any protocol used (smtp:25, smtps:465/587) by logging the following to the Mailserver logs:
smtp:25
postfix/postscreen[142071]: warning: haproxy read: time limit exceeded
-- OR --
smtp:465
postfix/smtps/smtpd[147024]: warning: haproxy read: timeout error
postfix/smtps/smtpd[147024]: connect from 10-1-39-118.some-svc.some-svc.svc.cluster.local[10.1.39.118]
postfix/smtps/smtpd[147024]: disconnect from 10-1-39-118.some-svc.some-svc.svc.cluster.local[10.1.39.118] commands=0/0
Question
The question here is: How would one configure the mailserver to accept mail from the cluster's network without (I suppose) trying to terminate the proxy protocol?
Configuration
apiVersion: v1
kind: ConfigMap
metadata:
  name: config
  namespace: mailserver
data:
  postfix-master.cf: |
    submission/inet/smtpd_upstream_proxy_protocol = haproxy
    smtps/inet/smtpd_upstream_proxy_protocol = haproxy
  postfix-main.cf: |
    mydestination = localhost.$mydomain, localhost
    postscreen_upstream_proxy_protocol = haproxy
  dovecot.cf: |
    # The following line should include the internal pod's network CIDR and localhost address
    haproxy_trusted_networks = 10.1.0.0/16, 127.0.0.0/8
    service imap-login {
      inet_listener imaps {
        haproxy = yes
      }
    }
  TrustedHosts: |
    127.0.0.1
    localhost
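A small probe, added here as an example and not part of the original issue or of docker-mailserver, that shows what the logged "haproxy read" timeouts mean: a Postfix listener with smtpd_upstream_proxy_protocol = haproxy (or postscreen_upstream_proxy_protocol) waits for a PROXY protocol v1 line before it sends the SMTP banner, so a direct in-cluster connection that never sends one hangs until the timeout. The host and port arguments are assumed; Postfix applies whatever PROXY line arrives on such a port, so those ports should stay reachable only from the ingress and internal senders need a listener without the option rather than a hand-built header.

```python
"""Probe whether a Postfix listener expects a PROXY protocol v1 header before SMTP."""
import socket
import sys


def proxy_v1_header(src_ip: str, dst_ip: str, src_port: int, dst_port: int) -> bytes:
    """PROXY protocol v1 line that a haproxy-mode Postfix listener reads first."""
    return f"PROXY TCP4 {src_ip} {dst_ip} {src_port} {dst_port}\r\n".encode("ascii")


def classify(banner_plain, banner_with_proxy) -> str:
    """Map the two probe results to the listener's apparent mode."""
    if banner_plain and banner_plain.startswith("220"):
        return "plain-smtp"             # no proxy protocol on this port
    if banner_with_proxy and banner_with_proxy.startswith("220"):
        return "expects-proxy-header"   # matches the 'haproxy read' timeouts in the logs
    return "no-banner"


def read_banner(host: str, port: int, send_proxy: bool, timeout: float = 5.0):
    """Connect, optionally send a PROXY line, return the banner or None on timeout."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        if send_proxy:
            local_ip, local_port = s.getsockname()[:2]
            peer_ip = s.getpeername()[0]
            s.sendall(proxy_v1_header(local_ip, peer_ip, local_port, port))
        try:
            data = s.recv(512)
        except socket.timeout:
            return None
        # An empty read means the server gave up waiting and closed the connection.
        return data.decode("ascii", errors="replace").strip() or None


if __name__ == "__main__":
    # Assumed usage: python probe.py <mailserver-host> <port>
    target_host, target_port = sys.argv[1], int(sys.argv[2])
    plain = read_banner(target_host, target_port, send_proxy=False)
    with_proxy = read_banner(target_host, target_port, send_proxy=True)
    print(f"plain={plain!r} with_proxy={with_proxy!r} -> {classify(plain, with_proxy)}")
```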