👀 What Happened?
Starting with version 13.0.0, when using Proxy Protocol, the certificate of the SMTP server cannot be fetched over SSL (465), but is accessible over StartTLS (587).
Using the exact same configuration without a single change except using the version 12.1.0 solves the issue.
I tried 13.0.0, 13.2.0 and 13.3.0, all have the same issue.
openssl s_client -connect mail.DOMAIN.com:465
# In version 12.1.0 the previous command receives the certificate.
# In version 13.x.0 the previous command throws this error:
CONNECTED(00000003)
20F0869FFFFF0000:error:0A000126:SSL routines:ssl3_read_n:unexpected eof while reading:../ssl/record/rec_layer_s3.c:303:
no peer certificate available
openssl s_client -connect mail.DOMAIN.com:587 -starttls smtp
# In versions 12.1.0 and 13.x.x, the previous command receives the certificate.
Disabling Proxy Protocol solves the issue.
👟 Reproduction Steps
I am not going to post the whole configuration, to keep the focus on the proxy protocol and not on the config, as it seems to not be related to the configuration itself, but to the version and proxy protocol. Though if needed I can post my configuration.
I am configuring proxy protocol as shown on the Kubernetes page of the documentation.
Ingress controller config:
25: "mail-server/mailserver:25::PROXY"
143: "mail-server/mailserver:143::PROXY"
465: "mail-server/mailserver:465::PROXY"
587: "mail-server/mailserver:587::PROXY"
993: "mail-server/mailserver:993::PROXY"
4190: "mail-server/mailserver:4190::"
Proxy protocol config in DMS:
##### Proxy protocol #####
postfix-main.cf: |
  postscreen_upstream_proxy_protocol = haproxy
postfix-master.cf: |
  smtp/inet/postscreen_upstream_proxy_protocol=haproxy
  submission/inet/smtpd_upstream_proxy_protocol=haproxy
  smtps/inet/smtpd_upstream_proxy_protocol=haproxy
dovecot.cf: |
  # Trusts the network of the ingress controller.
  haproxy_trusted_networks = 10.0.0.0/8, 127.0.0.0/8
  service imap-login {
    inet_listener imap {
      haproxy = yes
    }
    inet_listener imaps {
      haproxy = yes
    }
  }
As mentioned, the exact same configuration with the exact same ingress configuration (I am using NGINX) for proxy protocol was used for testing; the only thing that changed was the version of DMS.
Is it related to this? #3546
UPDATE
As mentioned above, I tried disabling Proxy Protocol from all DMS services, so just setting the config as if there is no Proxy Protocol, and of course removed proxy protocol from my ingress Nginx settings, which worked.
I have just tested removing proxy protocol ONLY from the 465 port (SMTP SSL) ONLY in my Nginx ingress, but I kept Proxy Protocol in DMS configured as shown above, meaning Proxy Protocol was only disabled on my Ingress port 465, while in DMS Proxy Protocol is still configured. This also caused the system to work as expected. I do not understand why. Could someone also explain this, please?
🐋 DMS Version
v13.0.0, 13.2.0, 13.3.0
💻 Operating System and Architecture
Ubuntu 22.04, ARM64
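The four ingress/listener combinations tested in this report, as an added example that is not part of the original issue or of DMS: a small Python model of what an implicit-TLS listener (such as port 465) reads first when the proxy and the listener agree or disagree about PROXY protocol. The addresses and ClientHello bytes are constructed samples, and `implicit_tls_listener` is a hypothetical model of the general behaviour, not Postfix's own logic.

```python
import ipaddress

PROXY_V2_SIG = b"\r\n\r\n\x00\r\nQUIT\n"   # fixed 12-byte PROXY v2 signature
CLIENT_HELLO = bytes.fromhex("160301020001")  # constructed: start of a TLS ClientHello record

def build_proxy_v1(src, dst, sport, dport):
    """Header a proxy sends first on the TCP stream (PROXY protocol v1)."""
    fam = "TCP6" if ipaddress.ip_address(src).version == 6 else "TCP4"
    return f"PROXY {fam} {src} {dst} {sport} {dport}\r\n".encode("ascii")

def classify(data):
    """Name what the first bytes of a connection look like."""
    if data.startswith(PROXY_V2_SIG):
        return "proxy-v2"
    if data.startswith(b"PROXY "):
        return "proxy-v1"
    if len(data) >= 2 and data[0] == 0x16 and data[1] == 0x03:
        return "tls"  # TLS record: content type handshake, major version 3
    return "other"

def parse_proxy_v1(data):
    """Split a v1 header off the stream; return (client_ip, client_port, rest)."""
    end = data.find(b"\r\n", 0, 107)  # spec: the whole line is at most 107 bytes
    if not data.startswith(b"PROXY ") or end < 0:
        raise ValueError("no PROXY v1 header")
    fields = data[:end].decode("ascii").split(" ")
    rest = data[end + 2:]
    if fields[1] == "UNKNOWN":
        return None, None, rest
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed PROXY v1 header")
    return str(ipaddress.ip_address(fields[2])), int(fields[4]), rest

def implicit_tls_listener(expects_proxy, data):
    """Model: what an implicit-TLS listener does with its first bytes (v1 only)."""
    kind = classify(data)
    if expects_proxy:
        if kind != "proxy-v1":
            return "reject: PROXY header expected"
        ip, _port, data = parse_proxy_v1(data)
        kind = classify(data)
        return f"tls handshake, client={ip}" if kind == "tls" else "reject: not TLS"
    # Without PROXY support the header bytes land where the ClientHello should be.
    return "tls handshake, client=<proxy address>" if kind == "tls" else "reject: not TLS"
```

A handshake only succeeds when both sides agree; when the listener is not consuming the header, the client sees a dropped connection rather than a certificate.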