TLS Handshake Error with PMG Cluster

May 8, 2025
Hi everyone,

I've set up a Proxmox Mail Gateway (PMG) cluster with two nodes (PMG1 and PMG2). Load balancing is handled via OPNsense using round-robin.

The issue I'm facing is that when an external mail server connects to PMG2, I get a TLS handshake error. Connections to PMG1 work fine.

My suspicion is that the error is caused by PMG2 presenting a TLS certificate that doesn't match the expected hostname, since each PMG node has a different hostname.

Has anyone encountered this before, or does anyone have advice on how to handle TLS properly in this kind of load-balanced cluster setup?

Thanks in advance!
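To test the suspicion above (each node presenting a certificate for its own hostname rather than the name senders connect to), here is an added diagnostic, not from this thread or from Proxmox: it speaks plain SMTP to one node, issues STARTTLS and verifies the presented certificate against the expected name, so PMG1 and PMG2 can be compared side by side. The node address and expected name are placeholders you supply; SAMPLE_CERT is a constructed stand-in for offline checks of the name matching.

```python
import socket
import ssl
SAMPLE_CERT = {"subjectAltName": (("DNS", "pmg2.example.org"), ("DNS", "*.example.org"))}  # constructed, not a real PMG cert

def san_names(cert: dict) -> list[str]:
    """DNS names from a getpeercert()-style dict (the subjectAltName entries)."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]

def cert_matches_host(cert: dict, hostname: str) -> bool:
    """RFC 6125-style match: labels compared exactly, '*' covers one leftmost label only."""
    labels = hostname.lower().rstrip(".").split(".")
    for name in san_names(cert):
        pattern = name.lower().split(".")
        if len(pattern) != len(labels) or pattern[1:] != labels[1:]:
            continue
        if pattern[0] == labels[0] or (pattern[0] == "*" and labels[0]):
            return True
    return False

def _read_reply(reader) -> list[str]:
    """Collect one SMTP reply; the final line has a space (not '-') after the code."""
    lines = []
    while True:
        line = reader.readline()
        if not line:
            raise ConnectionError("peer closed the connection")
        lines.append(line.rstrip("\r\n"))
        if len(line) < 4 or line[3] == " ":
            return lines

def probe_starttls(node_ip: str, expected_host: str, timeout: float = 10.0) -> tuple[bool, str]:
    """SMTP to one node, STARTTLS, then verify its certificate against expected_host."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    with socket.create_connection((node_ip, 25), timeout=timeout) as sock:
        reader = sock.makefile("r", encoding="ascii", errors="replace")
        _read_reply(reader)                                   # 220 greeting
        sock.sendall(b"EHLO probe.invalid\r\n")
        if not any(l[4:].upper().startswith("STARTTLS") for l in _read_reply(reader)):
            return False, "server does not advertise STARTTLS"
        sock.sendall(b"STARTTLS\r\n")
        if not _read_reply(reader)[0].startswith("220"):
            return False, "STARTTLS refused by server"
        try:  # a name mismatch surfaces here as SSLCertVerificationError (an SSLError)
            tls = ctx.wrap_socket(sock, server_hostname=expected_host)
        except ssl.SSLError as exc:
            return False, f"TLS handshake failed for {expected_host}: {exc}"
        names = san_names(tls.getpeercert())
        tls.sendall(b"QUIT\r\n")
        tls.close()
        return True, f"certificate valid for {expected_host}; SANs: {', '.join(names)}"
```

Call it once per node with the name senders actually use, e.g. `probe_starttls("192.0.2.12", "mx.example.org")` (placeholder values). Most sending MTAs use opportunistic TLS and tolerate a name mismatch, so a failure here is worth fixing but the peer's own log still decides what aborted the handshake.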
 
Please share the logs of your PMG2 (after restarting postfix) when the error occurs - this might help to find the issue.
 
If possible please share the complete logs as text (either attached or in a code-block) - it makes looking through them much faster/more comfortable.

Not sure if the screenshot captures everything - or if smtpd had an error regarding TLS configuration before - but the only thing that we see here is that the remote server simply did not continue with the transaction after STARTTLS - the reasons for this can be many - and you'd need to ask the mail admin of that system what their log says. Sometimes it's a content-inspecting firewall that drops connections it cannot look into, sometimes it's some form of misconfiguration.

I hope this helps!