Is your feature request related to a problem? Please describe.
I'm trying to get a setup working that looks like this:
```mermaid
flowchart LR;
    sender--internet-->border_smtp
    subgraph k8s
        border_smtp--intranet-->upstream_smtp
    end
    upstream_smtp---internet--->recipient
```
In this case the border SMTP server is Haraka but the upstream SMTP server is Maddy.
Port 465 works great with SNI for directing connections directly to the upstream, but in the case of STARTTLS variants (25, 143, 587) a protocol-aware (intercepting) proxy is necessary.
I'd like to avoid having Haraka hold all TLS details or upstream servers (I do realize that's the quickest way to solve being able to send mail via the external domain, Haraka would just send the outgoing mail itself).
So this means that I would like to handle the problem before MAIL FROM or queuing time (which rules out smtp_forward and smtp_proxy, if I understand correctly).
Describe the solution you'd like
It looks like smtp_bridge can be modified to solve my problem, as it simply bridges the connection upstream, but right now it only seems to bridge to one other SMTP server for every incoming connection.
I think the solution is to:
- Add code to `smtp_bridge` to choose configuration based on `MAIL FROM` address (similar to `smtp_forward`)
- Add code to `smtp_bridge` to forward based on the per-domain configuration
While I'm here I'd like to change `smtp_proxy` so it can be per-domain as well.
I'm willing to write this PR if the overall approach is sound!
Describe alternatives you've considered
I've tried to use `smtp_forward`/`smtp_proxy` and they seem to require that Haraka terminates the STARTTLS connection.
These could work, but require Haraka to hold all relevant credentials for upstream SMTP servers (and all checks/logic in upstream servers copied into Haraka).
Additional context
I know there are at least a couple ways of hacking my way to a solution:
- Extending Haraka to more dynamically retrieve TLS certificates (in my case I'm running in a Kubernetes cluster), and sending email through Haraka.
- Loading all relevant TLS certificates and using `smtp_forward`, which already supports per-domain settings.
Would love to hear feedback on those thoughts or any alternatives I have missed.
Another thing I'd like to hear about is how I can avoid putting SMTP auth credentials directly in the config -- is there a way to load secrets from files or anything more dynamic?