Hi everyone!
I have dovecot (1.2.11) on one our external mail servers acting as a
proxy. The client (ifor now, my iphone) connects fine via ssl to the
external mailserver but I can't seem to get a secure connection now to
the internal destination imap server (between external mail server and
internal imap server, it's going through port 143). Running tcpdump, I
can clearly see my password being transmitted on our internal network. I
read the addition to the documentation about dovecot proxy but I'm not
sure where to add these variables:
In v1.2.rc4+ the connections to destination server can be TLS/SSL
encrypted by returning:
*
ssl=yes: Use SSL and require a valid verified remote certificate.
*WARNING: Unless used carefully, this is an insecure setting!*
Currently host must be an IP address, so this setting accepts any
certificate signed by a trusted CA. The host name isn't checked in
any way against the certificate's CN. The only way to use this
securely is to only use and allow your own private CA's certs,
anything else is exploitable by a man-in-the-middle attack.
* ssl=any-cert: Use SSL, but don't require a valid remote certificate.
* starttls: Use STARTTLS command instead of doing SSL handshake
immediately after connected.
Can anyone point me in the right direction? Thanks so much! :)
--
Monika Janek
Systems Administrator, Side Effects Software
Toronto, Ontario Canada
416-504-9876 x207 www.sidefx.com
On Thu, 2010-04-29 at 11:09 -0400, Monika Janek wrote:> I > read the addition to the documentation about dovecot proxy but I'm not > sure where to add these variables:..> ssl=yes: Use SSL and require a valid verified remote certificate.Into your passdb's extra fields. What passdb do you use? http://wiki.dovecot.org/PasswordDatabase/ExtraFields has some examples how to use them. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 198 bytes Desc: This is a digitally signed message part URL: <http://dovecot.org/pipermail/dovecot/attachments/20100429/05b91f1f/attachment-0002.bin>
Hi Timo, Thanks for getting back to me! Currently I'm using SQL to check the proxy but the authentication gets passed on to the internal mail server where it authenticates with LDAP. This is my SQL query on the external mail host: password_query = SELECT NULL AS password, host, destuser, 'Y' AS nopassword, 'Y' AS nologin, 'Y' AS nodelay, 'Y' AS proxy FROM proxy WHERE user = '%u' I take this as to just check the SQL for the existence of the username then pass the authentication onto the internal server. I tried putting in 'starttls' into the query string but it didn't work. Everything is working but I would just prefer a secure connection for the entire chain. I have my iphone connected via ssl to port 993 on the external mail host but then the proxy (which is now on our internal network) communication with the internal host is not encrypted. Timo Sirainen wrote:> On Thu, 2010-04-29 at 11:09 -0400, Monika Janek wrote: > > >> I >> read the addition to the documentation about dovecot proxy but I'm not >> sure where to add these variables: >> > .. > >> ssl=yes: Use SSL and require a valid verified remote certificate. >> > > Into your passdb's extra fields. What passdb do you use? > http://wiki.dovecot.org/PasswordDatabase/ExtraFields has some examples > how to use them. > >-- Monika Janek Systems Administrator, Side Effects Software Toronto, Ontario Canada 416-504-9876 x207 www.sidefx.com