Hello everyone,

I have seen: http://wiki.dovecot.org/HowTo/ImapProxy. It doesn't seem to fit what I need. Unfortunately, I cannot use TLS. I have to use SSL. Also, I would rather not duplicate the certificates for the IMAP servers. Hence nginx doesn't seem to be a good choice either.

I am hoping that since SSL has "Client Hello" which specifies the site requested, the following could be done:

    Client -> Proxy [SYN]
    Proxy -> Client [SYN, ACK]
    Client -> Proxy [ACK]
    Client -> Proxy [SSL with "Client Hello", having server_name in Extension: server_name and sub-fields]
    Proxy sees intended host
    Proxy <-> Intended Server [SYN/SYN+ACK/ACK sequence]
    Proxy -> Intended Server [Replay SSL/Client Hello]
    Client <-> Proxy <-> Intended Server (Proxy is a non-decrypting Man-in-the-Middle, just acting as a pseudo-invisible relay)

I know that something somewhat like this works because this is how Apache can do virtual hosts with SSL. Of course, it acts as the end point intended server, not a proxy. I believe it is also somewhat how Squid does SSL proxying, although I could be entirely wrong.

Is this possible? Can this be implemented in dovecot? If not, does anyone know of such a project? Proxy needs to not have any exploitable holes and really only needs to understand enough SSL to get the server_name, pass through the connection, replaying Client Hello, and then knowing when to shut the connection.

Just as a brief example, the use I have for this now is that I have several IMAP servers which all have IPv6 addresses, but have to share an IPv4 address. For the SMTP side of things, this works well for all incoming email. (As an aside, does anyone know of a similar setup for SSL traffic on port 465 SSL for SMTP?)

Thank you for any help,
Trever
On 08.05.2013 18:04, Trever L. Adams wrote:
> Is this possible? Can this be implemented in dovecot? If not, does
> anyone know of such a project. Proxy needs to not have any exploitable
> holes and really only needs to understand enough SSL to get the
> server_name, pass through the connection, replaying Client Hello, and
> then knowing when to shut the connection

It is a broken idea. IMAP/POP3/SMTP is not a website with different contents; you need ONE certificate and ONE server-name and you are done.

In case of dovecot as proxy you do not need SSL at all on the backend servers if they are not accessed via WAN.
At 10AM -0600 on 8/05/13 you (Trever L. Adams) wrote:
> Hello everyone,
>
> I have seen: http://wiki.dovecot.org/HowTo/ImapProxy. It doesn't seem to
> fit what I need.

That page is for Dovecot 1.x, which is obsolete. You should be reading http://wiki2.dovecot.org/PasswordDatabase/ExtraFields/Proxy .

> Unfortunately, I cannot use TLS. I have to use SSL. Also, I would rather
> not duplicate the certificates for the IMAP servers. Hence nginx doesn't
> seem to be a good choice either.
>
> I am hoping that since SSL has "Client Hello" which specifies the site
> requested the following could be done:
>
> Client -> Proxy [SYN]
> Proxy -> Client [SYN, ACK]
> Client -> Proxy [ACK]
> Client -> Proxy [SSL With "Client Hello", having server_name in
> Extension: server_name and sub-fields]

Do you have any evidence that common IMAP clients support sending SNI? I've just checked, and mutt (for example) appears not to.

> Proxy sees intended host
> Proxy <-> Intended Server [SYN/SYN+ACK/ACK sequence]
> Proxy -> Intended Server [Replay SSL/Client Hello]
> Client <-> Proxy <-> Intended Server (Proxy is non decrypting
> Man-in-the-Middle, just acting as a pseudo-invisible relay)
>
> I know that something somewhat like this works because this is how
> Apache can do virtual hosts with SSL. Of course, it acts as the end
> point intended server, not a proxy. I believe it is also somewhat how
> Squid does SSL proxying, although I could be entirely wrong.

More importantly, it only works with clients (browsers) which are new enough to send SNI. If you use, for instance, any version of IE on Windows XP, it will not work.

> Is this possible? Can this be implemented in dovecot?

I don't believe so.

> If not, does anyone know of such a project. Proxy needs to not have
> any exploitable holes and really only needs to understand enough SSL
> to get the server_name, pass through the connection, replaying Client
> Hello, and then knowing when to shut the connection.
>
> Just as a brief example, the use I have for this now is that I have
> several imap servers which all have IPv6 addresses, but have to share an
> IPv4 address. for SMTP side of things, this works well for all incoming
> email. (As an aside, does anyone know of a similar setup for SSL traffic
> on port 465 SSL for SMTP?)

Similarly, I doubt this is possible for SMTP either, since the clients probably won't send SNI.

Ben
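As an added example (not code from the thread or from Dovecot), the piece of "just enough SSL" the relay Trever describes would need: a parser that pulls the SNI server_name out of the first TLS record without decrypting anything. build_client_hello is a constructed sample for testing, not a captured handshake, and a client that sends no extensions, which is Ben's objection, makes extract_sni return None, so the relay has no routing information and must fall back or drop the connection.

```python
import struct

def build_client_hello(server_name=None):
    """Constructed minimal TLS 1.2 ClientHello record; server_name=None omits extensions,
    mimicking an older mail client that never sends SNI."""
    body = (b"\x03\x03" + b"\x00" * 32      # client_version, 32-byte random (zeroed in sample)
            + b"\x00"                        # session_id length 0
            + b"\x00\x02\x00\x2f"            # one cipher suite
            + b"\x01\x00")                   # one compression method (null)
    if server_name is not None:
        host = server_name.encode("idna")
        sni_list = struct.pack("!BH", 0, len(host)) + host              # name_type 0 = host_name
        sni_ext = struct.pack("!HHH", 0x0000, len(sni_list) + 2, len(sni_list)) + sni_list
        body += struct.pack("!H", len(sni_ext)) + sni_ext               # extensions block
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body           # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(data):
    """Return the SNI host_name from a TLS ClientHello record, or None if the bytes are
    not a complete ClientHello or carry no server_name extension."""
    try:
        if len(data) < 5 or data[0] != 0x16:          # 0x16 = handshake record
            return None
        rec_len = struct.unpack("!H", data[3:5])[0]
        rec = data[5:5 + rec_len]
        if len(rec) < rec_len or rec[0] != 0x01:      # truncated, or not client_hello
            return None
        pos = 4 + 2 + 32                               # handshake header, version, random
        pos += 1 + rec[pos]                            # session_id
        pos += 2 + struct.unpack("!H", rec[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + rec[pos]                            # compression_methods
        if pos + 2 > len(rec):
            return None                                # no extensions: client did not send SNI
        end = pos + 2 + struct.unpack("!H", rec[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", rec[pos:pos + 4])
            pos += 4
            if ext_type == 0x0000:                     # server_name extension
                list_end = pos + 2 + struct.unpack("!H", rec[pos:pos + 2])[0]
                p = pos + 2
                while p + 3 <= list_end:
                    name_type, name_len = struct.unpack("!BH", rec[p:p + 3])
                    p += 3
                    if name_type == 0:
                        return rec[p:p + name_len].decode("ascii")
                    p += name_len
            pos += ext_len
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None
```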