[Dovecot] IMAP SSL proxy (questions)

Trever L. Adams trever at middleearth.sapphiresunday.org
Wed May 8 19:04:45 EEST 2013


Hello everyone,

I have seen: http://wiki.dovecot.org/HowTo/ImapProxy. It doesn't seem to
fit what I need.

Unfortunately, I cannot use TLS. I have to use SSL. Also, I would rather
not duplicate the certificates for the IMAP servers. Hence nginx doesn't
seem to be a good choice either.

I am hoping that since SSL has "Client Hello" which specifies the site
requested the following could be done:

Client - > Proxy [SYN]
Proxy -> Client [SYN, ACK]
Client -> Proxy [ACK]
Client -> Proxy [SSL With "Client Hello", having server_name in
Extension: server_name and sub-fields]
              Proxy sees intended host
              Proxy <-> Intended Server [SYN/SYN+ACK/ACK sequence]
              Proxy -> Intended Server [Replay SSL/Client Hello]
Client <-> Proxy <-> Intended Server (Proxy is non decrypting
Man-in-the-Middle, just acting as a pseudo-invisible relay)

I know that something somewhat like this works because this is how
Apache can do virtual hosts with SSL. Of course, it acts as the end
point intended server, not a proxy. I believe it is also somewhat how
Squid does SSL proxying, although I could be entirely wrong.

Is this possible? Can this be implemented in dovecot? If not, does
anyone know of such a project? Proxy needs to not have any exploitable
holes and really only needs to understand enough SSL to get the
server_name, pass through the connection, replaying Client Hello, and
then knowing when to shut the connection.

Just as a brief example, the use I have for this now is that I have
several imap servers which all have IPv6 addresses, but have to share an
IPv4 address. For the SMTP side of things, this works well for all incoming
email. (As an aside, does anyone know of a similar setup for SSL traffic
on port 465 SSL for SMTP?)

Thank you for any help,
Trever
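The peek-and-relay flow sketched in the post (read the ClientHello, pull the host out of the server_name extension, open the backend, replay the buffered hello, then relay bytes blindly) is the same trick that stream-level SNI routers such as nginx's ssl_preread and HAProxy use. The following is an added example in Python, not code from the post or from Dovecot. The `BACKENDS` table, the example.net/example.org hostnames and the 2001:db8:: addresses are constructed placeholders. The parser does every read through a bounds check and refuses anything it does not understand, which is the property the post asks for: the proxy only ever needs to understand enough TLS to find the name, and it never relays to a host that is not in its own table.

```python
import asyncio
import struct

# Constructed routing table (assumed, not from the post): SNI host -> (IPv6 backend, port).
BACKENDS = {
    "imap.example.net": ("2001:db8::10", 993),
    "mail.example.org": ("2001:db8::20", 993),
}


def _need(buf: bytes, off: int, n: int) -> None:
    """Bounds check: raise instead of reading past the end of the buffer."""
    if off + n > len(buf):
        raise ValueError("truncated or malformed ClientHello")


def parse_sni(record: bytes):
    """Return the host_name from the server_name extension of a TLS ClientHello record,
    None if the hello carries no SNI, and raise ValueError on anything malformed."""
    _need(record, 0, 5)
    if record[0] != 0x16:                       # content_type must be handshake
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack(">H", record[3:5])[0]
    _need(record, 5, rec_len)
    hs = record[5:5 + rec_len]
    _need(hs, 0, 4)
    if hs[0] != 0x01:                           # handshake type must be ClientHello
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    _need(hs, 4, hs_len)
    body = hs[4:4 + hs_len]
    off = 2 + 32                                # skip client_version and random
    _need(body, off, 1)
    off += 1 + body[off]                        # skip session_id
    _need(body, off, 2)
    off += 2 + struct.unpack(">H", body[off:off + 2])[0]   # skip cipher_suites
    _need(body, off, 1)
    off += 1 + body[off]                        # skip compression_methods
    if off == len(body):
        return None                             # no extensions block at all
    _need(body, off, 2)
    end = off + 2 + struct.unpack(">H", body[off:off + 2])[0]
    off += 2
    _need(body, off, end - off)
    while off < end:                            # walk the extension list
        _need(body, off, 4)
        ext_type, length = struct.unpack(">HH", body[off:off + 4])
        off += 4
        _need(body, off, length)
        if ext_type == 0:                       # server_name extension
            ext = body[off:off + length]
            _need(ext, 0, 2)
            p, lend = 2, 2 + struct.unpack(">H", ext[:2])[0]
            _need(ext, 2, lend - 2)
            while p < lend:                     # ServerNameList entries
                _need(ext, p, 3)
                name_type, name_len = ext[p], struct.unpack(">H", ext[p + 1:p + 3])[0]
                p += 3
                _need(ext, p, name_len)
                if name_type == 0:              # 0 = host_name
                    return ext[p:p + name_len].decode("ascii")
                p += name_len
        off += length
    return None


def build_client_hello(hostname: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record carrying the given SNI (sample input only)."""
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack(">H", len(name)) + name
    sni = struct.pack(">H", len(entry)) + entry
    exts = struct.pack(">HH", 0, len(sni)) + sni
    body = (b"\x03\x03" + b"\x00" * 32          # client_version, all-zero random (sample)
            + b"\x00"                           # empty session_id
            + struct.pack(">H", 2) + b"\xc0\x2f"  # one cipher suite
            + b"\x01\x00"                       # compression: null only
            + struct.pack(">H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def route(record: bytes):
    """Backend for this ClientHello, or None (drop) when SNI is absent, unknown or malformed."""
    try:
        host = parse_sni(record)
    except ValueError:
        return None
    return BACKENDS.get(host.lower()) if host else None


async def _pump(src: asyncio.StreamReader, dst: asyncio.StreamWriter) -> None:
    """Copy one direction until EOF, then close the far side so the other half shuts down."""
    try:
        while data := await src.read(65536):
            dst.write(data)
            await dst.drain()
    finally:
        dst.close()


async def handle_client(client_r: asyncio.StreamReader, client_w: asyncio.StreamWriter) -> None:
    try:                                        # read exactly one TLS record: the ClientHello
        header = await client_r.readexactly(5)
        hello = header + await client_r.readexactly(struct.unpack(">H", header[3:5])[0])
    except asyncio.IncompleteReadError:
        client_w.close()
        return
    backend = route(hello)
    if backend is None:                         # never relay to a host outside the table
        client_w.close()
        return
    server_r, server_w = await asyncio.open_connection(*backend)
    server_w.write(hello)                       # replay the buffered ClientHello, then relay blindly
    await server_w.drain()
    await asyncio.gather(_pump(client_r, server_w), _pump(server_r, client_w))


if __name__ == "__main__":
    async def _serve():
        srv = await asyncio.start_server(handle_client, "::", 993)
        async with srv:
            await srv.serve_forever()
    asyncio.run(_serve())
```

The relay never decrypts anything, so it needs no copy of the backend certificates; the hostname is readable because the server_name extension travels in the clear in the ClientHello. The same `route` function applies unchanged to port 465, since SMTPS starts with the same record. Because the full first record is read with `readexactly` before any decision is made, a hello split across TCP segments is handled correctly, and a client that sends a non-TLS byte stream is dropped rather than passed anywhere.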

