[Dovecot] IMAP SSL proxy (questions)
Trever L. Adams
trever at middleearth.sapphiresunday.org
Thu May 9 15:04:56 EEST 2013
On 05/08/2013 01:57 PM, Ben Morrow wrote:
> At 10AM -0600 on 8/05/13 you (Trever L. Adams) wrote:
>> Hello everyone,
>>
>> I have seen: http://wiki.dovecot.org/HowTo/ImapProxy. It doesn't seem to
>> fit what I need.
> That page is for Dovecot 1.x, which is obsolete. You should be reading
> http://wiki2.dovecot.org/PasswordDatabase/ExtraFields/Proxy .
>
>> Unfortunately, I cannot use TLS. I have to use SSL. Also, I would rather
>> not duplicate the certificates for the IMAP servers. Hence nginx doesn't
>> seem to be a good choice either.
>>
>> I am hoping that since SSL has "Client Hello" which specifies the site
>> requested the the following could be done:
>>
>> Client - > Proxy [SYN]
>> Proxy -> Client [SYN, ACK]
>> Client -> Proxy [ACK]
>> Client -> Proxy [SSL With "Client Hello", having server_name in
>> Extension: server_name and sub-fields]
> Do you have any evidence that common IMAP clients support sending SNI?
> I've just checked, and mutt (for example) appears not to.
>
>> Proxy sees intended host
>> Proxy <-> Intended Server [SYN/SYN+ACK/ACK sequence]
>> Proxy -> Intended Server [Replay SSL/Client Hello]
>> Client <-> Proxy <-> Intended Server (Proxy is non decrypting
>> Man-in-the-Middle, just acting as a pseudo-invisible relay)
>>
>> I know that something somewhat like this works because this is how
>> Apache can do virtual hosts with SSL. Of course, it acts as the end
>> point intended server, not a proxy. I believe it is also somewhat how
>> Squid does SSL proxying, although I could be entirely wrong.
> More importantly, it only works with clients (browsers) which are new
> enough to send SNI. If you use, for instance, any version of IE on
> Windows XP, it will not work.
>
>> Is this possible? Can this be implemented in dovecot?
> I don't believe so.
>
>> If not, does anyone know of such a project. Proxy needs to not have
>> any exploitable holes and really only needs to understand enough SSL
>> to get the server_name, pass through the connection, replaying Client
>> Hello, and then knowing when to shut the connection.
>>
>> Just as a breif example, the use I have for this now is that I have
>> several imap servers which all have IPv6 addresses, but have to share an
>> IPv4 address. for SMTP side of things, this works well for all incoming
>> email. (As an aside, does anyone know of a similar setup for SSL traffic
>> on port 465 SSL for SMTP?)
> Similarly, I doubt this is possible for SMTP either, since the clients
> probably won't send SNI.
>
> Ben
>
>
Thank you Ben and Noel for your responses! I know Thunderbird on Linux
sends it. Right now my targets would be Thunderbird, K9 Mail and Android
Mail on Android, and Apple Mail and whatever the equivalent is on iOS. I
will investigate K9 and Android later (as I have access to those). I do
not have access to the Apple ones at the moment.
K-9 on my Droid X2 does not support SNI.
Trever
More information about the dovecot
mailing list