At 10AM -0600 on 8/05/13 you (Trever L. Adams) wrote:
> Hello everyone,
> I have seen: http://wiki.dovecot.org/HowTo/ImapProxy. It doesn't seem to fit what I need.
That page is for Dovecot 1.x, which is obsolete. You should be reading http://wiki2.dovecot.org/PasswordDatabase/ExtraFields/Proxy .
> Unfortunately, I cannot use TLS. I have to use SSL. Also, I would rather not duplicate the certificates for the IMAP servers. Hence nginx doesn't seem to be a good choice either.
> I am hoping that since SSL has "Client Hello" which specifies the site requested, the following could be done:
> Client -> Proxy [SYN]
> Proxy -> Client [SYN, ACK]
> Client -> Proxy [ACK]
> Client -> Proxy [SSL with "Client Hello", having server_name in Extension: server_name and sub-fields]
Do you have any evidence that common IMAP clients support sending SNI? I've just checked, and mutt (for example) appears not to.
> Proxy sees intended host
> Proxy <-> Intended Server [SYN/SYN+ACK/ACK sequence]
> Proxy -> Intended Server [Replay SSL/Client Hello]
> Client <-> Proxy <-> Intended Server (Proxy is a non-decrypting Man-in-the-Middle, just acting as a pseudo-invisible relay)
> I know that something somewhat like this works because this is how Apache can do virtual hosts with SSL. Of course, it acts as the end point intended server, not a proxy. I believe it is also somewhat how Squid does SSL proxying, although I could be entirely wrong.
More importantly, it only works with clients (browsers) which are new enough to send SNI. If you use, for instance, any version of IE on Windows XP, it will not work.
> Is this possible? Can this be implemented in dovecot?
I don't believe so.
> If not, does anyone know of such a project. Proxy needs to not have any exploitable holes and really only needs to understand enough SSL to get the server_name, pass through the connection, replaying Client Hello, and then knowing when to shut the connection.
> Just as a brief example, the use I have for this now is that I have several IMAP servers which all have IPv6 addresses, but have to share an IPv4 address. For the SMTP side of things, this works well for all incoming email. (As an aside, does anyone know of a similar setup for SSL traffic on port 465 SSL for SMTP?)
Similarly, I doubt this is possible for SMTP either, since the clients probably won't send SNI.
Ben
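The relay Trever sketches only has to read far enough into the first record to find the server_name extension, and Ben's objection is exactly the case where that field is absent. The following is an added example (not code from the thread, Dovecot or any proxy project) showing that minimal parsing step in Python: it constructs a TLS 1.2-style ClientHello with and without SNI as sample input, extracts the host name without touching anything else, and refuses malformed input instead of guessing, which is what a non-decrypting relay should do before it picks a backend. The backend table, the host names and the hypothetical `pick_backend` helper are assumptions for the illustration.

```python
import struct

TLS_HANDSHAKE = 0x16      # record-layer content type
HS_CLIENT_HELLO = 0x01    # handshake message type
EXT_SERVER_NAME = 0x0000  # SNI extension type (RFC 6066)


def build_client_hello(server_name=None):
    """Constructed sample ClientHello (not captured from a real client).
    server_name=None produces a hello with no SNI extension at all, which is
    what a client such as mutt would send according to the thread."""
    body = b"\x03\x03" + b"\x11" * 32                       # client_version + random
    body += b"\x00"                                          # empty session_id
    body += struct.pack("!H", 4) + b"\xc0\x2f\x00\x9c"       # two cipher suites
    body += b"\x01\x00"                                      # one compression method: null
    if server_name is not None:
        host = server_name.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(host)) + host  # name_type 0 = host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
        body += struct.pack("!H", len(ext)) + ext
    handshake = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the SNI host_name from a ClientHello record, or None when the client
    sent no SNI extension. Raises ValueError for anything that is not a well-formed
    ClientHello so the relay can close the connection rather than route blindly."""
    pos = 0

    def take(n):
        nonlocal pos
        if pos + n > len(record):
            raise ValueError("truncated ClientHello")
        chunk = record[pos:pos + n]
        pos += n
        return chunk

    if take(1)[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    take(2)                                                  # record-layer version
    rec_len = struct.unpack("!H", take(2))[0]
    if rec_len > len(record) - pos:
        raise ValueError("record length exceeds data")
    if take(1)[0] != HS_CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    end = pos + 3 + int.from_bytes(take(3), "big")
    if end > len(record):
        raise ValueError("handshake length exceeds data")
    take(2)                                                  # client_version
    take(32)                                                 # random
    take(take(1)[0])                                         # session_id
    take(struct.unpack("!H", take(2))[0])                    # cipher_suites
    take(take(1)[0])                                         # compression_methods
    if pos >= end:
        return None                                          # no extensions block at all
    ext_end = pos + 2 + struct.unpack("!H", take(2))[0]
    if ext_end > end:
        raise ValueError("extensions overrun handshake")
    while pos < ext_end:
        ext_type, ext_size = struct.unpack("!HH", take(4))
        data = take(ext_size)
        if ext_type != EXT_SERVER_NAME:
            continue
        if len(data) < 2:
            raise ValueError("malformed server_name extension")
        i, list_end = 2, 2 + struct.unpack("!H", data[:2])[0]
        while i + 3 <= min(list_end, len(data)):
            name_type = data[i]
            nlen = struct.unpack("!H", data[i + 1:i + 3])[0]
            if i + 3 + nlen > len(data):
                raise ValueError("malformed server_name entry")
            if name_type == 0:
                return data[i + 3:i + 3 + nlen].decode("ascii")
            i += 3 + nlen
    return None


def pick_backend(record, backends):
    """Hypothetical routing helper: map the SNI name to a backend address.
    Returns None when the hello carries no SNI, i.e. the relay cannot choose."""
    name = extract_sni(record)
    return backends.get(name) if name else None


if __name__ == "__main__":
    # Assumed backend table for the illustration; addresses are placeholders.
    table = {"imap.example.com": ("2001:db8::10", 993), "mail.example.org": ("2001:db8::20", 993)}
    print(pick_backend(build_client_hello("imap.example.com"), table))
    print(pick_backend(build_client_hello(None), table))
```

The relay would read only this first record, choose the backend from the name, open the upstream connection and write the buffered bytes on unchanged; the handshake completes end to end and the relay never holds a key. The `None` path is the thread's real limitation: a client that omits SNI leaves nothing to route on, so the relay needs a default backend or must close.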