[Dovecot] securing dovecot proxy connections
The wiki <http://wiki.dovecot.org/PasswordDatabase/ExtraFields/Proxy> page says this: "The connections created to the destination server can't be TLS/SSL encrypted.".
Hrmm. Right now, with perdition, I'm forcing the use of STARTTLS on the internal connections. I'd just as soon get rid of perdition (to have one less moving part in my architecture), but I need the secure connections.
Is there a way to configure dovecot's internal proxy connections to use STARTTLS or some other SSL/TLS level of security? (Without a bunch more research, I don't know what the interaction is between the real client, the dovecot proxy, and the destination server.)
bill-dovecot@carpenter.ORG (WJCarpenter) PGP 0x91865119 38 95 1B 69 C9 C6 3D 25 73 46 32 04 69 D6 ED F3
WJCarpenter wrote:
The wiki <http://wiki.dovecot.org/PasswordDatabase/ExtraFields/Proxy> page says this: "The connections created to the destination server can't be TLS/SSL encrypted.".
Hrmm. Right now, with perdition, I'm forcing the use of STARTTLS on the internal connections. I'd just as soon get rid of perdition (to have one less moving part in my architecture), but I need the secure connections.
Is there a way to configure dovecot's internal proxy connections to use STARTTLS or some other SSL/TLS level of security? (Without a bunch more research, I don't know what the interaction is between the real client, the dovecot proxy, and the destination server.)
Just create encrypted tunnel between the peers and send your traffic through it. IPSec, ssh etc..
wjc> Is there a way to configure dovecot's internal proxy connections wjc> to use STARTTLS or some other SSL/TLS level of security? wjc> (Without a
mmj> Just create encrypted tunnel between the peers and send your mmj> traffic through it. IPSec, ssh etc..
Thanks for the suggestion. I had thought of that, but all my front-end servers are also back-end servers. (I'm just letting the users come in on any server -- usually the correct one -- and want to transparently connect them to the correct back-end if they happen to come into the wrong server.) So, even with just 5 servers, that's 20 tunnels to keep afloat through reboots, etc. In principle no problem, but it's a lot of balls in the air.
WJCarpenter wrote:
wjc> Is there a way to configure dovecot's internal proxy connections wjc> to use STARTTLS or some other SSL/TLS level of security? wjc> (Without a
mmj> Just create encrypted tunnel between the peers and send your mmj> traffic through it. IPSec, ssh etc..
Thanks for the suggestion. I had thought of that, but all my front-end servers are also back-end servers. (I'm just letting the users come in on any server -- usually the correct one -- and want to transparently connect them to the correct back-end if they happen to come into the wrong server.) So, even with just 5 servers, that's 20 tunnels to keep afloat through reboots, etc. In principle no problem, but it's a lot of balls in the air.
In that case you could add VLAN trunks between them to separate connections from the rest of the network. You would tunnel your server traffic in VLANs and noone would be able to sniff it. This is probably the quickest and most robust way to do this on a LAN not involving any security protocols.
Marcin.
WJCarpenter wrote:
The wiki <http://wiki.dovecot.org/PasswordDatabase/ExtraFields/Proxy> page says this: "The connections created to the destination server can't be TLS/SSL encrypted.".
Hrmm. Right now, with perdition, I'm forcing the use of STARTTLS on the internal connections. I'd just as soon get rid of perdition (to have one less moving part in my architecture), but I need the secure connections.
Is there a way to configure dovecot's internal proxy connections to use STARTTLS or some other SSL/TLS level of security? (Without a bunch more research, I don't know what the interaction is between the real client, the dovecot proxy, and the destination server.)
per another current thread (o/s tuning for imap), I've installed imapproxy, and it supports starttls to the backend imap server. It doesn't use encryption on the incoming connections though, since they are presumably from localhost (squirrelmail). Ken
-- Ken Anderson Pacific.Net
ka> per another current thread (o/s tuning for imap), I've installed ka> imapproxy, and it supports starttls to the backend imap server. It ka> doesn't use encryption on the incoming connections though, since ka> they are presumably from localhost (squirrelmail). Ken
That's an interesting thought. Have you actually gotten its STARTTLS to work? I tried it a couple days ago with no luck, but maybe I just didn't try hard enough.
bill-dovecot@carpenter.ORG (WJCarpenter) PGP 0x91865119 38 95 1B 69 C9 C6 3D 25 73 46 32 04 69 D6 ED F3
WJCarpenter wrote:
ka> per another current thread (o/s tuning for imap), I've installed ka> imapproxy, and it supports starttls to the backend imap server. It ka> doesn't use encryption on the incoming connections though, since ka> they are presumably from localhost (squirrelmail). Ken
That's an interesting thought. Have you actually gotten its STARTTLS to work? I tried it a couple days ago with no luck, but maybe I just didn't try hard enough.
I had a bit of trouble with it as well. I set it to connect to the dovecot on 993 and listen on 143 locally. That had an odd effect. It connected to dovecot, but failed to LISTEN locally, and nothing was logged about this failure! After trying various other things, I changed the settings to 143 for both and it worked. Then I set "force tls = yes", pointed the config options at the bottom of the config file to valid cert,ca,key, etc.. and yes, it works great. tcpdump verifies that it's using TLS now.
Ken
-- Ken Anderson Pacific.Net
participants (4)
-
bill-dovecot@carpenter.ORG
-
Ken A
-
Marcin Michal Jessa
-
WJCarpenter