[Dovecot] Question about dovecot imap proxy
Hi everyone! I have dovecot (1.2.11) on one of our external mail servers acting as a proxy. The client (for now, my iPhone) connects fine via SSL to the external mail server, but I can't seem to get a secure connection to the internal destination IMAP server (between the external mail server and the internal IMAP server it's going through port 143). Running tcpdump, I can clearly see my password being transmitted on our internal network. I read the addition to the documentation about the dovecot proxy but I'm not sure where to add these variables:
In v1.2.rc4+ the connections to destination server can be TLS/SSL encrypted by returning:
* ssl=yes: Use SSL and require a valid verified remote certificate.
*WARNING: Unless used carefully, this is an insecure setting!*
Currently host must be an IP address, so this setting accepts any certificate signed by a trusted CA. The host name isn't checked in any way against the certificate's CN. The only way to use this securely is to only use and allow your own private CA's certs; anything else is exploitable by a man-in-the-middle attack.
* ssl=any-cert: Use SSL, but don't require a valid remote certificate.
* starttls: Use the STARTTLS command instead of doing an SSL handshake immediately after connecting.
Can anyone point me in the right direction? Thanks so much! :)
-- Monika Janek Systems Administrator, Side Effects Software Toronto, Ontario Canada 416-504-9876 x207 www.sidefx.com
On Thu, 2010-04-29 at 11:09 -0400, Monika Janek wrote:
I read the addition to the documentation about dovecot proxy but I'm not sure where to add these variables: .. ssl=yes: Use SSL and require a valid verified remote certificate.
Into your passdb's extra fields. What passdb do you use? http://wiki.dovecot.org/PasswordDatabase/ExtraFields has some examples of how to use them.
Hi Timo, Thanks for getting back to me!
Currently I'm using SQL to check the proxy but the authentication gets passed on to the internal mail server where it authenticates with LDAP. This is my SQL query on the external mail host:
password_query = SELECT NULL AS password, host, destuser, 'Y' AS nopassword, 'Y' AS nologin, 'Y' AS nodelay, 'Y' AS proxy FROM proxy WHERE user = '%u'
I take this to mean it just checks SQL for the existence of the username and then passes the authentication on to the internal server. I tried putting 'starttls' into the query string but it didn't work. Everything is working, but I would just prefer a secure connection for the entire chain. I have my iPhone connected via SSL to port 993 on the external mail host, but then the proxy's communication (which is now on our internal network) with the internal host is not encrypted.
On Thu, 2010-04-29 at 13:44 -0400, Monika Janek wrote:
password_query = SELECT NULL AS password, host, destuser, 'Y' AS nopassword, 'Y' AS nologin, 'Y' AS nodelay, 'Y' AS proxy FROM proxy WHERE user = '%u'
I take this to mean it just checks SQL for the existence of the username and then passes the authentication on to the internal server. I tried putting 'starttls' into the query string but it didn't work.
Looks like the current code is being kind of stupid here. It requires that you do:
'yes' as ssl, 'Y' as starttls
ssl's values can be either "yes" or "any-cert", anything else gets ignored. I changed v2.0 now so that it makes more sense and you could simply do 'y' as starttls.
Hi Timo!
I tried the 'Y' as starttls and I receive this:
imap-login: proxy: Received invalid SSL certificate
And the authentication fails. Could it be because I've signed my own certs?
Whenever I try the 'yes' as ssl in the sql query, I get a syntax error message:
Password query failed: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'ssl,'Y' AS nopassword, 'Y' AS nologin, 'Y' AS nodelay, 'Y' AS proxy FROM proxy W' at line 1
Thanks for all your help Timo. I'm so close! I've also compiled version 2.0 but I haven't used it yet. I have 1.2.11 installed from the Debian packages.
On Thu, 2010-04-29 at 14:43 -0400, Monika Janek wrote:
I tried the 'Y' as starttls and I receive this:
imap-login: proxy: Received invalid SSL certificate
And the authentication fails. Could it be because I've signed my own certs?
Yes. Either put the cert into ssl_ca_file or use 'any-cert' as ssl so it doesn't check it.
Whenever I try the 'yes' as ssl in the sql query, I get a syntax error message:
Password query failed: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'ssl,'Y' AS nopassword, 'Y' AS nologin, 'Y' AS nodelay, 'Y' AS proxy FROM proxy W' at line 1
Wonder what you tried there..
This was my sql query:
password_query = SELECT NULL AS password, host, destuser, 'yes' AS ssl,'Y' AS nopassword, 'Y' AS nologin, 'Y' AS nodelay, 'Y' AS proxy FROM proxy WHERE user = '%u'
It's obviously something I'm doing! But I'll try the ssl_ca_file route too.
Looks like MySQL treats ssl as a reserved word. Use 'yes' as 'ssl'.
Genius! I did the 'any-cert' AS 'ssl' and put the '993' AS port and it worked. I'll do the ssl_ca_file as well. I thought that I had tried the 'yes' as 'ssl' but it works now. Thanks so much for your help Timo. I really appreciate it. :) I love dovecot!
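Putting Timo's rules together, here is an added example (not from the thread and not Dovecot's own code) that audits the extra fields a passdb row returns and reports how the proxy-to-backend hop will behave: whether the password crosses the internal network in clear, whether the certificate is verified, and why 'yes' AS 'ssl' fails with a self-signed cert until the CA is trusted. The row dicts are constructed samples modelled on the queries above; the ca_trusts_dest flag is an assumption standing in for "the destination's CA is listed in ssl_ca_file".

```python
# Added example, not from the thread or from Dovecot. Encodes the v1.2 rules
# given above: ssl must be "yes" or "any-cert" (anything else is ignored),
# starttls is only honoured together with ssl, ssl=yes rejects a self-signed
# cert unless its CA is in ssl_ca_file, any-cert skips verification.
# ca_trusts_dest is an assumed flag standing in for the ssl_ca_file check.

def proxy_posture(row, ca_trusts_dest=False):
    """Return (verdict, notes) for the proxy-to-backend IMAP hop."""
    notes = []
    if str(row.get("proxy", "")).upper() != "Y":
        return "no-proxy", ["row does not enable proxying"]
    ssl = str(row.get("ssl", "")).lower()
    starttls = str(row.get("starttls", "")).upper() == "Y"
    port = int(row.get("port", 143))
    if ssl not in ("yes", "any-cert"):
        # v1.2 silently drops unrecognised ssl values, so 'Y' AS ssl = plaintext
        if ssl:
            notes.append("ssl=%r is not 'yes'/'any-cert' and is ignored" % row["ssl"])
        if starttls:
            notes.append("starttls is only honoured together with ssl")
        notes.append("password crosses the internal network in clear on port %d" % port)
        return "plaintext", notes
    mode = "STARTTLS on port %d" % port if starttls else "TLS handshake on port %d" % port
    if starttls and port == 993:
        notes.append("port 993 speaks TLS immediately; STARTTLS will not work there")
    if not starttls and port == 143:
        notes.append("port 143 is plaintext until STARTTLS; an immediate handshake fails")
    if ssl == "any-cert":
        notes.append(mode + ": certificate is not verified, a MITM can present its own")
        return "tls-unverified", notes
    if not ca_trusts_dest:
        notes.append(mode + ": 'Received invalid SSL certificate' until the CA is in ssl_ca_file")
        return "tls-fails", notes
    notes.append(mode + ": chain verified; host name is still not matched against the CN")
    return "tls-verified", notes


# Constructed sample rows following the thread's queries (host is a dummy IP).
ROWS = {
    "original": {"host": "10.0.0.5", "proxy": "Y", "nopassword": "Y"},
    "starttls_only": {"host": "10.0.0.5", "proxy": "Y", "starttls": "Y"},
    "yes_selfsigned": {"host": "10.0.0.5", "proxy": "Y", "ssl": "yes", "port": "993"},
    "any_cert": {"host": "10.0.0.5", "proxy": "Y", "ssl": "any-cert", "port": "993"},
}

if __name__ == "__main__":
    for name, row in ROWS.items():
        verdict, notes = proxy_posture(row)
        print(name, "->", verdict, "|", "; ".join(notes))
    print("yes+ca ->", proxy_posture(ROWS["yes_selfsigned"], ca_trusts_dest=True)[0])
```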