[Dovecot] MS Exchange IMAP Proxy
I need to make the IMAP interface of an Exchange 2000 server available
on the net, however I would like to give it a little protection, and
believe Dovecot's IMAP proxy might be appropriate.
Does anybody have a *really simple* config that would allow IMAP
pass-through to a single Exchange server?
The examples I've seen all assume some sort of load balancing, which
isn't an issue here, so I'd like to eliminate the need for an
unnecessary database server.
Does Dovecot do any cleanup of the IMAP commands that would be useful
in protecting Exchange (from this,
http://www.cvedetails.com/cve/CVE-2007-0221/ for example), or am I
barking up the wrong tree?
If Dovecot isn't helpful for this, can anybody point me to a better resource?
Thanks!
Terry
An Exchange 2000 server is ancient. I wouldn't waste time with it unless there was no possible way to get an updated version; ie, Exchange server 2010.
-- Jerry ✌ Dovecot.user@seibercom.net
Disclaimer: off-list followups get on-list replies or get ignored. Please do not ignore the Reply-To header.
----- Message from Jerry <dovecot.user@seibercom.net> --------- Date: Wed, 30 Nov 2011 17:14:06 -0500 From: Jerry <dovecot.user@seibercom.net> Reply-To: dovecot@dovecot.org Subject: Re: [Dovecot] MS Exchange IMAP Proxy To: dovecot@dovecot.org
An Exchange 2000 server is ancient. I wouldn't waste time with it unless there was no possible way to get an updated version; ie, Exchange server 2010.
The client won't pay for an Exchange update just to support a handful
of external IMAP users.
It works perfectly well internally, using a Postfix relayhost.
Terry
If the client is inept enough to run Exchange 2000 for only a handful of users, you're probably wasting your time attempting to sanitize IMAP commands.
If your contract with them mandates that you secure their server, you'll most likely have to replace their broken software.
There are over 500 users on the server, however there are only a few
external users.
I'm really not trying to justify a business case here, I'm just trying
to get an IMAP connection.
Terry
On 30.11.2011, at 22.36, Terry Carmen wrote:
Does Dovecot do any cleanup of the IMAP commands that would be useful in protecting Exchange (from this, http://www.cvedetails.com/cve/CVE-2007-0221/ for example), or am I barking up the wrong tree?
v2.1 with imapc backend can be used to do this. There's not really documentation for it beyond this mailing list though.
----- Message from Timo Sirainen <tss@iki.fi> --------- Date: Thu, 1 Dec 2011 04:47:30 +0200 From: Timo Sirainen <tss@iki.fi> Subject: Re: [Dovecot] MS Exchange IMAP Proxy To: Terry Carmen <terry@cnysupport.com> Cc: dovecot@dovecot.org
v2.1 with imapc backend can be used to do this. There's not really documentation for it beyond this mailing list though.
I'd be happy to give it a try.
I have an absolutely dead-simple setup. All it has to do is sit
between the internet and the IMAP port on an Exchange server.
Any hints on how to set it up?
Thanks!
Terry
On 1.12.2011, at 6.03, Terry Carmen wrote:
I'd be happy to give it a try.
I have an absolutely dead-simple setup. All it has to do is sit between the internet and the IMAP port on an Exchange server.
Any hints on how to set it up?
Without SSL it works like this:
mail_location = imapc:~/imapc
imapc_host = imap.elsewhere.com
imapc_port = 143

passdb {
  driver = imap
  args = host=imap.elsewhere.com
  default_fields = userdb_imapc_user=%u userdb_imapc_password=%w
}
userdb {
  driver = prefetch
}
mail_home = /home/tss
And about other IMAP proxies: before login they provide almost comparable security to Dovecot, the main exception being that Dovecot doesn't by default allow all characters in usernames (auth_username_chars setting). Post-login all of the IMAP proxies are equivalent. But the imapc backend isn't really a proxy, so it does more:
The imapc mainly gives protection for post-login commands, which the other proxies don't even attempt to sanitize in any way. But you probably trust your authorized users enough that they won't attempt to break into your mail server. But then again, users might be running viruses and whatever other things that automate breaking into mail servers without even knowing about it (but currently that's rather rare I think).
----- Message from Timo Sirainen <tss@iki.fi> --------- Date: Fri, 2 Dec 2011 23:29:23 +0200 From: Timo Sirainen <tss@iki.fi> Subject: Re: [Dovecot] MS Exchange IMAP Proxy To: Terry Carmen <terry@cnysupport.com> Cc: dovecot@dovecot.org
Without SSL it works like this:
mail_location = imapc:~/imapc
imapc_host = imap.elsewhere.com
imapc_port = 143

passdb {
  driver = imap
  args = host=imap.elsewhere.com
  default_fields = userdb_imapc_user=%u userdb_imapc_password=%w
}
userdb {
  driver = prefetch
}
mail_home = /home/tss
My dovecot.conf file contains:
/////////////////////////////////////////
protocols = imap
listen = *, ::
mail_location = imapc:~/imapc
imapc_host = exchangeserver.example.com
imapc_port = 143

passdb {
  driver = imap
  args = host=exchangeserver.example.com
  default_fields = userdb_imapc_user=%u userdb_imapc_password=%w
}
userdb {
  driver = prefetch
}
mail_home = /home/tss
!include conf.d/*
/////////////////////////////////////////
Dovecot starts without complaints, but when I try a LOGIN, I get:
dovecot: auth: Fatal: passdb imap: Unknown parameter:
exchangeserver.example.com
in the maillog file.
Any thoughts?
Terry
OK, I'm making headway. It didn't like the config because there were
no quotes around the Exchange server's FQDN, however when I added the
quotes, I got:
Dec 2 18:26:33 host dovecot: auth: Error: imapc('exchangeserver.example.com':143): dns_lookup('exchangeserver.example.com') failed: Name or service not known
The name *does* resolve correctly using the "host" command.
I then replaced the FQDN with the Exchange server's IP address, which
works much better, but now I get:
Dec 2 18:35:09 host dovecot: imap(myusername): Error: user myusername: Couldn't drop privileges: User is missing UID (see mail_uid setting)
"myusername" is not a local user, but exists only on the exchange
server. Any thoughts?
Thanks!
Terry
On 3.12.2011, at 1.42, Terry Carmen wrote:
Dec 2 18:35:09 host dovecot: imap(myusername): Error: user myusername: Couldn't drop privileges: User is missing UID (see mail_uid setting)
"myusername" is not a local user, but exists only on the exchange server. Any thoughts?
You still need a mail user. For example you could create a "vmail" user and set mail_uid=vmail. Or whatever other user.
Several other configuration problems later . . . I'm getting much
closer, but not quite there.
The latest message is:
dovecot: imap(username): Error: user username: Initialization failed: Initializing mail storage from mail_location setting failed: Home directory not set for user. Can't expand ~/ for mail root dir in: ~/imapc
The users who will be using the proxy don't actually have any mail on
the box running dovecot and (currently) don't have any accounts or
home directories. Right now they only exist on the Exchange server.
Is there a config option I need to create/change so that Dovecot
doesn't look for a directory for each user, or does it still need one
even though the users aren't local and there won't be a mail store on
the box running dovecot?
Thanks again for all your help!
When I get this all working, I'll write up a Wiki page for it.
Terry
It's working!
I'll post a writeup on the wiki on monday.
The last problem was it seems to need a writable home directory for
mail_home even though all the mail is pass-through. This was included
in Timo's original config, although I had accidentally removed it.
In any case many thanks to Timo and everybody else who helped!
Terry
It's working beautifully!
Is there any way to get it to log failed login attempts with the
user's IP address?
I'd like to set up fail2ban to stop dictionary attacks, however even
with debugging, the most I've been able to get it to say is:
Dec 5 12:11:30 machinename dovecot: auth: Debug: client out: FAIL#0111#011user=username
Is there any possibility of getting the remote IP in there somewhere,
or is there a different setting specifically to enable logging auth
failures?
Thanks!
On 5.12.2011, at 19.16, Terry Carmen wrote:
It's working beautifully!
Is there any way to get it to log failed login attempts with the user's IP address?
auth_verbose=yes
I'd like to setup fail2ban to stop dictionary attacks, however even with debugging, the most I've been able to get it to say is:
Dec 5 12:11:30 machinename dovecot: auth: Debug: client out: FAIL#0111#011user=username
If you enabled auth_debug, it enabled auth_verbose also. So you should have those log messages. Maybe they're being logged to a different file?
----- Message from Timo Sirainen <tss@iki.fi> --------- Date: Mon, 5 Dec 2011 21:49:15 +0200 From: Timo Sirainen <tss@iki.fi> Reply-To: Dovecot Mailing List <dovecot@dovecot.org> Subject: Re: [Dovecot] MS Exchange IMAP Proxy (Logging Auth Failures?) To: Terry Carmen <terry@cnysupport.com> Cc: dovecot@dovecot.org
auth_verbose=yes
Got it.
syslog_facility = mail
auth_verbose = yes
auth_verbose_passwords = plain
auth_debug = yes
mail_debug = yes
I'm sure they're not all necessary. I was turning on all the logging I
could find. 8-)
The log looks like this:
Dec 5 15:29:49 it dovecot: auth: Debug: auth client connected (pid=12028)
Dec 5 15:30:03 it dovecot: auth: Debug: client in: AUTH#0111#011PLAIN#011service=imap#011secured#011lip=10.1.2.3#011rip=123.123.123.123#011lport=143#011rport=40816#011resp=<hidden>
Dec 5 15:30:03 it dovecot: auth: Debug: imap(username,123.123.123.123): lookup host=10.1.16.226 port=143
Dec 5 15:30:03 it dovecot: auth: Debug: imapc(10.1.2.3:143): Looking up IP address
Dec 5 15:30:03 it dovecot: auth: Debug: imapc(10.1.2.3:143): Connecting to 10.1.2.3:143
Dec 5 15:30:03 it dovecot: auth: Debug: imapc(10.1.2.3:143): Server capabilities: IMAP4 IMAP4rev1 IDLE LOGIN-REFERRALS MAILBOX-REFERRALS NAMESPACE LITERAL+ UIDPLUS CHILDREN AUTH=NTLM
Dec 5 15:30:03 it dovecot: auth: Debug: imapc(10.1.2.3:143): Authenticating as username
Dec 5 15:30:03 it dovecot: auth: Debug: imapc(10.1.16.226:143): Disconnected
Dec 5 15:30:05 it dovecot: auth: Debug: client out: FAIL#0111#011user=username
The last line *almost* gets me enough for a fail2ban filter, but not
quite, since there's no IP address.
Is there something else I can turn on?
Thanks,
Terry
"Terry Carmen" <terry@cnysupport.com> wrote on 5.12.2011 22:05:08:
...cut ...
Dec 5 15:30:05 it dovecot: auth: Debug: client out: FAIL#0111#011user=username
The last line *almost* gets me enough for a fail2ban filter, but not quite, since there's no IP address.
Is there something else I can turn on?
It's probably different for proxy, but without it and with auth_verbose = yes as suggested by Timo I get
Dec 5 15:02:32 mailstore dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<username>, method=PLAIN, rip=x.x.x.x, lip=y.y.y.y
Regards, M
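A defender-side illustration of what the thread is after (an added example, not from the thread, Dovecot or fail2ban): a small Python parser that, like a fail2ban filter, takes the client address from the info-level "Disconnected (auth failed, N attempts)" line Miha quoted and ignores the debug-level "client out: FAIL" line, which carries no IP. The log lines are constructed samples modelled on those two formats; that imap-login logs the same shape as pop3-login is an assumption.

```python
import re
from collections import Counter

# Constructed sample log lines, modelled on the formats quoted in this thread:
# the info-level "Disconnected (auth failed ...)" line (carries rip=) and the
# debug-level "client out: FAIL" line, which names no client address at all.
SAMPLE_LOG = """\
Dec 5 15:02:32 mailstore dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<alice>, method=PLAIN, rip=198.51.100.7, lip=10.1.2.3
Dec 5 15:02:40 mailstore dovecot: imap-login: Disconnected (auth failed, 3 attempts): user=<bob>, method=PLAIN, rip=198.51.100.7, lip=10.1.2.3
Dec 5 15:03:01 mailstore dovecot: auth: Debug: client out: FAIL#0111#011user=carol
Dec 5 15:03:12 mailstore dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<dave>, method=PLAIN, rip=203.0.113.9, lip=10.1.2.3
Dec 5 15:03:30 mailstore dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.1, lip=10.1.2.3, mpid=12277, TLS
"""

# Matches the info-level failure line. "attempts" is the count Dovecot reports
# for that one connection, so a single line can stand for several bad passwords.
# imap-login is assumed to use the same shape as the pop3-login line on the page.
AUTH_FAIL_RE = re.compile(
    r"dovecot: (?:imap|pop3)-login: Disconnected \(auth failed, (?P<attempts>\d+) attempts\): "
    r"user=<(?P<user>[^>]*)>, method=(?P<method>\S+), rip=(?P<rip>[0-9a-fA-F.:]+)"
)


def parse_auth_failures(log_text):
    """Yield (rip, user, attempts) for every failure line that names a client IP.

    Debug-level FAIL lines never match because they carry no rip= field, which
    is exactly why they cannot feed a ban decision.
    """
    for line in log_text.splitlines():
        m = AUTH_FAIL_RE.search(line)
        if m:
            yield m.group("rip"), m.group("user"), int(m.group("attempts"))


def failures_per_ip(log_text):
    """Sum failed attempts per remote IP, the way a fail2ban filter would."""
    counts = Counter()
    for rip, _user, attempts in parse_auth_failures(log_text):
        counts[rip] += attempts
    return counts


def offenders(log_text, maxretry=3):
    """Return, sorted, the IPs whose failed attempts reach the ban threshold."""
    return sorted(ip for ip, n in failures_per_ip(log_text).items() if n >= maxretry)


if __name__ == "__main__":
    print(dict(failures_per_ip(SAMPLE_LOG)))
    print(offenders(SAMPLE_LOG))
```

The FAIL line for "carol" contributes nothing because there is no address to attribute it to, which is the gap the later replies in the thread close by pointing at the info-level log.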
----- Message from Timo Sirainen <tss@iki.fi> --------- Date: Mon, 5 Dec 2011 23:24:23 +0200 From: Timo Sirainen <tss@iki.fi> Reply-To: Dovecot Mailing List <dovecot@dovecot.org> Subject: Re: [Dovecot] MS Exchange IMAP Proxy (Logging Auth Failures?) To: Terry Carmen <terry@cnysupport.com> Cc: dovecot@dovecot.org
On 5.12.2011, at 23.05, Terry Carmen wrote:
The log looks like this: ..
All of the lines are "debug" level. Find the "info" log. "doveadm
log find" usually finds it for you.
[root@server conf.d]# doveadm log find
Looking for log files from /var/log
Debug: /var/log/maillog
Info: /var/log/maillog
Warning: /var/log/maillog
Error: /var/log/maillog
Fatal: /var/log/maillog
The successful logins look good. For example:
Dec 5 17:01:50 it dovecot: imap-login: Login: user=<username>, method=PLAIN, rip=123.123.123.123, lip=10.1.2.3, mpid=12277, TLS
However there's nothing similar for the failed logins:
Dec 5 17:01:36 it dovecot: auth: Debug: imapc(10.1.2.3:143): Authenticating as username
Dec 5 17:01:36 it dovecot: auth: Debug: imapc(10.1.2.3:143): Disconnected
Dec 5 17:01:38 it dovecot: auth: Debug: client out: FAIL#0111#011user=username
Dec 5 17:01:46 it dovecot: auth: Debug: client in: AUTH#0112#011PLAIN#011service=imap#011secured#011lip=10.1.20.52#011rip=123.123.123.123#011lport=143#011rport=41748#011resp=<hidden>
I checked lib-imap-client/imapc-connection.c and found where the
"Authenticating as" message comes from, but don't see anyplace where the
I believe I found the section of code that does the imapc
authentication, but don't see anyplace where auth failures are logged:
Any thoughts?
Terry
On 6.12.2011, at 0.39, Terry Carmen wrote:
I checked lib-imap-client/imapc-connection.c and found where the "Authenticating as" message comes from, but don't see anyplace where the
I believe I found the section of code that does the imapc authentication, but don't see anyplace where auth failures are logged:
Oh, right, passdb imapc doesn't log about failed authentication. I'll add it tomorrow.
----- Message from Timo Sirainen <tss@iki.fi> --------- Date: Tue, 6 Dec 2011 00:48:02 +0200 From: Timo Sirainen <tss@iki.fi> Subject: Re: [Dovecot] MS Exchange IMAP Proxy (Logging Auth Failures?) To: Terry Carmen <terry@cnysupport.com> Cc: dovecot@dovecot.org
Oh, right, passdb imapc doesn't log about failed authentication. I'll add it tomorrow.
That's awesome!
I really, really appreciate your help.
Terry
On 3.12.2011, at 18.10, Terry Carmen wrote:
I'll post a writeup on the wiki on monday.
I moved it to http://wiki2.dovecot.org/HowTo/ImapcProxy
Thanks!
I didn't realize I was in the wrong wiki.
Terry
On 11/30/2011 2:36 PM, Terry Carmen wrote:
If Dovecot isn't helpful for this, can anybody point me to a better resource?
Look into the SM IMAP Proxy. It was designed for a different purpose, but may work well for your scenario:
http://imapproxy.org/index.html
-- Stan
Thanks! I'll take a look.
Terry
----- Message from Stan Hoeppner <stan@hardwarefreak.com> --------- Date: Wed, 30 Nov 2011 22:44:35 -0600 From: Stan Hoeppner <stan@hardwarefreak.com> Reply-To: stan@hardwarefreak.com Subject: Re: [Dovecot] MS Exchange IMAP Proxy To: dovecot@dovecot.org
Look into the SM IMAP Proxy. It was designed for a different purpose, but may work well for your scenario:
http://imapproxy.org/index.html
-- Stan
----- End message from Stan Hoeppner <stan@hardwarefreak.com> -----
-- Terry Carmen CNY Support, LLC https://www.cnysupport.com
Terry Carmen <terry@cnysupport.com> (Wed 30 Nov 2011 21:36:46 CET):
useful in protecting Exchange (from this, http://www.cvedetails.com/cve/CVE-2007-0221/ for example), or am I barking up the wrong tree?
If Dovecot isn't helpful for this, can anybody point me to a better resource?
Some time ago we used "perdition", but I do not know if it has sanitizing features beyond just being a proxy for the IMAP protocol.
-- Heiko :: dresden : linux : SCHLITTERMANN.de GPG Key 48D0359B : 3061 CFBF 2D88 F034 E8D2 7E92 EE4E AC98 48D0 359B
participants (7): Dovecot-GDH, Heiko Schlittermann, Jerry, Miha Vrhovnik, Stan Hoeppner, Terry Carmen, Timo Sirainen