[Dovecot] IMAP SSL proxy (questions)
Hello everyone,
I have seen: http://wiki.dovecot.org/HowTo/ImapProxy. It doesn't seem to fit what I need.
Unfortunately, I cannot use TLS. I have to use SSL. Also, I would rather not duplicate the certificates for the IMAP servers. Hence nginx doesn't seem to be a good choice either.
I am hoping that since SSL has a "Client Hello" which specifies the site requested, the following could be done:
Client -> Proxy [SYN]
Proxy -> Client [SYN, ACK]
Client -> Proxy [ACK]
Client -> Proxy [SSL With "Client Hello", having server_name in Extension: server_name and sub-fields]
Proxy sees intended host
Proxy <-> Intended Server [SYN/SYN+ACK/ACK sequence]
Proxy -> Intended Server [Replay SSL/Client Hello]
Client <-> Proxy <-> Intended Server (Proxy is a non-decrypting Man-in-the-Middle, just acting as a pseudo-invisible relay)
I know that something somewhat like this works because this is how Apache can do virtual hosts with SSL. Of course, it acts as the end point intended server, not a proxy. I believe it is also somewhat how Squid does SSL proxying, although I could be entirely wrong.
Is this possible? Can this be implemented in dovecot? If not, does anyone know of such a project? The proxy needs to not have any exploitable holes and really only needs to understand enough SSL to get the server_name, pass through the connection, replaying the Client Hello, and then know when to shut the connection.
Just as a brief example, the use I have for this now is that I have several IMAP servers which all have IPv6 addresses, but have to share an IPv4 address. For the SMTP side of things, this works well for all incoming email. (As an aside, does anyone know of a similar setup for SSL traffic on port 465, SSL for SMTP?)
Thank you for any help, Trever
Am 08.05.2013 18:04, schrieb Trever L. Adams:
Is this possible? Can this be implemented in dovecot? If not, does anyone know of such a project? The proxy needs to not have any exploitable holes and really only needs to understand enough SSL to get the server_name, pass through the connection, replaying the Client Hello, and then know when to shut the connection.
it is a broken idea
IMAP/POP3/SMTP is not a website with different contents; you need ONE certificate and ONE server-name and you are done
in case of dovecot as proxy you do not need SSL at all on the backend servers if they are not accessed via WAN
At 10AM -0600 on 8/05/13 you (Trever L. Adams) wrote:
Hello everyone,
I have seen: http://wiki.dovecot.org/HowTo/ImapProxy. It doesn't seem to fit what I need.
That page is for Dovecot 1.x, which is obsolete. You should be reading http://wiki2.dovecot.org/PasswordDatabase/ExtraFields/Proxy .
Unfortunately, I cannot use TLS. I have to use SSL. Also, I would rather not duplicate the certificates for the IMAP servers. Hence nginx doesn't seem to be a good choice either.
I am hoping that since SSL has a "Client Hello" which specifies the site requested, the following could be done:
Client -> Proxy [SYN]
Proxy -> Client [SYN, ACK]
Client -> Proxy [ACK]
Client -> Proxy [SSL With "Client Hello", having server_name in Extension: server_name and sub-fields]
Do you have any evidence that common IMAP clients support sending SNI? I've just checked, and mutt (for example) appears not to.
Proxy sees intended host
Proxy <-> Intended Server [SYN/SYN+ACK/ACK sequence]
Proxy -> Intended Server [Replay SSL/Client Hello]
Client <-> Proxy <-> Intended Server (Proxy is a non-decrypting Man-in-the-Middle, just acting as a pseudo-invisible relay)
I know that something somewhat like this works because this is how Apache can do virtual hosts with SSL. Of course, it acts as the end point intended server, not a proxy. I believe it is also somewhat how Squid does SSL proxying, although I could be entirely wrong.
More importantly, it only works with clients (browsers) which are new enough to send SNI. If you use, for instance, any version of IE on Windows XP, it will not work.
Is this possible? Can this be implemented in dovecot?
I don't believe so.
If not, does anyone know of such a project? The proxy needs to not have any exploitable holes and really only needs to understand enough SSL to get the server_name, pass through the connection, replaying the Client Hello, and then know when to shut the connection.
Just as a brief example, the use I have for this now is that I have several IMAP servers which all have IPv6 addresses, but have to share an IPv4 address. For the SMTP side of things, this works well for all incoming email. (As an aside, does anyone know of a similar setup for SSL traffic on port 465, SSL for SMTP?)
Similarly, I doubt this is possible for SMTP either, since the clients probably won't send SNI.
Ben
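The proposal above amounts to reading the server_name extension out of the TLS ClientHello before any decryption, and Ben's objection is that many mail clients never send it. The following is an added example (not code from the thread or from Dovecot) that builds a constructed ClientHello, extracts the SNI name with bounds checks, and shows the routing decision falling back to a configured default when the extension is absent; the backend addresses are made-up placeholders.

```python
import struct

def build_client_hello(server_name=None):
    """Constructed minimal TLS 1.2 ClientHello record (sample data, not a real capture)."""
    body = b"\x03\x03" + bytes(32)          # client_version + 32-byte random
    body += b"\x00"                          # session_id length 0
    body += b"\x00\x02\x00\x2f"              # cipher_suites: one suite
    body += b"\x01\x00"                      # compression_methods: null only
    if server_name is not None:
        name = server_name.encode("ascii")
        sni_list = b"\x00" + struct.pack("!H", len(name)) + name      # host_name entry
        sni_ext = struct.pack("!HHH", 0x0000, len(sni_list) + 2, len(sni_list)) + sni_list
        body += struct.pack("!H", len(sni_ext)) + sni_ext           # extensions block
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body           # handshake: ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs        # record: handshake type

def extract_sni(record):
    """Return the host_name from a ClientHello record, or None if absent or malformed."""
    try:
        if record[0] != 0x16:                                   # not a TLS handshake record
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if len(hs) < 4 or hs[0] != 0x01:                        # not a ClientHello
            return None
        pos = 4 + 2 + 32                                        # header, version, random
        pos += 1 + hs[pos]                                      # session_id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]      # cipher_suites
        pos += 1 + hs[pos]                                      # compression_methods
        if pos + 2 > len(hs):                                   # no extensions at all
            return None
        end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            data = hs[pos:pos + elen]
            if etype == 0 and len(data) >= 5 and data[2] == 0:  # server_name, host_name type
                nlen = struct.unpack("!H", data[3:5])[0]
                return data[5:5 + nlen].decode("ascii", "replace")
            pos += elen
    except (IndexError, struct.error):
        return None
    return None

def choose_backend(record, backends, fallback=None):
    """Pick a backend by SNI; clients without SNI (mutt, K-9) get the fallback."""
    name = extract_sni(record)
    return backends.get(name, fallback) if name else fallback
```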
On Wed, 2013-05-08 at 20:57 +0100, Ben Morrow wrote:
More importantly, it only works with clients (browsers) which are new enough to send SNI. If you use, for instance, any version of IE on Windows XP, it will not work.
Even old linux clients since 2006 (oldest copies of galeon and epiphany I have access to) have been SNI capable (even lynx) - M$ don't care and will not fix it, preferring you pay them hundreds of dollars and buy win7/8 instead.
On 05/08/2013 01:57 PM, Ben Morrow wrote:
At 10AM -0600 on 8/05/13 you (Trever L. Adams) wrote:
Hello everyone,
I have seen: http://wiki.dovecot.org/HowTo/ImapProxy. It doesn't seem to fit what I need.
That page is for Dovecot 1.x, which is obsolete. You should be reading http://wiki2.dovecot.org/PasswordDatabase/ExtraFields/Proxy .
Unfortunately, I cannot use TLS. I have to use SSL. Also, I would rather not duplicate the certificates for the IMAP servers. Hence nginx doesn't seem to be a good choice either.
I am hoping that since SSL has a "Client Hello" which specifies the site requested, the following could be done:
Client -> Proxy [SYN]
Proxy -> Client [SYN, ACK]
Client -> Proxy [ACK]
Client -> Proxy [SSL With "Client Hello", having server_name in Extension: server_name and sub-fields]
Do you have any evidence that common IMAP clients support sending SNI? I've just checked, and mutt (for example) appears not to.
Proxy sees intended host
Proxy <-> Intended Server [SYN/SYN+ACK/ACK sequence]
Proxy -> Intended Server [Replay SSL/Client Hello]
Client <-> Proxy <-> Intended Server (Proxy is a non-decrypting Man-in-the-Middle, just acting as a pseudo-invisible relay)
I know that something somewhat like this works because this is how Apache can do virtual hosts with SSL. Of course, it acts as the end point intended server, not a proxy. I believe it is also somewhat how Squid does SSL proxying, although I could be entirely wrong.
More importantly, it only works with clients (browsers) which are new enough to send SNI. If you use, for instance, any version of IE on Windows XP, it will not work.
Is this possible? Can this be implemented in dovecot?
I don't believe so.
If not, does anyone know of such a project? The proxy needs to not have any exploitable holes and really only needs to understand enough SSL to get the server_name, pass through the connection, replaying the Client Hello, and then know when to shut the connection.
Just as a brief example, the use I have for this now is that I have several IMAP servers which all have IPv6 addresses, but have to share an IPv4 address. For the SMTP side of things, this works well for all incoming email. (As an aside, does anyone know of a similar setup for SSL traffic on port 465, SSL for SMTP?)
Similarly, I doubt this is possible for SMTP either, since the clients probably won't send SNI.
Ben
Thank you Ben and Noel for your responses! I know Thunderbird on Linux sends it. Right now my targets would be Thunderbird, K9 Mail and Android Mail on Android, and Apple Mail and whatever the equivalent is on iOS. I will investigate K9 and Android later (as I have access to those). I do not have access to the Apple ones at the moment.
K-9 on my Droid X2 does not support SNI.
Trever
On 9.5.2013, at 15.04, Trever L. Adams <trever@middleearth.sapphiresunday.org> wrote:
Thank you Ben and Noel for your responses! I know Thunderbird on Linux sends it. Right now my targets would be Thunderbird, K9 Mail and Android Mail on Android, and Apple Mail and whatever the equivalent is on iOS. I will investigate K9 and Android later (as I have access to those). I do not have access to the Apple ones at the moment.
It would be useful to track these. I started a wiki page, everyone please update: http://wiki2.dovecot.org/SSL/SNIClientSupport
participants (5)
- Ben Morrow
- Noel Butler
- Reindl Harald
- Timo Sirainen
- Trever L. Adams