[Dovecot] IMAP SSL proxy (questions)

Ben Morrow ben at morrow.me.uk
Wed May 8 22:57:33 EEST 2013


At 10AM -0600 on  8/05/13 you (Trever L. Adams) wrote:
> Hello everyone,
> 
> I have seen: http://wiki.dovecot.org/HowTo/ImapProxy. It doesn't seem to
> fit what I need.

That page is for Dovecot 1.x, which is obsolete. You should be reading
http://wiki2.dovecot.org/PasswordDatabase/ExtraFields/Proxy .

> Unfortunately, I cannot use TLS. I have to use SSL. Also, I would rather
> not duplicate the certificates for the IMAP servers. Hence nginx doesn't
> seem to be a good choice either.
> 
> I am hoping that since SSL has "Client Hello" which specifies the site
> requested the following could be done:
> 
> Client - > Proxy [SYN]
> Proxy -> Client [SYN, ACK]
> Client -> Proxy [ACK]
> Client -> Proxy [SSL With "Client Hello", having server_name in
> Extension: server_name and sub-fields]

Do you have any evidence that common IMAP clients support sending SNI?
I've just checked, and mutt (for example) appears not to.

>               Proxy sees intended host
>               Proxy <-> Intended Server [SYN/SYN+ACK/ACK sequence]
>               Proxy -> Intended Server [Replay SSL/Client Hello]
> Client <-> Proxy <-> Intended Server (Proxy is non decrypting
> Man-in-the-Middle, just acting as a pseudo-invisible relay)
> 
> I know that something somewhat like this works because this is how
> Apache can do virtual hosts with SSL. Of course, it acts as the end
> point intended server, not a proxy. I believe it is also somewhat how
> Squid does SSL proxying, although I could be entirely wrong.

More importantly, it only works with clients (browsers) which are new
enough to send SNI. If you use, for instance, any version of IE on
Windows XP, it will not work.

> Is this possible? Can this be implemented in dovecot?

I don't believe so. 

> If not, does anyone know of such a project. Proxy needs to not have
> any exploitable holes and really only needs to understand enough SSL
> to get the server_name, pass through the connection, replaying Client
> Hello, and then knowing when to shut the connection.
> 
> Just as a brief example, the use I have for this now is that I have
> several imap servers which all have IPv6 addresses, but have to share an
> IPv4 address. For the SMTP side of things, this works well for all incoming
> email. (As an aside, does anyone know of a similar setup for SSL traffic
> on port 465 SSL for SMTP?)

Similarly, I doubt this is possible for SMTP either, since the clients
probably won't send SNI.

Ben


