Re: Mail Client --> intermediate host --> stunnel (?) --> imaps server

Matt Morgan writes:


> Am I right that stunnel won't work this way? If so, what do I really
> want to be doing, in order to get this to work? Squid? Basically, we
> just want a way to route the entire IMAPS connection through the
> intermediary server on the DMZ.

There are a couple of ways to do that.  First of all, you should be able to
mess around with iptables and get connections to the imaps port on your
so-called “intermediary” server forwarded to your real server.  I don't
have the actual details there; you should be able to dig the magic
incantations out of iptables' documentation.  In this case your IMAP server
should have an SSL certificate whose CN matches the DNS name of your
intermediary server, because the IMAP clients think that's who they are
connecting to, so the CNs must match, even though the connections get kicked
over.  Also, you might lose some logging on the IMAP server, because it will
not see the connecting client's IP address; it will see all connections as
coming from the intermediary server.

Another way to do this is to install an IMAP proxy on your intermediary
server.  It's going to accept imaps connections (and your SSL cert will be
installed on the intermediary server itself), then turn around and forward
those connections to your real IMAP server.  There's very little benefit in
encrypting the proxied connection on your LAN, so the forwarded connection
can be non-encrypted.

> I'll also gladly entertain commentary on this question: is what I'm
> trying to do--forwarding traffic through the intermediary
> server--actually more secure than just opening IMAPS from the outside
> to the inside?

An encrypted IMAP connection is always more “secure” than an unencrypted one.
Whether the connection terminates directly, or you forward it to some other
server, is a secondary issue.

There is certainly a distinct benefit to running a stripped firewall server
on the boundary, which proxies all incoming connections to another server on
a local LAN.  Your IMAP server probably has lots of other stuff running.
It's better to keep it walled off from unwanted outside contact, and have a
bare-bones server doing firewalling duties.  You'll have more control over
what ports the firewall server has open.
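The two approaches in the reply above, written out as an added example (not part of the original message): a generator for the iptables DNAT rules of the first option, and a stunnel configuration for the second. The addresses, hostnames and certificate paths are constructed placeholders; the SNAT rule is the part that makes the internal IMAP server log every connection as coming from the intermediary, which is the logging loss the reply mentions.

```bash
#!/bin/sh
# Added example, not from the original post.  Placeholder addresses:
DMZ_IP="192.0.2.10"     # intermediary host on the DMZ, reachable from outside
IMAP_IP="10.0.0.5"      # real IMAP server on the LAN

# Option 1: forward TCP 993 in the kernel with iptables.  The rules are
# printed rather than applied so they can be reviewed; pipe to 'sh' as root
# to apply.  With SNAT the return path no longer depends on the IMAP
# server's routing table, but the IMAP server then sees $dmz as the source
# of every connection, so per-client logging on it is lost.
imaps_dnat_rules() {
  dmz="$1"; imap="$2"
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -d $dmz -p tcp --dport 993 -j DNAT --to-destination $imap:993
iptables -A FORWARD -d $imap -p tcp --dport 993 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -s $imap -p tcp --sport 993 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -d $imap -p tcp --dport 993 -j SNAT --to-source $dmz
EOF
}

# Option 2: terminate TLS on the intermediary with stunnel and hand plain
# IMAP (TCP 143) to the LAN server.  The certificate installed here must
# carry the name the clients connect to.  Paths are assumptions.
stunnel_imaps_conf() {
  imap="$1"
  cat <<EOF
cert = /etc/stunnel/imaps.pem
key = /etc/stunnel/imaps.key
setuid = nobody
pid = /var/run/stunnel.pid

[imaps]
accept = 993
connect = $imap:143
EOF
}

# Print both so they can be inspected before anything touches the firewall.
imaps_dnat_rules "$DMZ_IP" "$IMAP_IP"
echo
stunnel_imaps_conf "$IMAP_IP"
```

Only one of the two is needed on the intermediary; with option 2 the IMAP server's own certificate is no longer presented to outside clients, so it can stay LAN-only.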


