Matt Morgan writes:
Am I right that stunnel won't work this way? If so, what do I really want to be doing, in order to get this to work? Squid? Basically, we just want a way to route the entire IMAPS connection through the intermediary server on the DMZ.
There are a couple of ways to do that. First of all, you should be able to mess around with iptables and get connections to the imaps port on your so-called “intermediary” server forwarded to your real server. I don't have the actual details there, you should be able to dig the magic incantations out of iptables' documentation. In this case your IMAP server should have an SSL certificate whose CN matches the DNS name of your intermediary server, because the IMAP clients think that's who they are connecting to, so the CNs must match, even though the connections get kicked over. Also, you might lose some logging on the IMAP server, because it will not see the connecting client's IP address, it will see all connections as coming from the intermediary server. Another way to do this is to install an IMAP proxy on your intermediary server. It's going to accept imaps connections (and your SSL cert will be installed on the intermediary server itself), then turn around and forward those connections to your real IMAP server. There's very little benefit in encrypting the proxied connection on your LAN, so the forwarded connection can be non-encrypted.
I'll also gladly entertain commentary on this question: is what I'm trying to do--forwarding traffic through the intermediary server--actually more secure than just opening IMAPS from the outside to the inside?
An encrypted IMAP connection is always more “secure” than an unencrypted one. Whether the connection terminates directly, or you forward it to some other server, is a secondary issue. There is certainly a distinct benefit to running a stripped firewall server on the boundary, which proxies all incoming connections to another server on a local LAN. Your IMAP server probably has lots of other stuff running. It's better to keep it walled off from unwanted outside contact, and have a bare-bones server doing firewalling duties. You'll have more control over what ports the firewall server has open.
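As an added example (not from the original thread), the iptables side of the first approach above: a script that generates, and optionally applies, the rules that make a DMZ host forward inbound IMAPS (tcp/993) to the real IMAP server, using hypothetical values eth0 for the outside interface and 10.0.0.25 for the internal server. It also makes the logging caveat concrete: the MASQUERADE rule is only needed when the IMAP server does not route its replies back through the DMZ host, and it is exactly what makes every connection appear to come from the intermediary.

```shell
#!/bin/sh
# Added example, not from the original thread. Hypothetical values: eth0 is the
# DMZ host's outside interface, 10.0.0.25 is the real IMAP server on the LAN.
EXT_IF="${EXT_IF:-eth0}"
IMAP_SERVER="${IMAP_SERVER:-10.0.0.25}"
IMAPS_PORT=993

# Emit the ruleset in iptables-restore(8) format. Argument "yes" adds a
# MASQUERADE rule for the forwarded connection; use it only when the IMAP
# server's return path does not go through this host. With it, the IMAP
# server logs every client as the DMZ host's address; without it, the real
# client address is preserved.
imaps_forward_rules() {
    snat="$1"
    cat <<EOF
*nat
-A PREROUTING -i $EXT_IF -p tcp --dport $IMAPS_PORT -j DNAT --to-destination $IMAP_SERVER:$IMAPS_PORT
EOF
    if [ "$snat" = "yes" ]; then
        echo "-A POSTROUTING -p tcp -d $IMAP_SERVER --dport $IMAPS_PORT -j MASQUERADE"
    fi
    # FORWARD sees the reply before the DNAT is undone, so it still carries
    # the IMAP server's own address and port as source.
    cat <<EOF
COMMIT
*filter
-A FORWARD -i $EXT_IF -p tcp -d $IMAP_SERVER --dport $IMAPS_PORT -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A FORWARD -o $EXT_IF -p tcp -s $IMAP_SERVER --sport $IMAPS_PORT -m conntrack --ctstate ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# Sanity check: the DNAT target and both FORWARD directions must name the
# IMAP server (3 rules), plus the MASQUERADE rule when SNAT is requested (4).
count_server_rules() {
    imaps_forward_rules "$1" | grep -c -- "$IMAP_SERVER"
}

# Apply only when asked for explicitly and running as root; otherwise just
# print the ruleset so it can be reviewed first. --noflush leaves the host's
# other rules alone.
if [ "${APPLY:-no}" = "yes" ] && [ "$(id -u)" = "0" ]; then
    sysctl -w net.ipv4.ip_forward=1
    imaps_forward_rules "${SNAT_CLIENTS:-no}" | iptables-restore --noflush
else
    imaps_forward_rules "${SNAT_CLIENTS:-no}"
fi
```

Run as `APPLY=yes sh forward-imaps.sh` on the DMZ host to load the rules; add `SNAT_CLIENTS=yes` only if the IMAP server's default route does not point back at that host.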