On 7/5/05, Sam Varshavchik <mrsam@xxxxxxxxxxxxxxx> wrote:
> Matt Morgan writes:
>
> > Am I right that stunnel won't work this way? If so, what do I really
> > want to be doing, in order to get this to work? Squid? Basically, we
> > just want a way to route the entire IMAPS connection through the
> > intermediary server on the DMZ.
>
> There are a couple of ways to do that. First of all, you should be able to
> mess around with iptables and get connections to the imaps port on your
> so-called "intermediary" server forwarded to your real server. I don't
> have the actual details there, you should be able to dig out the magic
> incantations out of iptables' documentation. In this case your IMAP server
> should have an SSL certificate whose CN matches the DNS name of your
> intermediary server, because the IMAP clients think that's who they are
> connecting to, so the CNs must match, even though the connections get kicked
> over. Also, you might lose some logging on the IMAP server, because it will
> not see the connecting client's IP address, it will see all connections as
> coming from the intermediary server.
>
> Another way to do this is to install an IMAP proxy on your intermediary
> server. It's going to accept imaps connections (and your SSL cert will be
> installed on the intermediary server itself), then turn around and forward
> those connections to your real IMAP server. There's very little benefit in
> encrypting the proxied connection of your LAN, so the forwarded connection
> can be non-encrypted.

Thanks! This sounds like the way we'd want to do it. Is IMAP proxying
something Courier can do, or is an IMAP proxy something different?

[snipped remainder]
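The second option in the quoted reply (accept imaps on the intermediary host with the certificate installed there, then forward unencrypted to the real server), shown as a protocol-agnostic TLS-terminating relay that also logs the client address the backend can no longer see. This is an added example, not part of the thread and not Courier's code; the certificate paths, the backend address 192.0.2.10 and every function name are assumptions.

```python
import asyncio
import logging
import ssl

log = logging.getLogger("imaps-relay")

async def _pump(reader, writer):
    # Copy bytes one way until EOF, then close the side being written to.
    try:
        while data := await reader.read(65536):
            writer.write(data)
            await writer.drain()
    except (ConnectionError, ssl.SSLError):
        pass  # peer went away mid-transfer
    finally:
        writer.close()

def make_handler(backend_host, backend_port):
    async def handle(client_r, client_w):
        # The backend sees only this host's address, so the real client
        # address has to be recorded here.
        peer = client_w.get_extra_info("peername")
        log.info("client %s -> %s:%s", peer, backend_host, backend_port)
        try:
            backend_r, backend_w = await asyncio.open_connection(backend_host, backend_port)
        except OSError as exc:
            log.error("backend unreachable for %s: %s", peer, exc)
            client_w.close()
            return
        await asyncio.gather(_pump(client_r, backend_w), _pump(backend_r, client_w))
    return handle

def server_tls_context(cert_file, key_file):
    # Certificate whose name matches the intermediary host's DNS name.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(cert_file, key_file)
    return ctx

async def start_relay(listen_host, listen_port, backend_host, backend_port, tls=None):
    return await asyncio.start_server(make_handler(backend_host, backend_port), listen_host, listen_port, ssl=tls)

if __name__ == "__main__":
    async def main():
        tls = server_tls_context("/etc/ssl/dmz-host.pem", "/etc/ssl/dmz-host.key")  # placeholder paths
        srv = await start_relay("0.0.0.0", 993, "192.0.2.10", 143, tls)  # placeholder backend
        async with srv:
            await srv.serve_forever()
    logging.basicConfig(level=logging.INFO)
    asyncio.run(main())
```

Because the relay only copies bytes, it does not parse IMAP; an IMAP-aware proxy could additionally route by login name.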