Mail Client --> intermediate host --> stunnel (?) --> imaps server

Sam Varshavchik mrsam at courier-mta.com
Tue Jul 5 20:03:31 UTC 2005


Matt Morgan writes:


> Am I right that stunnel won't work this way? If so, what do I really
> want to be doing, in order to get this to work? Squid? Basically, we
> just want a way to route the entire IMAPS connection through the
> intermediary server on the DMZ.

There are a couple of ways to do that.  First of all, you should be able to 
mess around with iptables and get connections to the imaps port on your 
so-called “intermediary” server forwarded to your real server.  I don't 
have the actual details there, you should be able to dig out the magic 
incantations out of iptables' documentation.  In this case your IMAP server 
should have an SSL certificate whose CN matches the DNS name of your 
intermediary server, because the IMAP clients think that's who they are 
connecting to, so the CNs must match, even though the connections get kicked 
over.  Also, you might lose some logging on the IMAP server, because it will 
not see the connecting client's IP address, it will see all connections as 
coming from the intermediary server.

Another way to do this is to install an IMAP proxy on your intermediary 
server.  It's going to accept imaps connections (and your SSL cert will be 
installed on the intermediary server itself), then turn around and forward 
those connections to your real IMAP server.  There's very little benefit in 
encrypting the proxied connection on your LAN, so the forwarded connection 
can be non-encrypted.

> I'll also gladly entertain commentary on this question: is what I'm
> trying to do--forwarding traffic through the intermediary
> server--actually more secure than just opening IMAPS from the outside
> to the inside?

An encrypted IMAP connection is always more “secure” than an unencrypted one. 
Whether the connection terminates directly, or you forward it to some other 
server, is a secondary issue.

There is certainly a distinct benefit to running a stripped firewall server 
on the boundary, which proxies all incoming connections to another server on 
a local LAN.  Your IMAP server probably has lots of other stuff running.  
It's better to keep it walled off from unwanted outside contact, and have a 
bare-bones server doing firewalling duties.  You'll have more control over 
what ports the firewall server has open.
