On 05/08/2013 01:57 PM, Ben Morrow wrote:
> At 10AM -0600 on 8/05/13 you (Trever L. Adams) wrote:
>> Hello everyone,
>>
>> I have seen: http://wiki.dovecot.org/HowTo/ImapProxy. It doesn't seem to
>> fit what I need.
> That page is for Dovecot 1.x, which is obsolete. You should be reading
> http://wiki2.dovecot.org/PasswordDatabase/ExtraFields/Proxy .
>
>> Unfortunately, I cannot use TLS. I have to use SSL. Also, I would rather
>> not duplicate the certificates for the IMAP servers. Hence nginx doesn't
>> seem to be a good choice either.
>>
>> I am hoping that since SSL has "Client Hello" which specifies the site
>> requested the following could be done:
>>
>> Client -> Proxy [SYN]
>> Proxy -> Client [SYN, ACK]
>> Client -> Proxy [ACK]
>> Client -> Proxy [SSL With "Client Hello", having server_name in
>> Extension: server_name and sub-fields]
> Do you have any evidence that common IMAP clients support sending SNI?
> I've just checked, and mutt (for example) appears not to.
>
>> Proxy sees intended host
>> Proxy <-> Intended Server [SYN/SYN+ACK/ACK sequence]
>> Proxy -> Intended Server [Replay SSL/Client Hello]
>> Client <-> Proxy <-> Intended Server (Proxy is non-decrypting
>> Man-in-the-Middle, just acting as a pseudo-invisible relay)
>>
>> I know that something somewhat like this works because this is how
>> Apache can do virtual hosts with SSL. Of course, it acts as the end
>> point intended server, not a proxy. I believe it is also somewhat how
>> Squid does SSL proxying, although I could be entirely wrong.
> More importantly, it only works with clients (browsers) which are new
> enough to send SNI. If you use, for instance, any version of IE on
> Windows XP, it will not work.
>
>> Is this possible? Can this be implemented in dovecot?
> I don't believe so.
>
>> If not, does anyone know of such a project. Proxy needs to not have
>> any exploitable holes and really only needs to understand enough SSL
>> to get the server_name, pass through the connection, replaying Client
>> Hello, and then knowing when to shut the connection.
>>
>> Just as a brief example, the use I have for this now is that I have
>> several imap servers which all have IPv6 addresses, but have to share an
>> IPv4 address. For the SMTP side of things, this works well for all incoming
>> email. (As an aside, does anyone know of a similar setup for SSL traffic
>> on port 465 SSL for SMTP?)
> Similarly, I doubt this is possible for SMTP either, since the clients
> probably won't send SNI.
>
> Ben
>

Thank you Ben and Noel for your responses! I know Thunderbird on Linux
sends it. Right now my targets would be Thunderbird, K9 Mail and Android
Mail on Android, and Apple Mail and whatever the equivalent is on iOS. I
will investigate K9 and Android later (as I have access to those). I do
not have access to the Apple ones at the moment.

K-9 on my Droid X2 does not support SNI.

Trever