File: README.ssl

up-imapproxy 1.2.8~svn20171105-2
First, if you're using imapproxy with SSL, you have Ken Murchison to thank
for that.  He added this feature.

imapproxy only supports TLS between the proxy server and the real IMAP
server.  It does not support TLS between a client (usually webmail) and the
proxy server.  The idea here is that you can run the IMAP proxy on the same
machine as your webserver.  If you're using TLS to your webserver, the
webserver can then send plaintext auth to the proxy without the password ever
crossing the network, then the proxy can use TLS to the IMAP server.

The proxy only negotiates TLS when the real IMAP server forces it to, by
advertising LOGINDISABLED in its capability string, unless force_tls is
enabled in the configuration file.

imapproxy does not support the deprecated notion of imaps using port 993.  It
only supports the use of the STARTTLS command to initiate SSL/TLS from within
a regular IMAP connection (do NOT set the "server_port" setting in
imapproxy.conf to 993!).  However, keep reading...

If you are trying to proxy to an IMAP server that is only available using
imaps/port 993 (e.g., Gmail), you can set up an SSL tunnel (check out stunnel)
to that server and let imapproxy talk to the local (plaintext) end of that
tunnel (in which case, no SSL setup is required for imapproxy).

Here are the options related to SSL configuration:
tls_ca_file        Path to CA file
tls_ca_path        Path to CA directory
tls_cert_file      Path to client certificate file
tls_key_file       Path to client private key
tls_verify_server  Enforce server certificate validation (default is false)
tls_ciphers        Specify cipher suite as documented in openssl_ciphers(1)
tls_no_tlsv1       Disable TLSv1.0 (default is false)
tls_no_tlsv1.1     Disable TLSv1.1 (default is false)
tls_no_tlsv1.2     Disable TLSv1.2 (default is false)
force_tls          Force TLS usage (default is false)
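The STARTTLS decision described above and the options just listed, modelled as a small Python client-side helper. This is an added example, not imapproxy's own code: TlsConfig's field names and defaults, the "refuse" outcome and the cumulative reading of the tls_no_* flags are assumptions; the greeting string is constructed.

```python
import ssl
from dataclasses import dataclass
from typing import Optional, Set

@dataclass
class TlsConfig:  # the README's options as a struct; names and defaults are assumptions
    force_tls: bool = False
    tls_verify_server: bool = False
    tls_ca_file: Optional[str] = None
    tls_ca_path: Optional[str] = None
    tls_cert_file: Optional[str] = None
    tls_key_file: Optional[str] = None
    tls_no_tlsv1: bool = False
    tls_no_tlsv1_1: bool = False
    tls_no_tlsv1_2: bool = False

def parse_capabilities(line: str) -> Set[str]:
    """Tokens from a '* CAPABILITY ...' reply or a '* OK [CAPABILITY ...]' greeting."""
    text = line.strip()
    idx = text.upper().find("CAPABILITY")
    if idx < 0:
        return set()
    text = text[idx + len("CAPABILITY"):].split("]", 1)[0]  # stop at the end of a response code
    return {tok.upper() for tok in text.split()}

def plan_login(caps: Set[str], cfg: TlsConfig) -> str:
    """README rule: TLS only when LOGINDISABLED is advertised, unless force_tls ('refuse' is assumed)."""
    if cfg.force_tls or "LOGINDISABLED" in caps:
        return "starttls" if "STARTTLS" in caps else "refuse"  # never send the password in clear
    return "plaintext"

def build_context(cfg: TlsConfig) -> ssl.SSLContext:
    """Client-side context for the STARTTLS upgrade the options describe (never port 993)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if cfg.tls_verify_server:
        ctx.check_hostname, ctx.verify_mode = True, ssl.CERT_REQUIRED
        if cfg.tls_ca_file or cfg.tls_ca_path:
            ctx.load_verify_locations(cafile=cfg.tls_ca_file, capath=cfg.tls_ca_path)
        else:
            ctx.load_default_certs()
    else:  # README default: any certificate is accepted, so only passive sniffing is stopped
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    if cfg.tls_cert_file:  # client certificate the proxy presents to the IMAP server
        ctx.load_cert_chain(cfg.tls_cert_file, cfg.tls_key_file)
    floors = [(cfg.tls_no_tlsv1, ssl.TLSVersion.TLSv1_1), (cfg.tls_no_tlsv1_1, ssl.TLSVersion.TLSv1_2),
              (cfg.tls_no_tlsv1_2, ssl.TLSVersion.TLSv1_3)]  # assumes the flags are used cumulatively
    floor = max((v for flag, v in floors if flag), default=None)
    if floor is not None and floor > ctx.minimum_version:  # only ever raise the protocol floor
        ctx.minimum_version = floor
    return ctx
```

With the defaults, build_context() yields a context that encrypts but does not authenticate the IMAP server; set tls_verify_server together with tls_ca_file or tls_ca_path to get certificate validation.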


I haven't had time to write my own SSL tutorial (and I might never) but you
can find a wealth of information here:

http://www.sendmail.org/~ca/email/starttls.html


Steve Lidie from lehigh.edu contributed the following information
that should help you along, also:

The only change I found necessary was in the OpenSSL configuration file:

# diff openssl.cnf~ openssl.cnf
37c37
< dir           = ./demoCA              # Where everything is kept
---
> dir           = .             # Where everything is kept
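Review bot: setting "dir = ." makes every path in openssl.cnf relative to the current working directory, so "openssl ca" only finds serial, index.txt and newcerts/ when it is run from inside the CA directory; that is why each of the steps that follow begins with "cd CA". An absolute path, such as the /usr/local/etc/CA/ that the imapproxy configuration lines at the end of this file already use, would remove that dependency and let the signing step be run from anywhere.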

Copied here verbatim are the required steps:

To make certificate authority:

 mkdir CA
 cd CA
 mkdir certs crl newcerts private
 echo "01" > serial
 cp /dev/null index.txt
 cp /usr/local/openssl/openssl.cnf.sample openssl.cnf
 vi openssl.cnf   (set values)
 openssl req -new -x509 -keyout private/cakey.pem -out cacert.pem -days 365 -config openssl.cnf

To make a new certificate:

 cd CA        (same directory created above)
 openssl req -nodes -new -x509 -keyout newreq.pem -out newreq.pem -days 365 -config openssl.cnf

Certificate and private key in file newreq.pem.
To sign new certificate with certificate authority:

 cd CA        (same directory created above)
 openssl x509 -x509toreq -in newreq.pem -signkey newreq.pem -out tmp.pem
 openssl ca -config openssl.cnf -policy policy_anything -out newcert.pem -infiles tmp.pem
 rm -f tmp.pem

newcert.pem contains the signed certificate, newreq.pem still
contains the unsigned certificate and private key.

The resulting imapproxy.config lines then look like this:

tls_ca_path   /usr/local/etc/CA/
tls_ca_file   /usr/local/etc/CA/cacert.pem
tls_cert_file /usr/local/etc/CA/newcert.pem
tls_key_file  /usr/local/etc/CA/newreq.pem