[Cialug] E-mail proxy needed?

Daniel A. Ramaley daniel.ramaley at drake.edu
Thu Oct 26 21:46:35 UTC 2017


I have an odd e-mail problem. At work i use these e-mail servers:
	smtp.drake.edu
	pop.drake.edu
	imap.drake.edu

We outsourced e-mail to MS Office 365 a while back, so each of those is a
CNAME for Microsoft's pool of servers. My e-mail client, Thunderbird,
doesn't like the SSL certificates because it is configured with
*.drake.edu names but those resolve to *.office365.com names and
certificates. But that's no problem, i can just add an exception as a
one-time operation since i know the situation is OK.

The problem is that Microsoft seems to make some sort of change to their
SSL certificate every few months. But they don't change the entire pool
in an atomic operation; it can take a week or three. So the certificate
that i had told Thunderbird to accept changes, so i have to re-accept
it. But the next time i check my mail and Thunderbird talks to a
different pool member, it sees the old certificate. So i have to accept
that one again (Thunderbird seems to only like 1 exception per name?).
The result is that many times per day i have to deal with the dialog to
accept the certificate. For testing purposes i tried configuring
Thunderbird to go to the IP of one of the servers that the CNAME
resolves to, but even that doesn't work (maybe those public IPs are
actually load balancers that go to the pool of actual servers?).

Any ideas how to work around this?

I'm thinking if i could set up a proxy for the protocols i use, and if
that proxy doesn't care about the certificates, that that would work.
Basically, run a local proxy and it would strip out the SSL for me so
Thunderbird never sees the server certificate. If anyone has a better
idea, that'd be great though since i realize this idea has some minor
security implications; i'd be ignoring the certificates. But that is not
*really* much of a difference; the security dialog pops up so often now
that i'm accustomed to just doing the clicks to make it go away as
quickly as possible without actually reading it. If this is really the
best/only idea, any suggestions on what SMTP and POP3 proxies i should
look at? I've set up HTTP and FTP proxies before, but not SMTP and POP3.

I did look a bit for Thunderbird plugins to work around the issue, but
came up empty.

__
Daniel Ramaley | Server Engineer 2
Information Technology Services | Drake University
T: +1-515-271-4540
W: http://its.drake.edu/
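
A small model of the situation described in the message above, added here as an illustration; it is not part of the original post and not Thunderbird's code. It assumes the client keeps one stored exception per configured host name, as the poster suspects; the fingerprints and the name pool.office365.com are constructed.

```python
# Constructed model: certificate name checking against the *configured* host
# name, plus a per-host exception store, during a staggered certificate rollout.

def name_matches(pattern, host):
    """Simplified RFC 6125-style match: '*' may only be the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False          # a wildcard never spans more than one label
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def cert_valid_for(host, sans):
    """The client compares the name the user typed, not the CNAME target."""
    return any(name_matches(s, host) for s in sans)

def count_prompts(host, connections, exceptions_per_host=1):
    """Count certificate dialogs for a series of (fingerprint, sans) connections."""
    accepted = []             # stored exceptions for this host, newest last
    prompts = 0
    for fingerprint, sans in connections:
        if cert_valid_for(host, sans) or fingerprint in accepted:
            continue          # name matches, or this exact cert was accepted
        prompts += 1          # user has to click through the dialog
        accepted.append(fingerprint)
        accepted = accepted[-exceptions_per_host:]   # older exceptions fall out
    return prompts

# Constructed sample data: both certificates carry the provider's wildcard name.
SANS = ["*.office365.com"]
OLD = ("fp-old (constructed)", SANS)
NEW = ("fp-new (constructed)", SANS)
# Pool members answering in mixed order while the rollout is in progress.
ROLLOUT = [OLD, NEW, OLD, OLD, NEW, OLD, NEW, NEW]

if __name__ == "__main__":
    for host in ("imap.drake.edu", "pool.office365.com"):
        print(host, "valid:", cert_valid_for(host, SANS),
              "prompts:", count_prompts(host, ROLLOUT))
    print("two exceptions kept:", count_prompts("imap.drake.edu", ROLLOUT, 2))
```

In this model the prompts disappear only when the configured name is one the certificate actually covers; keeping more exceptions reduces the dialogs but leaves the name mismatch in place.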

