[Cialug] E-mail proxy needed?

Guy Helmer ghelmer at palisadesystems.com
Thu Oct 26 22:13:14 UTC 2017 

Hi, Daniel,

stunnel can be setup to proxy pop3 and smtp protocols, among others, using the “protocol=“ configuration. You could probably set it up to be relatively secure by expecting office365 domain names in the server certificates, and validate the certs using a CApath setting to the /etc/ssl/certs/ dir.
 I’m not sure how conveniently stunnel can be setup for long-term use, though.

Guy

> On Oct 26, 2017, at 4:46 PM, Daniel A. Ramaley <daniel.ramaley at drake.edu> wrote:
> 
> I have an odd e-mail problem. At work i use these e-mail servers:
> 	smtp.drake.edu
> 	pop.drake.edu
> 	imap.drake.edu
> 
> We outsourced e-mail to MS Office 365 awhile back, so each of those are
> CNAMEs for Microsoft's pool of servers. My e-mail client, Thunderbird,
> doesn't like the SSL certificates because it is configured with
> *.drake.edu names but those resolve to *.office365.com names and
> certificates. But that's no problem, i can just add an exception as a
> one-time operation since i know the situation is OK.
> 
> The problem is that Microsoft seems to make some sort of change to their
> SSL certificate every few months. But they don't change the entire pool
> in an atomic operation; it can take a week or three. So the certificate
> that i had told Thunderbird to accept changes, so i have to re-accept
> it. But the next time i check my mail and Thunderbird talks to a
> different pool member, it sees the old certificate. So i have to accept
> that one again (Thunderbird seems to only like 1 exception per name?).
> The result is that many times per day i have to deal with the dialog to
> accept the certificate. For testing purposes i tried configuring
> Thunderbird to go to the IP of one of the servers that the CNAME
> resolves to, but even that doesn't work (maybe those public IPs are
> actually load balancers that go to the pool of actual servers?).
> 
> Any ideas how to work around this?
> 
> I'm thinking if i could set up a proxy for the protocols i use, and if
> that proxy doesn't care about the certificates, that that would work.
> Basically, run a local proxy and it would strip out the SSL for me so
> Thunderbird never sees the server certificate. If anyone has a better
> idea, that'd be great though since i realize this idea has some minor
> security implications; i'd be ignoring the certificates. But that is not
> *really* much of a difference; the security dialog pops up so often now
> that i'm accustomed to just doing the clicks to make it go away as
> quickly as possible without actually reading it. If this is really the
> best/only idea, any suggestions on what SMTP and POP3 proxies i should
> look at? I've set up HTTP and FTP proxies before, but not SMTP and POP3.
> 
> I did look a bit for Thunderbird plugins to work around the issue, but
> came up empty.
> 
> __
> Daniel Ramaley | Server Engineer 2
> Information Technology Services | Drake University
> T: +1-515-271-4540
> W: http://its.drake.edu/
> _______________________________________________
> Cialug mailing list
> Cialug at cialug.org
> http://cialug.org/mailman/listinfo/cialug

More information about the Cialug mailing list