[Cialug] E-mail proxy needed?

Brett Neese brneese at brneese.com
Mon Oct 30 19:26:15 UTC 2017


Are you sure you can't just update the IMAP servers to use the
*.office365.com names?

Brett Neese
563-210-3459


On Mon, Oct 30, 2017 at 12:15 PM, Daniel A. Ramaley <
daniel.ramaley at drake.edu> wrote:

> I might give that a try, thanks for the idea. Stunnel in daemon mode
> should hopefully work OK; once it is configured i'd expect it to be like
> most other software and for it to not break.
>
> --Dan
>
> On 2017-10-26 17:13, Guy Helmer wrote:
> > Hi, Daniel,
> >
> > stunnel can be set up to proxy pop3 and smtp protocols, among others,
> > using the “protocol=” configuration. You could probably set it up to
> > be relatively secure by expecting office365 domain names in the
> > server certificates, and validate the certs using a CApath setting to
> > the /etc/ssl/certs/ dir. I’m not sure how conveniently stunnel can be
> > set up for long-term use, though.
> >
> > Guy
> >
> >> On Oct 26, 2017, at 4:46 PM, Daniel A. Ramaley
> >> <daniel.ramaley at drake.edu> wrote:
> >>
> >> I have an odd e-mail problem. At work i use these e-mail servers:
> >> smtp.drake.edu pop.drake.edu imap.drake.edu
> >>
> >> We outsourced e-mail to MS Office 365 awhile back, so each of those
> >> are CNAMEs for Microsoft's pool of servers. My e-mail client,
> >> Thunderbird, doesn't like the SSL certificates because it is
> >> configured with *.drake.edu names but those resolve to
> >> *.office365.com names and certificates. But that's no problem, i
> >> can just add an exception as a one-time operation since i know the
> >> situation is OK.
> >>
> >> The problem is that Microsoft seems to make some sort of change to
> >> their SSL certificate every few months. But they don't change the
> >> entire pool in an atomic operation; it can take a week or three. So
> >> the certificate that i had told Thunderbird to accept changes, so i
> >> have to re-accept it. But the next time i check my mail and
> >> Thunderbird talks to a different pool member, it sees the old
> >> certificate. So i have to accept that one again (Thunderbird seems
> >> to only like 1 exception per name?). The result is that many times
> >> per day i have to deal with the dialog to accept the certificate.
> >> For testing purposes i tried configuring Thunderbird to go to the
> >> IP of one of the servers that the CNAME resolves to, but even that
> >> doesn't work (maybe those public IPs are actually load balancers
> >> that go to the pool of actual servers?).
> >>
> >> Any ideas how to work around this?
> >>
> >> I'm thinking if i could set up a proxy for the protocols i use, and
> >> if that proxy doesn't care about the certificates, that that would
> >> work. Basically, run a local proxy and it would strip out the SSL
> >> for me so Thunderbird never sees the server certificate. If anyone
> >> has a better idea, that'd be great though since i realize this idea
> >> has some minor security implications; i'd be ignoring the
> >> certificates. But that is not *really* much of a difference; the
> >> security dialog pops up so often now that i'm accustomed to just
> >> doing the clicks to make it go away as quickly as possible without
> >> actually reading it. If this is really the best/only idea, any
> >> suggestions on what SMTP and POP3 proxies i should look at? I've
> >> set up HTTP and FTP proxies before, but not SMTP and POP3.
> >>
> >> I did look a bit for Thunderbird plugins to work around the issue,
> >> but came up empty.
> >>
> >> __
> >> Daniel Ramaley | Server Engineer 2
> >> Information Technology Services | Drake University
> >> T: +1-515-271-4540
> >> W: http://its.drake.edu/
> >> _______________________________________________
> >> Cialug mailing list
> >> Cialug at cialug.org
> >> http://cialug.org/mailman/listinfo/cialug
> >
> >
>
> __
> Daniel Ramaley | Server Engineer 2
> Information Technology Services | Drake University
> T: +1-515-271-4540
> W: http://its.drake.edu/
>
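
The stunnel setup Guy describes (client-mode proxy, certificates validated against /etc/ssl/certs and pinned to an office365 name), sketched as an added example that is not part of the original thread. The upstream hostnames, local ports, and file name are assumptions; substitute the names the drake.edu CNAMEs actually resolve to. Option names are those of stunnel 5.x.

```ini
; /etc/stunnel/mail.conf  (hypothetical file name)
; stunnel does NOT verify the peer certificate unless told to, so a config
; without verifyChain/checkHost is the "proxy that doesn't care about the
; certificates" from the original question. Each service below sets both.

; Run as a daemon.
foreground = no

; POP3 over implicit TLS. Thunderbird is pointed at 127.0.0.1:1110 with
; connection security "None"; stunnel adds TLS on the way out.
[pop3s-out]
client = yes
; Loopback only, so the plaintext hop never leaves the machine. Other local
; users on a shared host could still connect to this port.
accept = 127.0.0.1:1110
; Assumed upstream name; use the CNAME target for pop.drake.edu.
connect = outlook.office365.com:995
; Build the chain from the system trust store (hashed directory).
CApath = /etc/ssl/certs
verifyChain = yes
; Reject any certificate that is valid but issued for a different name.
checkHost = outlook.office365.com

; SMTP submission with STARTTLS. "protocol = smtp" makes stunnel perform the
; STARTTLS negotiation itself before handing the session to Thunderbird.
[smtp-out]
client = yes
accept = 127.0.0.1:1587
; Assumed upstream name; use the CNAME target for smtp.drake.edu.
connect = smtp.office365.com:587
protocol = smtp
CApath = /etc/ssl/certs
verifyChain = yes
checkHost = smtp.office365.com
```

Because validation is done against the CA chain and the hostname rather than a single accepted certificate, a staggered certificate rollout across the server pool does not break the connection as long as each new certificate is still issued for the expected name.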

