Did you have the CA for your Exchange box stored
on the Perdition system? I recall at least on my RedHat
boxes I had to put a copy in place, e.g.
ssl_ca_file /etc/perdition/perdition.ca.pem
It is preferred to have the users connect to the
open port (143) and then require TLS negotiation.
Tiz wrote:
I am trying to proxy secure imap on port 993 from my Solaris 10 perdition sun
box to Microsoft Exchange's secure imap port and cannot seem to get it to work.
I currently have perdition running on 992 for a proxy to my sendmail server
running regular imap on 143. Perdition offers the SSL certs and does the
forwarding based on a mysql table. This setup is working fine...
For the exchange server I am a little lost.
Here is the config...
outgoing_server 10.XXX.XXX.XXX
log_facility /var/log/perdition.imap4s.log
no_lookup
timeout 40
imap_capability "IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA ACL ACL2=UNION STARTTLS"
ssl_mode tls_listen,tls_listen_force
ssl_cert_file /etc/perdition/perdition.crt.pem
ssl_key_file /etc/perdition/perdition.key.pem
pid_file /var/run/perdition.imap4s/perdition.imap4s.pid
debug
no_daemon
...but actually I am floundering on this part.
I was hoping for some understanding on what my options are for this proxy
connecting to exchange server 2007.
1. Can I set up just a plain jane pass through on the proxy and push the traffic
to the exchange server? Is this sane? Examples? Is it worth trying just to see
if it works?
2. Can I offer certs on the proxy, then talk SSL from the proxy to the exchange
server? Does anyone have an example of how to do that?
3. Should I turn down secure imap on the server and let the proxy handle the certs?
Regs
-Tiz
______________________________________________
Perdition-users mailing list
Perdition-users(a)vergenet.net
http://lists.vergenet.net/listinfo/perdition-user
After some trial and error I was able to get secure imap to my exchange server
limping...
Here is the modified config.
outgoing_server 10.XXX.XXX.XXX
log_facility /var/log/perdition.imap4s.log
no_lookup
timeout 40
imap_capability "IMAP4 IMAP4rev1 AUTH=NTLM AUTH=GSSAPI IDLE NAMESPACE LITERAL+"
ssl_mode ssl_all
ssl_cert_file /etc/perdition/perdition.crt.pem
ssl_key_file /etc/perdition/perdition.key.pem
pid_file /var/run/perdition.imap4s/perdition.imap4s.pid
ssl_no_cert_verify
ssl_no_cn_verify
#debug
#connection_logging
#no_daemon
listen_port 993
outgoing_port 993
server_resp_line
I noticed the log complaining that it cannot make the ssl connection to the
exchange server. Dang - I wish I knew more about certs to get that working OK.
There must be a way to get some client certs on the proxy to talk to the
exchange server.
I think I am bypassing outbound cert checks with ssl_no_cert_verify &
ssl_no_cn_verify.
So testing from the iphone, the user accepts the cert from the proxy and is
never asked for a cert again.
Regs
-Tiz
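Added example, not part of the original thread and not Perdition project code: a small check that reads a config in the format posted above and reports what protects the proxy-to-Exchange leg, which is where ssl_ca_file, ssl_no_cert_verify and ssl_no_cn_verify apply. The function names are hypothetical, the sample is constructed from the follow-up config, and treating any ssl_mode value containing "_all" or "_outgoing" as enabling outbound TLS is an assumption.

```python
# Constructed sample: the follow-up config from the thread, trimmed to the
# TLS-relevant options. The wrapped imap_capability value is kept on purpose.
SAMPLE = '''\
outgoing_server 10.XXX.XXX.XXX
imap_capability "IMAP4 IMAP4rev1 AUTH=NTLM AUTH=GSSAPI IDLE NAMESPACE
LITERAL+"
ssl_mode ssl_all
ssl_cert_file /etc/perdition/perdition.crt.pem
ssl_no_cert_verify
ssl_no_cn_verify
#debug
outgoing_port 993
'''

def parse_conf(text):
    """Return {option: value or True}. Skips '#' lines, joins wrapped quoted values."""
    opts, pending = {}, ""
    for raw in text.splitlines():
        line = (pending + " " + raw.strip()).strip()
        if not pending and (not line or line.startswith("#")):
            continue
        if line.count('"') % 2:      # unbalanced quote: value continues on next line
            pending = line
            continue
        pending = ""
        parts = line.split(None, 1)
        opts[parts[0]] = parts[1].strip().strip('"') if len(parts) > 1 else True
    return opts

def audit_backend_tls(opts):
    """Findings for the proxy-to-real-server connection only (not the client side)."""
    modes = [m.strip() for m in str(opts.get("ssl_mode", "")).split(",")]
    # Assumption: only modes named *_all* or *_outgoing* encrypt the backend leg.
    if not any("_all" in m or "_outgoing" in m for m in modes):
        return ["backend leg is not encrypted: ssl_mode has no outgoing/all mode"]
    findings = []
    if "ssl_no_cert_verify" in opts:
        findings.append("ssl_no_cert_verify: backend certificate is not verified")
    if "ssl_no_cn_verify" in opts:
        findings.append("ssl_no_cn_verify: backend certificate name is not checked")
    if "ssl_ca_file" not in opts:
        findings.append("no ssl_ca_file: no CA set to verify the backend certificate")
    return findings

if __name__ == "__main__":
    for finding in audit_backend_tls(parse_conf(SAMPLE)):
        print("WARN", finding)
```

With ssl_ca_file pointing at the Exchange server's CA and both ssl_no_* lines removed, the same check returns no findings.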