5 Aug
2008
5 Aug
'08
10 p.m.
I am trying to proxy secure imap on port 993 from my Solaris 10 perdition sun
box to Microsoft Exchanges secure imap port and cannot seem to get it to work.
I currently I have perdition running on a 992 for a proxy to my sendmail server
running regular imap on 143. Perdition offers the SSL certs and does the
forwarding based on a mysql table. This setup is working fine...
For the exchange server I am a little lost.
Here is the config...
outgoing_server 10.XXX.XXX.XXX
log_facility /var/log/perdition.imap4s.log
no_lookup
timeout 40
imap_capability "IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT
THREAD=REFERENCES SORT QUOTA ACL ACL2=UNION
STARTTLS"
ssl_mode tls_listen,tls_listen_force
ssl_cert_file /etc/perdition/perdition.crt.pem
ssl_key_file /etc/perdition/perdition.key.pem
pid_file /var/run/perdition.imap4s/perdition.imap4s.pid
debug
no_daemon
...but actually I am floundering on this part.
I was hoping for some understanding on what my options are for this proxy
connecting to exchange server 2007.
1. Can I setup just a plain jane pass through on the proxy and push the traffic
to the exchange server? Is this sane? Examples? Is worth trying just to see
if it works?
2. Can I offer certs on the proxy, then talk SSL from the proxy to the exchange
server? Does anyone have an example of how to do that?
3. Should I turn down secure imap on the server and let the proxy handle the certs?
Regs
-Tiz
6 Aug
6 Aug
9:19 p.m.
New subject: Exchange Server 2007 and perdition proxy config
Tiz wrote:
I am trying to proxy secure imap on port 993 from my
Solaris 10 perdition sun
box to Microsoft Exchanges secure imap port and cannot seem to get it to work.
I currently I have perdition running on a 992 for a proxy to my sendmail server
running regular imap on 143. Perdition offers the SSL certs and does the
forwarding based on a mysql table. This setup is working fine...
For the exchange server I am a little lost.
Here is the config...
outgoing_server 10.XXX.XXX.XXX
log_facility /var/log/perdition.imap4s.log
no_lookup
timeout 40
imap_capability "IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT
THREAD=REFERENCES SORT QUOTA ACL ACL2=UNION
STARTTLS"
ssl_mode tls_listen,tls_listen_force
ssl_cert_file /etc/perdition/perdition.crt.pem
ssl_key_file /etc/perdition/perdition.key.pem
pid_file /var/run/perdition.imap4s/perdition.imap4s.pid
debug
no_daemon
...but actually I am floundering on this part.
I was hoping for some understanding on what my options are for this proxy
connecting to exchange server 2007.
1. Can I setup just a plain jane pass through on the proxy and push the traffic
to the exchange server? Is this sane? Examples? Is worth trying just to see
if it works?
2. Can I offer certs on the proxy, then talk SSL from the proxy to the exchange
server? Does anyone have an example of how to do that?
3. Should I turn down secure imap on the server and let the proxy handle the certs?
Regs
-Tiz
______________________________________________
Perdition-users mailing list
Perdition-users(a)vergenet.net
http://lists.vergenet.net/listinfo/perdition-user
After some trial and error I was able to get secure imap my exchange server
limping...
Here is the modified config.
outgoing_server 10.XXX.XXX.XXX
log_facility /var/log/perdition.imap4s.log
no_lookup
timeout 40
imap_capability "IMAP4 IMAP4rev1 AUTH=NTLM AUTH=GSSAPI IDLE NAMESPACE LITERAL+"
ssl_mode ssl_all
ssl_cert_file /etc/perdition/perdition.crt.pem
ssl_key_file /etc/perdition/perdition.key.pem
pid_file /var/run/perdition.imap4s/perdition.imap4s.pid
ssl_no_cert_verify
ssl_no_cn_verify
#debug
#connection_logging
#no_daemon
listen_port 993
outgoing_port 993
server_resp_line
I noticed the log complaining that it cannot make the ssl connection to the
exchange server. Dang - I wish I knew more about certs to get that working OK.
There must be a way to get some client certs on the proxy to talk to the
exchange server.
I think I am bypassing outbound cert checks with ssl_no_cert_verify &
ssl_no_cn_verify.
So testing from the iphone, the users accepts the cert from the proxy and is
never asked for a cert again.
Regs
-Tiz
10:34 p.m.
New subject: Exchange Server 2007 and perdition proxy config
Did you have the CA for your Exchange box stored
on the Perdition system? I recall at least on my RedHat
boxes I had to put a copy in place, e.g.
ssl_ca_file /etc/perdition/perdition.ca.pem
It is preferred to have the users connect to the
open port (143) and then require TLS negotiation.
Tiz wrote:
Tiz wrote:
I am trying to proxy secure imap on port 993 from
my Solaris 10 perdition sun
box to Microsoft Exchanges secure imap port and cannot seem to get it to work.
I currently I have perdition running on a 992 for a proxy to my sendmail server
running regular imap on 143. Perdition offers the SSL certs and does the
forwarding based on a mysql table. This setup is working fine...
For the exchange server I am a little lost.
Here is the config...
outgoing_server 10.XXX.XXX.XXX
log_facility /var/log/perdition.imap4s.log
no_lookup
timeout 40
imap_capability "IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT
THREAD=REFERENCES SORT QUOTA ACL ACL2=UNION
STARTTLS"
ssl_mode tls_listen,tls_listen_force
ssl_cert_file /etc/perdition/perdition.crt.pem
ssl_key_file /etc/perdition/perdition.key.pem
pid_file /var/run/perdition.imap4s/perdition.imap4s.pid
debug
no_daemon
...but actually I am floundering on this part.
I was hoping for some understanding on what my options are for this proxy
connecting to exchange server 2007.
1. Can I setup just a plain jane pass through on the proxy and push the traffic
to the exchange server? Is this sane? Examples? Is worth trying just to see
if it works?
2. Can I offer certs on the proxy, then talk SSL from the proxy to the exchange
server? Does anyone have an example of how to do that?
3. Should I turn down secure imap on the server and let the proxy handle the certs?
Regs
-Tiz
______________________________________________
Perdition-users mailing list
Perdition-users(a)vergenet.net
http://lists.vergenet.net/listinfo/perdition-user
After some trial and error I was able to get secure imap my exchange server
limping...
Here is the modified config.
outgoing_server 10.XXX.XXX.XXX
log_facility /var/log/perdition.imap4s.log
no_lookup
timeout 40
imap_capability "IMAP4 IMAP4rev1 AUTH=NTLM AUTH=GSSAPI IDLE NAMESPACE
LITERAL+"
ssl_mode ssl_all
ssl_cert_file /etc/perdition/perdition.crt.pem
ssl_key_file /etc/perdition/perdition.key.pem
pid_file /var/run/perdition.imap4s/perdition.imap4s.pid
ssl_no_cert_verify
ssl_no_cn_verify
#debug
#connection_logging
#no_daemon
listen_port 993
outgoing_port 993
server_resp_line
I noticed the log complaining that it cannot make the ssl connection to the
exchange server. Dang - I wish I knew more about certs to get that working OK.
There must be a way to get some client certs on the proxy to talk to the
exchange server.
I think I am bypassing outbound cert checks with ssl_no_cert_verify &
ssl_no_cn_verify.
So testing from the iphone, the users accepts the cert from the proxy and is
never asked for a cert again.
Regs
-Tiz
______________________________________________
Perdition-users mailing list
Perdition-users(a)vergenet.net
http://lists.vergenet.net/listinfo/perdition-users
11:09 p.m.
New subject: Exchange Server 2007 and perdition proxy config
On 08/06/2008 Vincent Fox wrote:
Did you have the CA for your Exchange box stored
on the Perdition system? I recall at least on my RedHat
boxes I had to put a copy in place, e.g.
ssl_ca_file /etc/perdition/perdition.ca.pem
I did try copying the Exchange CA file to the perdition machine but I was lost
when trying to convert the key to the pem format. The debug showed me that I
was accessing the key, but the connection to the exchange server fell down.
It is preferred to have the users connect to the
open port (143) and then require TLS negotiation.
[ munch ]
For wireless devices too? In that scheme I guess the TLS negotiation happens
before the password is sent?
A little harder to config on the iphones. They want SSL on 993. Then they fall
back to no SSL if the SSL validation fails. I don't think there is a way to
configure them for TLS.
Regs
-Dean
5752
days inactive
5753
days old
3 comments
3 participants
participants (3)
-
Tiz -
Tiz -
Vincent Fox