Friday, November 22, 2019

How to Proxy SSL IMAP/POP3/SMTP using HAProxy and Dovecot+Postfix

This post shows how to configure a mail proxy server to connect clients in an intranet to an external mail server. I will use SSL offloading method since the mail proxy server is owned by the same company that's running the main mail server therefore decrypting the data on the proxy server and encrypting them again is not a security concern.

HAProxy - Dovecot configuration

I use HAProxy on the VPS Proxy server to proxy SSL IMAP/POP3/SMTP protocols to the main mail server. The main server is using Dovecot/Postfix to run email service.

First, install HAProxy on the VPS proxy server, generate a valid SSL for its hostname and configure haproxy to proxy IMAP/POP3/SMTP SSL ports to the main mail server :

listen main-pop3
  bind :995 ssl crt /etc/letsencrypt/live/HOSTNAME/fullchainkey.pem no-sslv3
  mode tcp
  balance first
  stick store-request src
  stick-table type ip size 200k expire 15m
  server s1 MAINHOST.FQDN:10110 send-proxy-v2 ssl verify required ca-file ca-certificates.crt

 listen main-imap
  bind :993 ssl crt /etc/letsencrypt/live/HOSTNAME/fullchainkey.pem no-sslv3
  mode tcp
  balance first
  stick store-request src
  stick-table type ip size 200k expire 15m
  server s1 MAINHOST.FQDN:10143 send-proxy-v2 ssl verify required ca-file ca-certificates.crt

 listen main-smtp
  bind :465 ssl crt /etc/letsencrypt/live/HOSTNAME/fullchainkey.pem no-sslv3
  mode tcp
  stick store-request src
  stick-table type ip size 200k expire 15m
  server s1 MAINHOST.FQDN:10465 send-proxy-v2 ssl verify required ca-file ca-certificates.crt

/etc/letsencrypt/live/HOSTNAME/fullchainkey.pem is a valid certificate generated for the VPS Proxy hostname and it should contain both private key and certificate.

MAINHOST.FQDN is the full hostname of the main mail server, and haproxy is connecting to it securely (send-proxy-v2 ssl) and verifying its SSL against ca-certificates.crt file.

Now, on the main mail server side, we need to configure dovecot to listed on the custom ports for haproxy (10110, 10143, 10465) . Dovecot added support for haproxy since version 2.2.19. We open separate ports for haproxy and enable haproxy in the listeners which will allow dovecot to get the correct data of clients from haproxy server. Add the following code to /etc/dovecot/conf.d/haproxy.conf on the main mail server:

haproxy_trusted_networks = VPS.PROXY.IP/32
service pop3-login {
   inet_listener pop3_haproxy {
     port = 10110
     haproxy = yes
     ssl = yes
   }
}
service imap-login {
  inet_listener imap_haproxy {
    port = 10143
    haproxy = yes
    ssl = yes
  }
}
service submission-login {
  inet_listener submission {
    port = 10465
    haproxy = yes
    ssl = yes
  }
}
submission_relay_host = localhost
submission_relay_port = 25
submission_relay_trusted = yes
submission_client_workarounds = whitespace-before-path

Note that we are not sending queries from haproxy directly to postfix, instead we use submission listener of dovecot to authenticate clients in a similar way as imap/pop3 protocols. To enable submission service, you need to add submission in the list of protocols in dovecot.conf file : 

protocols = imap pop3 submission

Dovecot receives emails on port 10465 from haproxy, authenticate clients using its configured settings, and then send them to submission_relay_host which is postfix in this case. Postfix is running on the same machine as dovecot on port 25. We need to configure postfix to accept XCLIENT data that dovecot sends to it. (Xclient contains data of client that haproxy sends to dovecot). We set dovecot to send the real data of client to postfix by setting submission_relay_trusted = yes in its config file. We also need to set postfix to accept this data from dovecot by adding the following line to /etc/postfix/main.cf file : 

smtpd_authorized_xclient_hosts = 127.0.0.1

Now, clients in a restricted network can connect securely to the VPS proxy server. This Proxy server receives data from clients and sends them securely to the main mail server.

The line submission_client_workarounds = whitespace-before-path is required in configuration of dovecot submission for Microsoft outlook to work properly. I was getting the following error in Microsoft outlook 2016 before setting this variable :

Sending reported error (0x800CCC78): Cannot send the message. Verify the e-mail address in your account properties. The server responded: 501 5.5.4 Invalid FROM: Unexpected whitespace before path

at

2 comments:

  1. AlekzJune 25, 2020 at 8:30 PM

    But dovecot installation? postfix? ... :(

    ReplyDelete
  2. Dagar MagarDecember 23, 2020 at 11:39 AM

    I haven’t checked in here for a while since I thought pirate proxy was getting boring, but the last several posts are good quality so I guess I will add you back to my everyday bloglist.

    ReplyDelete

Subscribe to: Post Comments (Atom)

How to disable Debian 12 sleep on production servers

 Debian 12 has power saver enabled by default which causes your server to go to sleep if there is no mouse / keyboard interaction. To resolv...