[Cialug] E-mail proxy needed?

Daniel A. Ramaley daniel.ramaley at drake.edu
Mon Oct 30 19:15:22 UTC 2017


I might give that a try, thanks for the idea. Stunnel in daemon mode
should hopefully work OK; once it is configured i'd expect it to be like
most other software and for it to not break.

--Dan

On 2017-10-26 17:13, Guy Helmer wrote:
> Hi, Daniel,
> 
> stunnel can be set up to proxy pop3 and smtp protocols, among others,
> using the "protocol=" configuration. You could probably set it up to
> be relatively secure by expecting office365 domain names in the
> server certificates, and validate the certs using a CApath setting to
> the /etc/ssl/certs/ dir. I'm not sure how conveniently stunnel can be
> set up for long-term use, though.
> 
> Guy
> 
>> On Oct 26, 2017, at 4:46 PM, Daniel A. Ramaley
>> <daniel.ramaley at drake.edu> wrote:
>> 
>> I have an odd e-mail problem. At work i use these e-mail servers:
>>   smtp.drake.edu
>>   pop.drake.edu
>>   imap.drake.edu
>> 
>> We outsourced e-mail to MS Office 365 a while back, so each of those
>> is a CNAME for Microsoft's pool of servers. My e-mail client,
>> Thunderbird, doesn't like the SSL certificates because it is
>> configured with *.drake.edu names but those resolve to
>> *.office365.com names and certificates. But that's no problem, i
>> can just add an exception as a one-time operation since i know the
>> situation is OK.
>> 
>> The problem is that Microsoft seems to make some sort of change to
>> their SSL certificate every few months. But they don't change the
>> entire pool in an atomic operation; it can take a week or three. So
>> the certificate that i had told Thunderbird to accept changes, so i
>> have to re-accept it. But the next time i check my mail and
>> Thunderbird talks to a different pool member, it sees the old
>> certificate. So i have to accept that one again (Thunderbird seems
>> to only like 1 exception per name?). The result is that many times
>> per day i have to deal with the dialog to accept the certificate.
>> For testing purposes i tried configuring Thunderbird to go to the
>> IP of one of the servers that the CNAME resolves to, but even that
>> doesn't work (maybe those public IPs are actually load balancers
>> that go to the pool of actual servers?).
>> 
>> Any ideas how to work around this?
>> 
>> I'm thinking if i could set up a proxy for the protocols i use, and
>> if that proxy doesn't care about the certificates, that that would
>> work. Basically, run a local proxy and it would strip out the SSL
>> for me so Thunderbird never sees the server certificate. If anyone
>> has a better idea, that'd be great though since i realize this idea
>> has some minor security implications; i'd be ignoring the
>> certificates. But that is not *really* much of a difference; the
>> security dialog pops up so often now that i'm accustomed to just
>> doing the clicks to make it go away as quickly as possible without
>> actually reading it. If this is really the best/only idea, any
>> suggestions on what SMTP and POP3 proxies i should look at? I've
>> set up HTTP and FTP proxies before, but not SMTP and POP3.
>> 
>> I did look a bit for Thunderbird plugins to work around the issue,
>> but came up empty.
>> 
>> __
>> Daniel Ramaley | Server Engineer 2
>> Information Technology Services | Drake University
>> T: +1-515-271-4540
>> W: http://its.drake.edu/
>> _______________________________________________
>> Cialug mailing list
>> Cialug at cialug.org
>> http://cialug.org/mailman/listinfo/cialug

__
Daniel Ramaley | Server Engineer 2
Information Technology Services | Drake University
T: +1-515-271-4540
W: http://its.drake.edu/
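Editor's note, added to this thread and not written by either poster: the stunnel setup Guy sketches above (client-mode tunnels for POP3 and SMTP that still verify the Office 365 certificates against the system CA store) looks roughly like the stunnel.conf below. The local ports, log paths and the checkHost names are assumptions for illustration; the real subject names in Microsoft's certificates should be confirmed first (for example with `openssl s_client -connect pop.drake.edu:995`) and the checkHost lines adjusted to match. Thunderbird is then pointed at 127.0.0.1 on the accept ports with no encryption, so the server certificate never reaches it, while stunnel refuses to connect unless the chain validates and the name matches.

```ini
; stunnel.conf -- added example, not from the original thread.
; Client-mode tunnels: Thunderbird talks plaintext to 127.0.0.1,
; stunnel does TLS to the real servers and verifies their certs.
; Hostnames, ports and checkHost values below are ASSUMPTIONS.

foreground = no
pid = /var/run/stunnel-mail.pid
output = /var/log/stunnel-mail.log
; 5 = notice level; raise to 7 while debugging handshakes
debug = 5

; Validate the server chain against the system CA store (Guy's CApath
; suggestion). verifyChain alone accepts ANY certificate that chains to
; a public CA, which is why each service below also sets checkHost.
; On stunnel releases before 5.x use "verify = 2" instead of verifyChain.
CApath = /etc/ssl/certs
verifyChain = yes

[pop3]
client = yes
; Thunderbird: POP server 127.0.0.1, port 1110, connection security "None"
accept = 127.0.0.1:1110
; pop.drake.edu is a CNAME into the Office 365 pool (implicit TLS on 995)
connect = pop.drake.edu:995
; ASSUMED subject name present in the O365 POP certificate
checkHost = outlook.office365.com

[smtp]
client = yes
; Thunderbird: SMTP server 127.0.0.1, port 1025, connection security "None"
accept = 127.0.0.1:1025
; Office 365 submission uses STARTTLS on 587, so let stunnel speak
; EHLO/STARTTLS in the clear before starting the TLS handshake
connect = smtp.drake.edu:587
protocol = smtp
; ASSUMED subject name present in the O365 SMTP certificate
checkHost = smtp.office365.com
```

Two points a practitioner would check on this: because the tunnel's local side is unencrypted, the accept addresses must stay bound to 127.0.0.1 (credentials cross only the loopback interface), and because the pool members rotate certificates at different times, checkHost should name a DNS name that every pool member's certificate carries rather than a single leaf fingerprint, which is exactly the mismatch that made the Thunderbird exception dialog reappear.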

