Dovecot IMAPS Proxy with OpenBSD 4.8

In a previous article, I discussed setting up an IMAP proxy with Dovecot to get mail remotely from my iPhone. The one part of the setup I never really liked is that the link between my bastion host acting as a proxy and my actual mail server had to go unencrypted. Granted, this was inside my network, and if someone was sniffing the transaction off the wire I had bigger problems, but it still bothered me as less than perfect. While I could have grabbed a Dovecot RC source tarball and had the feature, I preferred to stay with what was packaged with OpenBSD and have lived with the lack of encryption inside my network. Well, I finally (OK, just a month and a half since release) updated my inbound proxy to OpenBSD 4.8, and one of the prominent notes on the upgrade is a move to Dovecot 1.2.x. This upgrade allows encryption of the proxied connection and resolves that long-standing concern I’ve had.

Assuming your internal mail server is already listening for IMAPS connections, you only need to modify the “extra-fields” in your /etc/dovecot.passwd file to get encryption of the proxied connection.  For example:

bubba:{PLAIN-MD5}31337::::::proxy=y host=192.168.5.6 ssl=any-cert port=993
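
As an added example (not from the original post), this Python script parses passwd-file entries like the one above and reports whether each proxied backend link is plaintext, TLS without certificate verification (ssl=any-cert), or TLS with a verified certificate (ssl=yes), following Dovecot's documented proxy extra fields. The sample entries other than bubba's are constructed, and the status labels are this example's own names.

```python
# Audit Dovecot passwd-file proxy entries for backend link encryption.
# Constructed sample data, modelled on the entry shown in the post.
SAMPLE = """\
alice:{PLAIN-MD5}placeholder::::::proxy=y host=192.168.5.6
bubba:{PLAIN-MD5}31337::::::proxy=y host=192.168.5.6 ssl=any-cert port=993
carol:{PLAIN-MD5}placeholder::::::proxy=y host=192.168.5.6 ssl=yes port=993
dave:{PLAIN-MD5}placeholder:1000:1000::/home/dave::
"""

def parse_extra_fields(line):
    """Return (user, {key: value}) for one passwd-file line, or None."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    # Layout: user:password:uid:gid:gecos:home:shell:extra_fields
    # maxsplit=7 keeps colons inside extra fields (e.g. IPv6 hosts) intact.
    parts = line.split(":", 7)
    extra = parts[7] if len(parts) == 8 else ""
    fields = {}
    for token in extra.split():
        key, _, value = token.partition("=")
        fields[key] = value or "y"  # bare key counts as enabled
    return parts[0], fields

def classify(fields):
    """Label the proxy-to-backend link for one user's extra fields."""
    if "proxy" not in fields:
        return "local"  # not proxied, nothing crosses the wire
    mode = fields.get("ssl") or fields.get("starttls")
    if mode is None:
        return "plaintext"
    if mode == "any-cert":
        return "encrypted-unverified"  # TLS, backend cert not checked
    # Assumption: any other value is treated here like ssl=yes.
    return "encrypted-verified"

def audit(text):
    """Map each user in a passwd-file body to a link status."""
    results = {}
    for line in text.splitlines():
        parsed = parse_extra_fields(line)
        if parsed:
            results[parsed[0]] = classify(parsed[1])
    return results

if __name__ == "__main__":
    for user, status in audit(SAMPLE).items():
        print(f"{user:8} {status}")
```

An entry reported as encrypted-unverified protects against passive sniffing on the internal link but not against a host impersonating the backend.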

 

[Image: Before and After]

 

 
