Welcome! Log In Create A New Profile

Advanced

Mail reverse proxy with SSL/TLS

Posted by aspirinjunkie 
Mail reverse proxy with SSL/TLS
February 01, 2019 05:48AM
I have several small local HTTP services running.
To access them from outside I have a nginx reverse proxy running which adds SSL(TLS) to these services, so they can only be accessed via HTTPS (certificate from letsencrypt) from outside. In addition there is an HTTP authentication.

But now I also have a local mail server (davmail). It runs locally without encrypted access.
Now i have the wish that this mail server can be reached just like the HTTP services via the nginx reverse proxy from outside and that the reverse proxy "enriches" the access to it with SSL/TLS. So in the end i want to access the mail server (imap and smtp) from outside via Thunderbird for example with transport encryption only.

The following is my last essential configuration status:

[...]
mail {
server_name my.domain.com;

ssl on;
ssl_certificate /etc/letsencrypt/live/my.domain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/my.domain.com/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/my.domain.com/fullchain.pem;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;

# IMAP reverse proxy
# should listen to 993 and serve the imap-data from 192.168.0.6 with transport encryption
server {
lists 993 ssl;
protocol imap;
proxy on;

# dummy authentification (see http-block below)
auth_http localhost:8008/auth-imap;
}
}

http {
[...]

# dummy authentification server
server {
lists 8008;
server_name localhost;

location /auth-imap {
add_header Auth status OK;
add_header Auth server 192.168.0.6; # backend ip
add_header Auth port 1143; # backend port (yes 1143 is correct for my configuration!)
return 204;
}
}


# example http ssl encryption proxy server
server {
server_name my.domain.com;
lists 443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate /etc/letsencrypt/live/my.domain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/my.domain.com/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/my.domain.com/fullchain.pem;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

[...]

location /example {
proxy_pass http://192.168.0.99/admin
proxy_buffering off;
}
}

}

Unfortunately I can't get the mails from a mail program with this configuration.
I would be very grateful for tips about my mistakes and how to do it correctly.

P.S: If Mail Reverse Proxy Transport encryption is possible with nginx - is it also possible to enrich maybe caldav or carddav with SSL/TLS?
Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 70
Record Number of Users: 6 on February 13, 2018
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready