Welcome! Log In Create A New Profile

Advanced

Encrypt traffic with backend mail servers (Mail Proxy)

Posted by lucianobb 
Encrypt traffic with backend mail servers (Mail Proxy)
June 07, 2021 10:27AM
Hello everyone,

I would like to share my situation and ask for help using NGINX mail proxy module. I don't know if we want to do is possible, so here's an overview:

The setup - I have 2 mail servers running qmail + vpopmail + Dovecot on Debian 8. I have multiple clients on each server using their email accounts. Usually we inform those clients to configure their Outlooks/Thunderbirds using imap.theirdomain.com on port 143 and smtp.theirdomain.com on port 587 (Both uses STARTTLS). We have a DNS server to make those redirections.

The problem - As we use Let's Encrypt to generate SSL certificate for those 2 mail servers, every 3 months the certificate has to be renewed, and everytime this happens, our clients have problem with their Outloooks/Thunderbirds, because the certificate has renewed. Sometimes we need to reconfigure their e-mails from scratch on their machines, wich is very time demanding for our support staff.

The solution - We decided to install a mail proxy using NGINX, so we can use a single hostname for everyone, solving this certificate renew problem every 3 months. We will use something like mproxy.ourcompanydomain.com. We already did the auth script using PHP, and everything seems to be working just fine.

The question - We would like to increase security, because when i access the proxy server via SSH and do some sniffing using tcpflow, i can see everyone passwd flowing between NGINX and the backend mail servers, it's not encrypting. It's encrypting just from the outside (Client - proxy) but not between proxy and mail servers. Is there a way to encrypt all the traffic? Did i misconfigured something? Here's my nginx.conf:


user www-data;
worker_processes auto;

error_log /var/log/nginx/error.log notice;
pid /var/run/nginx.pid;


events {
worker_connections 1024;
multi_accept on;
}


http {
include /etc/nginx/mime.types;
default_type application/octet-stream;

log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';

access_log /var/log/nginx/access.log main;

sendfile on;
#tcp_nopush on;

keepalive_timeout 65;

#gzip on;

include /etc/nginx/conf.d/*.conf;
}

mail {
auth_http localhost:80/mail/auth.php;
proxy_pass_error_message on;

proxy on;

pop3_capabilities "TOP" "USER";
imap_capabilities "IMAP4rev1" "UIDPLUS";
smtp_capabilities "VRFY" "ETRN";

server {
listen 110;
protocol pop3;
pop3_auth plain apop cram-md5;

starttls on; ## enable STARTTLS for all mail servers
ssl_certificate /etc/letsencrypt/live/OURHOSTNAME/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/OURHOSTNAME/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}

server {
listen 143;
protocol imap;
imap_auth login cram-md5;

starttls on; ## enable STARTTLS for all mail servers
ssl_certificate /etc/letsencrypt/live/OURHOSTNAME/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/OURHOSTNAME/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}


server {
listen 587;
protocol smtp;
smtp_auth login plain cram-md5;
proxy_smtp_auth on;

xclient off;

starttls on; ## enable STARTTLS for all mail servers
ssl_certificate /etc/letsencrypt/live/OURHOSTNAME/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/OURHOSTNAME/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}



server {
listen 993 ssl;
protocol imap;
imap_auth login cram-md5;

ssl_certificate /etc/letsencrypt/live/OURHOSTNAME/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/OURHOSTNAME/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}

}



I already tried using STREAM module from NGINX instead the mail module, but i would not solve the problem, as the certificate being used it's not the proxy's, but the mail server's certificate.


Thanks a lot for any help.
Re: Encrypt traffic with backend mail servers (Mail Proxy)
June 09, 2021 08:53AM
Anyone?
Re: Encrypt traffic with backend mail servers (Mail Proxy)
June 28, 2021 09:35AM
Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 76
Record Number of Users: 6 on February 13, 2018
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready