Hello everyone,
I would like to share my situation and ask for help using the NGINX mail proxy module. I don't know if what we want to do is possible, so here's an overview:
The setup - I have 2 mail servers running qmail + vpopmail + Dovecot on Debian 8. I have multiple clients on each server using their email accounts. Usually we tell those clients to configure their Outlooks/Thunderbirds using imap.theirdomain.com on port 143 and smtp.theirdomain.com on port 587 (both use STARTTLS). We have a DNS server to make those redirections.
The problem - As we use Let's Encrypt to generate the SSL certificate for those 2 mail servers, every 3 months the certificate has to be renewed, and every time this happens, our clients have problems with their Outlooks/Thunderbirds, because the certificate has been renewed. Sometimes we need to reconfigure their e-mail accounts from scratch on their machines, which is very time-consuming for our support staff.
The solution - We decided to install a mail proxy using NGINX, so we can use a single hostname for everyone, solving this certificate renewal problem every 3 months. We will use something like mproxy.ourcompanydomain.com. We already did the auth script using PHP, and everything seems to be working just fine.
The question - We would like to increase security, because when I access the proxy server via SSH and do some sniffing using tcpflow, I can see everyone's password flowing between NGINX and the backend mail servers; it's not encrypted. It's encrypted only on the outside (client - proxy) but not between the proxy and the mail servers. Is there a way to encrypt all the traffic? Did I misconfigure something? Here's my nginx.conf:
user www-data;
worker_processes auto;
error_log /var/log/nginx/error.log notice;
pid /var/run/nginx.pid;

events {
    worker_connections 1024;
    multi_accept on;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;
    sendfile on;
    #tcp_nopush on;
    keepalive_timeout 65;
    #gzip on;
    include /etc/nginx/conf.d/*.conf;
}

mail {
    auth_http localhost:80/mail/auth.php;
    proxy_pass_error_message on;
    proxy on;
    pop3_capabilities "TOP" "USER";
    imap_capabilities "IMAP4rev1" "UIDPLUS";
    smtp_capabilities "VRFY" "ETRN";

    server {
        listen 110;
        protocol pop3;
        pop3_auth plain apop cram-md5;
        starttls on; ## enable STARTTLS for all mail servers
        ssl_certificate /etc/letsencrypt/live/OURHOSTNAME/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/OURHOSTNAME/privkey.pem; # managed by Certbot
        include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
    }

    server {
        listen 143;
        protocol imap;
        imap_auth login cram-md5;
        starttls on; ## enable STARTTLS for all mail servers
        ssl_certificate /etc/letsencrypt/live/OURHOSTNAME/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/OURHOSTNAME/privkey.pem; # managed by Certbot
        include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
    }

    server {
        listen 587;
        protocol smtp;
        smtp_auth login plain cram-md5;
        proxy_smtp_auth on;
        xclient off;
        starttls on; ## enable STARTTLS for all mail servers
        ssl_certificate /etc/letsencrypt/live/OURHOSTNAME/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/OURHOSTNAME/privkey.pem; # managed by Certbot
        include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
    }

    server {
        listen 993 ssl;
        protocol imap;
        imap_auth login cram-md5;
        ssl_certificate /etc/letsencrypt/live/OURHOSTNAME/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/OURHOSTNAME/privkey.pem; # managed by Certbot
        include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
    }
}
I already tried using the STREAM module from NGINX instead of the mail module, but it would not solve the problem, as the certificate being used is not the proxy's, but the mail server's certificate.
Thanks a lot for any help.
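An added check, not part of the original post and not nginx or Dovecot code: whatever the proxy does, the backend leg on port 143 is only safe if the Dovecot servers offer STARTTLS and refuse LOGIN until TLS is up (the LOGINDISABLED capability). The script below connects in cleartext, reports what a server advertises before and after STARTTLS, and parses constructed sample responses offline; it assumes Python 3.9+ (for the imaplib timeout argument) and that the backend hostname resolves from where it is run.

```python
import imaplib
import re
import ssl

# Constructed sample responses (not captured from the poster's servers):
# a Dovecot-style greeting that embeds the capability list, and a bare
# CAPABILITY reply from a server that still accepts plaintext LOGIN.
SAMPLE_GREETING_TLS_ONLY = (
    "* OK [CAPABILITY IMAP4rev1 SASL-IR ID ENABLE IDLE STARTTLS LOGINDISABLED] Dovecot ready."
)
SAMPLE_CAPABILITY_PLAINTEXT_OK = "* CAPABILITY IMAP4rev1 UIDPLUS AUTH=PLAIN AUTH=LOGIN"

_CAP_RE = re.compile(r"\[CAPABILITY ([^\]]*)\]|^\* CAPABILITY (.*)$")


def parse_capabilities(line: str) -> set[str]:
    """Extract capability tokens from an untagged CAPABILITY reply or from
    a greeting that carries them in a [CAPABILITY ...] response code."""
    m = _CAP_RE.search(line.strip())
    if not m:
        return set()
    caps = m.group(1) if m.group(1) is not None else m.group(2)
    return {c.upper() for c in caps.split()}


def assess(caps) -> dict:
    """Judge what the server offers before TLS: a safe endpoint advertises
    STARTTLS and LOGINDISABLED, so no plaintext LOGIN until TLS is up."""
    caps = {c.upper() for c in caps}
    return {
        "starttls": "STARTTLS" in caps,
        "plaintext_login_allowed": "LOGINDISABLED" not in caps,
        "pre_tls_auth_mechs": sorted(c[5:] for c in caps if c.startswith("AUTH=")),
    }


def check_imap_endpoint(host: str, port: int = 143, timeout: float = 5.0) -> dict:
    """Connect in cleartext, record the pre-TLS offer, then upgrade with
    STARTTLS when offered (the certificate is verified against host)."""
    conn = imaplib.IMAP4(host, port, timeout=timeout)
    try:
        report = assess(conn.capabilities)  # imaplib fetched these via CAPABILITY on connect
        if report["starttls"]:
            conn.starttls(ssl.create_default_context())  # refreshes conn.capabilities
            report["post_tls_auth_mechs"] = sorted(
                c[5:] for c in conn.capabilities if c.startswith("AUTH="))
        return report
    finally:
        conn.logout()
```

Run `check_imap_endpoint("backend.example")` from the proxy host: `plaintext_login_allowed: True` with `starttls: False` is exactly the state the tcpflow capture showed, and the proxy's own 143 listener can be checked the same way.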