
IMAPs / POP3s support for the Webmail client

Nathan Salt -

PROBLEM

Add SSL to IMAP and POP3 via transparent proxy

ENVIRONMENT

  • On-Premise Server + WebMail Installations: Version 6.0 > Current Version
  • Webmail Only Installations: Version 6.0 > Current Version

CAUSE

Add SSL to IMAP and POP3 via transparent proxy

RESOLUTION

The following article explains how to add IMAPs or POP3s support to the webmail client via a transparent proxy. This solution requires that the webmail client is hosted on Linux with iptables support or that you have a Linux/iptables gateway to intercept the outbound connections.
The proxying is done via Stunnel.

Download and install stunnel from http://www.stunnel.org/ on the server that is running @Mail. RedHat-based distros may be able to do a 'yum install stunnel'.

The proxy, although transparent, is not dynamic: each external mail server that needs to be contacted has to be added manually to the configuration.

Edit stunnel.conf (/etc/stunnel/stunnel.conf) and add the protocol (imaps or pop3s) and the external mail server as follows:

client = yes
 
[imaps]
accept = 127.0.0.1:6100
delay = yes
connect = mail.domain.com:993
 
[pops]
accept = 127.0.0.1:6101
connect = mail.domain.com:995

Start stunnel with the following command:

stunnel /etc/stunnel/stunnel.conf

In the example configuration above, stunnel acts as a client: it accepts IMAP connections on localhost port 6100 and proxies them to mail.domain.com over IMAPs (port 993), and it does the same for POP3s, accepting on localhost port 6101 and connecting to port 995.

Now we need to add the iptables rules to intercept any connections destined for mail.domain.com on either the IMAP port (143) or the POP3 port (110) and forward them to the appropriate stunnel port (6100 or 6101).

# IMAPs proxy for mail.domain.com

iptables -t nat -A OUTPUT -p tcp -d mail.domain.com --dport 143 -j DNAT --to 127.0.0.1:6100

# POP3s proxy for mail.domain.com

iptables -t nat -A OUTPUT -p tcp -d mail.domain.com --dport 110 -j DNAT --to 127.0.0.1:6101

I add these rules to rc.local so I can easily manage them. To add additional hosts, add another entry in stunnel.conf using a unique port on the accept line. Starting at 6100, I keep incrementing from there.
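
The per-host bookkeeping described above, as an added example that is not part of the original article or atmail's own tooling: shell functions that print the stunnel sections and the matching iptables rules for a list of hosts, numbering ports from 6100. The generated sections also set verifyChain, CAfile and checkHost, because a stunnel client configured as in the article encrypts the connection but does not verify the server certificate. Assumptions: stunnel 5.x option names, the CA bundle path, and the second host name mail2.domain.com.

```shell
#!/bin/sh
# Added example: emit stunnel.conf sections and matching iptables rules for
# several upstream mail hosts. It only prints text; nothing is applied.
# Assumptions: stunnel 5.x option names, RedHat-style CA bundle path.
CA_FILE="${CA_FILE:-/etc/pki/tls/certs/ca-bundle.crt}"
BASE_PORT=6100                           # the article starts numbering at 6100
SERVICES="imaps:143:993 pop3s:110:995"   # name:plaintext-port:TLS-port

# Split one SERVICES entry into $name, $plain and $tls.
split_service() {
    name=${1%%:*}; rest=${1#*:}
    plain=${rest%%:*}; tls=${rest##*:}
}

# gen_stunnel_conf HOST...: client-mode config, one local port per host/protocol.
gen_stunnel_conf() {
    port=$BASE_PORT
    printf 'client = yes\n'
    for host in "$@"; do
        for svc in $SERVICES; do
            split_service "$svc"
            printf '\n[%s-%s]\n' "$name" "$port"
            printf 'accept = 127.0.0.1:%s\n' "$port"
            printf 'delay = yes\n'
            printf 'connect = %s:%s\n' "$host" "$tls"
            # Without these three lines stunnel accepts any certificate.
            printf 'verifyChain = yes\n'
            printf 'CAfile = %s\n' "$CA_FILE"
            printf 'checkHost = %s\n' "$host"
            port=$((port + 1))
        done
    done
}

# gen_iptables_rules HOST...: DNAT rules in the same host/protocol order,
# so each plaintext port lands on the stunnel port generated above.
gen_iptables_rules() {
    port=$BASE_PORT
    for host in "$@"; do
        for svc in $SERVICES; do
            split_service "$svc"
            printf 'iptables -t nat -A OUTPUT -p tcp -d %s --dport %s -j DNAT --to 127.0.0.1:%s\n' \
                "$host" "$plain" "$port"
            port=$((port + 1))
        done
    done
}

# Stand-alone use: ./gen.sh mail.domain.com mail2.domain.com
if [ "$#" -gt 0 ]; then gen_stunnel_conf "$@"; echo; gen_iptables_rules "$@"; fi
```

Review the printed configuration and rules before copying them into stunnel.conf and rc.local; the hosts must appear in the same order for both functions so the port numbers line up.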
