[Exim] TLS over a proxy or portforwarding

Author: Guenter Riess
Date:  
To: exim-users
Subject: [Exim] TLS over a proxy or portforwarding
Hi,
I have some trouble getting TLS to work over a proxy. The problem
is that I want to move the current Exim from a Linux firewall to an
internal server, to get rid of the user accounts on the firewall.
The idea was to forward or to proxy the SMTP connections
from the firewall to the internal server, but neither port
forwarding nor proxying the connections is working in
conjunction with TLS. Without TLS everything is working fine.
We need TLS to allow mail relaying for our road warriors and to
provide them access to the mail server inside the private LAN.
The current setup with Exim on the firewall host is working fine
and road warriors are able to relay mail if they send it using
TLS and perform authentication.

The test- and destination environment is the following:

+---------+
| road    |
| warrior |
+----+----+
     |
     |
     +---  internet
            |
            |
+-----------+-----------+
| firewall-system       |
| with proxy            |
| (or  port forwarding) |
+-----------+-----------+
            |
private     |
LAN    -----+-------+-------------+--------
                    |             |
               +----+----+   +----+----+
               | exim    |   | local   |
               | server  |   | client  |
               +---------+   +---------+



The firewall configuration is set up properly and is not the issue,
because if I do not use TLS everything is working fine (port
forwarding and proxy connections, using the same ports).
TLS is also working fine if I send mail from a local client to
the internal Exim mail server. The problem pops up if I send the
mail to the proxy and the proxy then forwards the request to
the internal server.

Exim's log just says the following when using TLS:

local client (local client -> proxy -> exim):
2002-04-12 08:40:25 SMTP connection from [172.30.0.10]
2002-04-12 08:40:25 SMTP connection from [172.30.0.10] lost

dial up connection (internet -> proxy -> exim):
2002-04-12 09:12:03 SMTP connection from [217.2.121.106]
2002-04-12 09:12:04 SMTP connection from [217.2.121.106] lost

direct connection (local client -> exim):
2002-04-12 08:01:27 SMTP connection from [172.30.1.8]
2002-04-12 08:01:29 16vvzs-0003YF-00 <= xx@??? H=(XXXXXXXXX) [172.30.1.8] P=asmtp X=TLSv1:RC4-MD5:128 A=fixed_login:xx S=644 id=001e01c1e1ef$acf81f60$08011eac@???
2002-04-12 08:01:29 SMTP connection from (XXXXXXXXX) [172.30.1.8] closed by QUIT
2002-04-12 08:01:35 16vvzs-0003YF-00 => xx <xx@???> D=localuser T=local_delivery
2002-04-12 08:01:35 16vvzs-0003YF-00 Completed


Exim log without TLS (but such a configuration without authentication
is not wanted):

dial up connection (internet -> proxy -> exim):
2002-04-12 09:14:14 SMTP connection from [217.2.121.106]
2002-04-12 09:14:15 16vx8J-0003aJ-00 <= xx@??? H=(XXXXXXXXX) [217.2.121.106] P=esmtp S=617 id=001701c1e1f9$d7a3ff40$08011eac@???
2002-04-12 09:14:15 SMTP connection from (XXXXXXXXX) [217.2.121.106] closed by QUIT
2002-04-12 09:14:20 16vx8J-0003aJ-00 => xx <xx@???> D=localuser T=local_delivery
2002-04-12 09:14:20 16vx8J-0003aJ-00 Completed


Does anybody know what the issue is? I found nothing saying that TLS
does not work in conjunction with port forwarding or with a proxy. Or
does anybody know another solution to get such an environment
running? I also thought about configuring a store-and-forward
Exim on the firewall, but the problem is how to permit relaying
without user accounts on the firewall, so that all mail is bounced
if the user is not able to authenticate.

Used software:
- Exim 3.35 on a Linux kernel 2.4.18
- firewall: Linux kernel 2.2.20
- simple proxy [http://download.sourceforge.net/proxy/]

Regards,
G. Riess
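The log above only says "SMTP connection ... lost", which does not tell at which step of the session the proxied path breaks. The probe below is an added example, not code from the post, from Exim or from the "simple proxy" project: it walks the session step by step (connect, banner, EHLO, STARTTLS reply, TLS handshake, EHLO over TLS) and reports the first phase that fails, so the server-side "lost" line can be matched with a client-side step. Pointing it at the proxy/port-forward address and at the internal Exim directly and comparing the two results is the check a practitioner would run first. The `ScriptedSmtpServer` class, the hostnames and the two failure modes ("drop_after_starttls", which reproduces the symptom in the post, and "no_starttls", a hop that strips the capability) are constructed here so the example runs offline; the real proxy's behaviour is not known from the post.

```python
import socket
import ssl
import threading


class _Lines:
    """Minimal CRLF line reader over a plain or TLS socket."""

    def __init__(self, sock):
        self.sock, self.buf = sock, b""

    def readline(self):
        while b"\n" not in self.buf:
            chunk = self.sock.recv(4096)
            if not chunk:
                raise ConnectionError("peer closed the connection")
            self.buf += chunk
        line, self.buf = self.buf.split(b"\n", 1)
        return line.decode("ascii", "replace").rstrip("\r")

    def reply(self):
        """Collect one SMTP reply, multi-line ("250-...") included -> (code, lines)."""
        lines = []
        while True:
            line = self.readline()
            lines.append(line)
            if len(line) < 4 or line[3] != "-":
                return int(line[:3]), lines


def starttls_probe(host, port, helo="probe.example.invalid", timeout=5.0):
    """Walk connect -> banner -> EHLO -> STARTTLS -> TLS handshake -> EHLO over TLS.

    Returns (failed_phase, detail); failed_phase is None when every step succeeded.
    Certificate verification is disabled on purpose: this is a reachability
    probe for diagnosing a path, not a mail client.
    """
    phase, sock, tls = "connect", None, None
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
        lines = _Lines(sock)
        phase = "banner"
        code, _ = lines.reply()
        if code != 220:
            return phase, f"unexpected banner code {code}"
        phase = "ehlo"
        sock.sendall(f"EHLO {helo}\r\n".encode())
        code, ext = lines.reply()
        if code != 250:
            return phase, f"EHLO rejected with {code}"
        if not any(l[4:].upper().startswith("STARTTLS") for l in ext):
            return phase, "STARTTLS not advertised (stripped in transit, or TLS not enabled)"
        phase = "starttls"
        sock.sendall(b"STARTTLS\r\n")
        code, _ = lines.reply()
        if code != 220:
            return phase, f"STARTTLS refused with {code}"
        phase = "tls_handshake"
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        tls = ctx.wrap_socket(sock, server_hostname=host)
        phase = "ehlo_over_tls"
        tls.sendall(f"EHLO {helo}\r\n".encode())
        code, _ = _Lines(tls).reply()
        if code != 250:
            return phase, f"EHLO over TLS rejected with {code}"
        tls.sendall(b"QUIT\r\n")
        return None, f"{tls.version()} established, EHLO over TLS accepted"
    except (OSError, ValueError) as exc:  # ssl.SSLError is an OSError subclass
        return phase, f"{type(exc).__name__}: {exc}"
    finally:
        for s in (tls, sock):
            if s is not None:
                s.close()


class ScriptedSmtpServer(threading.Thread):
    """Constructed stand-in for the far end of the path (assumption, not the real proxy).

    "drop_after_starttls": STARTTLS is acknowledged and the connection then vanishes,
    which is what the "SMTP connection ... lost" lines in the post look like.
    "no_starttls": a hop that strips the STARTTLS capability from the EHLO reply.
    """

    def __init__(self, mode):
        super().__init__(daemon=True)
        self.mode = mode
        self.srv = socket.socket()
        self.srv.bind(("127.0.0.1", 0))
        self.srv.listen(1)
        self.port = self.srv.getsockname()[1]
        self.start()

    def run(self):
        conn, _ = self.srv.accept()
        try:
            lines = _Lines(conn)
            conn.sendall(b"220 mail.example.invalid ESMTP\r\n")
            lines.readline()                       # client's EHLO
            if self.mode == "no_starttls":
                conn.sendall(b"250 mail.example.invalid\r\n")
                return
            conn.sendall(b"250-mail.example.invalid\r\n250-STARTTLS\r\n250 HELP\r\n")
            lines.readline()                       # client's STARTTLS
            conn.sendall(b"220 TLS go ahead\r\n")  # ...and then no handshake follows
        except OSError:
            pass
        finally:
            conn.close()
            self.srv.close()


if __name__ == "__main__":
    for mode in ("drop_after_starttls", "no_starttls"):
        srv = ScriptedSmtpServer(mode)
        print(mode, "->", starttls_probe("127.0.0.1", srv.port))
```

Against a real path the call is simply `starttls_probe("firewall.example", 25)` versus `starttls_probe("internal-exim.example", 25)`; a result of `("tls_handshake", ...)` on the first and `(None, ...)` on the second means the clear-text SMTP commands pass the hop but the TLS byte stream that follows the `220` does not, which is the distinction the Exim log alone cannot make.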