Data

Tools

Indexes

Applications

Experiments

Awesome

An open API service indexing awesome lists of open source software.

https://github.com/duesee/imap-proxy


https://github.com/duesee/imap-proxy

Last synced: about 2 months ago
JSON representation

Awesome Lists containing this project

README 

        
[![main](https://github.com/duesee/imap-proxy/actions/workflows/main.yml/badge.svg)](https://github.com/duesee/imap-proxy/actions/workflows/main.yml)

[![audit](https://github.com/duesee/imap-proxy/actions/workflows/audit.yml/badge.svg)](https://github.com/duesee/imap-proxy/actions/workflows/audit.yml)



# IMAP Proxy 𓃸



A proxy that receives, `Debug`-prints, and forwards IMAP messages *without changing their semantics* (but see note below).



```mermaid

%%{init: {'theme': 'neutral' } }%%

flowchart LR

    imap-types --> imap-codec

    imap-codec --> imap-next

    imap-next --> imap-proxy

    

    style imap-codec stroke-dasharray: 10 5

    style imap-next stroke-dasharray: 10 5

    style imap-proxy stroke-width:4px

    

    click imap-types href "https://github.com/duesee/imap-codec/tree/main/imap-types"

    click imap-codec href "https://github.com/duesee/imap-codec"

    click imap-next href "https://github.com/duesee/imap-next"

    click imap-proxy href "https://github.com/duesee/imap-proxy"

```



Thanks to imap-next, the proxy takes advantage of asynchronous I/O, abstracts away literal handling, and fully supports unsolicited responses.



# Quickstart



For now there is no officially released binary. You can install the proxy via cargo ...



```shell

cargo install --git https://github.com/duesee/imap-proxy

```



... and then run ...



```shell

imap-proxy --help

```



... for an overview of arguments. But we suggest to run it directly via cargo ...



```shell

cargo run -- --help

```



... because it allows you to tinker with the source code.



**Important**: You must enable tracing (logging) to see a `Debug`-print of exchanged messages.



To do so, set the `RUST_LOG` environment variable.



Use ...



```sh

RUST_LOG=proxy=trace cargo run

```



... to start the proxy (using the default `config.toml`), enabling all log messages for the "proxy" module.



You should probably experiment with the environment variable. For example, you can use ...



```sh

RUST_LOG=trace cargo run

```



... to enable logs from lower libraries. This way, you will get TLS events and `io/{read,write}/raw` events.



```mermaid  

graph LR;

	Client -->|"â‘  parse Command"| Proxy;

	Proxy  -->|"â‘¡ change Command (currently no change)"| Proxy;

	Proxy  -->|"â‘¢ serialize Command'"| Server;

	Server -->|"â‘£ parse Response"| Proxy;

	Proxy  -->|"â‘¥ serialize Response'"| Client;

	Proxy  -->|"⑤ change Response (currently no change)"| Proxy;

```



	Example Trace



```

$ RUST_LOG=trace cargo run



# Insecure to Insecure

imap://127.0.0.1:1143 (insecure) -> imap://127.0.0.1:2143 (insecure)



 INFO  Bound to bind_addr_port="127.0.0.1:1143"

 INFO  Accepted client client_addr=127.0.0.1:46500



 INFO  Connecting to server server_addr_port="127.0.0.1:2143"

 INFO  Connected to server server_addr_port="127.0.0.1:2143"

TRACE  io/read/raw data="* OK Hello, World!\\r\\n"

TRACE  <--| role="s2p" greeting=Greeting {

	kind: Ok,

	code: None,

	text: Text("Hello, World!")

}

TRACE  io/write/raw data="* OK Hello, World!\\r\\n"

TRACE  <--- greeting role="p2c"

TRACE  io/read/raw data="A LOGIN {4}\\r\\n"

TRACE  io/write/raw data="+ proxy: Literal accepted by proxy\\r\\n"

TRACE  io/read/raw data="user {4}"

TRACE  io/read/raw data="\\r\\n"

TRACE  io/write/raw data="+ proxy: Literal accepted by proxy\\r\\n"

TRACE  io/read/raw data="pass"

TRACE  io/read/raw data="\\r\\n"

TRACE  |--> role="c2p" command=Command {

	tag: Tag("A"),

	body: Login {

		username: String(Literal(Literal { data: b"user", mode: Sync })),

		password: String(Literal(Literal { data: b"pass", mode: Sync }))

	}

}

```



## Config



The `config.toml` file has pre-configured scenarios.

The first scenario "Insecure to TLS" is useful for a (local) forwarding proxy and is already enabled.



You can start multiple services using TOML's [array of tables](https://toml.io/en/v1.0.0#array-of-tables) syntax:



```toml

[[services]]

# ...



[[services]]

# ...

```



The `encryption` field configures transport encryption, i.e., `Insecure` or `Tls`.

`Insecure` disables TLS encryption and SHOULD NOT be used when proxying to a remote server.



### Using TLS



#### Create local TLS certificate(s)



You can use [`mkcert`](https://github.com/FiloSottile/mkcert) to create a local certificate authority (CA).

The tool takes care to "register" the local CA with [typical trust stores](https://github.com/FiloSottile/mkcert#supported-root-stores) on your system.



We recommend creating a `private` folder before creating certificates and keys.

The `private` folder is `.gitignore`d, so you can't accidentally push your keys.



```shell

mkdir private

cd private

```



With `mkcert`, you should now be able to create a certificate (+ key), e.g., ...



```shell

mkcert localhost

```



The command creates two files, `localhost.pem` (certificate) and `localhost-key.pem` (key).



#### Configure to accept TLS connections



Edit your `config.toml` ...



```toml

[services.bind.identity]

type = "CertificateChainAndLeafKey"

certificate_chain_path = "private/localhost.pem"

leaf_key_path = "private/localhost-key.pem"

```



... accordingly, start the proxy, and test your connection with OpenSSL, e.g., ...



```shell

openssl s_client -verify_return_error -crlf -connect :

```



Note: `openssl s_client` should only really be used for testing.



# Semantic changes



> A few semantic changes are required to make the proxy more useful.

> These changes are communicated by the proxy, e.g., by emitting a warning or prefixing a `text` field.

> 

> **Literal handling** IMAP allows sending commands "piece-by-piece" using literals.

> However, forwarding single pieces rules out modifications that change the size of a literal.

> Thus, the proxy collects all pieces first and presents single messages that can be easily replaced (if so desired).

> 

> **Capability stripping** Capabilities can introduce fundamental protocol changes.

> Thus, forwarding unknown capabilities would mean we are willing to "lose track" of our session understanding.

> It also implies the proxy needs to forward unparsed messages and (somehow) "get on track" at some later point.

> Doing so requires an in-depth analysis of the problem and its implications.

> Thus, we prefer to strip unsupported capabilities and error out on parsing errors.



# Supported authentication mechanisms



The proxy forwards authentication messages unchanged, and uses an [allow-list](https://github.com/duesee/imap-proxy/blob/main/src/util.rs#L95)

of capabilities and authentication mechanisms to exclude everything it doesn't understand.



Some authentication mechanisms "bind" to the TLS connection ("channel binding") and will fail when proxied.

These mechanisms are not proxyable by design -- at least without further ado -- and are filtered from the connection.



| Authentication mechanism | Support                                |

|--------------------------|----------------------------------------|

| LOGIN                    | supported                              |

| PLAIN                    | supported                              |

| XOAUTH2                  | supported                              |

| SCRAM-*                  | supported                              |

| SCRAM-*-PLUS             | not supported (due to channel binding) |

| Others                   | not supported (yet)                    |



# Future work



The proxy could enrich existing clients' functionality to improve compatibility, performance, and security.

This could be done by fleshing out the proxy into a configurable framework.



Examples:



* Support

  * `XOAUTH2` could transparently be added to non-supporting clients

* Security

    * Encryption could be transparently added such that emails are always appended in encrypted form and decrypted during fetching

* Support & Security

  * Vintage clients could use the proxy as a TLS/Compatibility gateway (See ["Using modern email on vintage clients"](https://julienblanchard.com/articles/modern-email-and-vintage-clients).)

* Performance

  * Support for "capabilities in greetings" or `LITERAL+` could be transparently added to improve performance

* Testing

  * Messages could be forwarded to other software for analysis

  * Protocol traces could be automatically analyzed for supported features

  * Proxy could inject non-semantic changes to expose interoperability issues (See issue #62.)



# License



This crate is licensed under AGPL terms.



# Thanks



Thanks to the [NLnet Foundation](https://nlnet.nl/) for supporting the imap-codec project through [NGI Assure](https://nlnet.nl/assure/)!