Tuesday, September 1, 2020

Use perdition as ssl offload proxy for imap / pop and managesieve

In modern setups you often have an ingress controller, which does the ssl termination of the connections and then routes the traffic to the correct backend(s).

For kubernetes and http(s), often nginx is used for that task.

When you wish to do the same for imap and/or pop, then it is also possible to use nginx for this.

https://docs.nginx.com/nginx/admin-guide/mail-proxy/mail-proxy/

But the main drawback is that you need to implement some authentication and routing based on an http request. Also, the managesieve protocol isn't supported.

If you don't want the hassle of this, or you don't have the required info to do it, then perdition can be used as a full imap/pop/managesieve proxy instead.

The basic setup is quite simple, but there are a few things to be aware of when using it with ssl and/or ipv6.

When you enable ssl, then you have to specify the certificate files.

Usually something like this:

ssl_ca_file /etc/postfix/ssl/ssl-root.ca
ssl_cert_file /etc/postfix/ssl/myserver.crt
ssl_key_file /etc/postfix/ssl/myserver.key

When you then start perdition, it will probably log a warning about not being able to read the DH parameters from the certificate file:

could not read DH params from cert file

Modern OpenSSL configurations require Diffie-Hellman parameters to generate secure keys in the exchange.

If your certificate does not have these embedded in it, you can generate them yourself and add them to the certificate.

openssl dhparam -out dhparams.pem 4096

Then just append the contents of the dhparams.pem file to your .crt file, and perdition has the required DH values.
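As an added example (not from the original post), here is a small POSIX shell script that appends the generated dhparams.pem to the certificate file only once, so that re-running a deployment does not stack duplicate DH blocks, and then checks that the "BEGIN DH PARAMETERS" marker perdition looks for is present. The file names and the placeholder PEM bodies are constructed for the demo; in production you generate dhparams.pem with the openssl dhparam command above (4096 bits takes several minutes) and point the script at the real myserver.crt.

```shell
#!/bin/sh
# Added example, not part of the original post: append DH parameters to a
# certificate file idempotently, so perdition stops logging
# "could not read DH params from cert file". Paths below are assumptions.

DH_MARKER='-----BEGIN DH PARAMETERS-----'

# Return 0 if FILE already carries a DH parameter block, 1 otherwise.
has_dh_params() {
    grep -q -- "$DH_MARKER" "$1"
}

# Append DH_FILE to CERT_FILE exactly once. A second run is a no-op, so
# configuration management can call this on every deploy.
ensure_dh_params() {
    cert_file=$1
    dh_file=$2
    if has_dh_params "$cert_file"; then
        return 0
    fi
    # Emit a newline first in case the certificate lacks a trailing one;
    # a DH block glued onto the END CERTIFICATE line would not parse.
    { printf '\n'; cat "$dh_file"; } >> "$cert_file"
    has_dh_params "$cert_file"
}

# Demo on a scratch copy so nothing under /etc/postfix/ssl is touched.
demo_dir=$(mktemp -d)
CERT="$demo_dir/myserver.crt"
DH="$demo_dir/dhparams.pem"

# Constructed placeholder PEM bodies: not a real certificate and not real
# parameters. Real ones come from: openssl dhparam -out dhparams.pem 4096
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIB...placeholder...' \
    '-----END CERTIFICATE-----' > "$CERT"
printf '%s\n' "$DH_MARKER" 'MIIC...placeholder...' \
    '-----END DH PARAMETERS-----' > "$DH"

ensure_dh_params "$CERT" "$DH"
ensure_dh_params "$CERT" "$DH"   # second call must not append again
echo "DH blocks in $CERT: $(grep -c -- "$DH_MARKER" "$CERT")"
rm -rf "$demo_dir"
```

After running it against the real certificate, restart perdition and confirm the DH warning no longer appears in its log.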

The second thing you might struggle with: when you start perdition on an IPv6-enabled host, it will only bind the IPv4 address and not the IPv6 address.

Unfortunately the documentation is lacking in this area, namely how to bind the IPv6 ports too.

The correct syntax is to use this in the perdition.imap4s etc. files:

bind_address 88.xx.xx.xx,"[2a01:xxx:xxx:xxx::xxx]"

Please note that you must specify both IPv4 and IPv6 addresses, and also that the IPv6 wildcard "[::]" will not work.

You have to specify the IPv6 address and enclose it in "[...]", including the " characters.
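As an added example that is not part of the original post, the following POSIX shell snippet checks, from the output of ss -ltn, whether each perdition port has a LISTEN socket on both an IPv4 and an IPv6 address, which is the quickest way to confirm that the bind_address line actually took effect. The sample ss output is constructed (documentation addresses, and port 4190 deliberately missing its IPv6 socket to show a failing case); ports 993, 995 and 4190 are assumed to be the conventional imaps, pop3s and managesieve ports.

```shell
#!/bin/sh
# Added example, not part of the original post: verify that perdition is
# listening on both address families. Reads `ss -ltn` style output from a
# file so it can be run offline against a saved capture.

# Print which families have a LISTEN socket on PORT ($1) in FILE ($2):
# "v4", "v6", "v4,v6" or an empty line. ss prints IPv6 local addresses
# in brackets, e.g. [2001:db8::10]:993, which is what the test relies on.
families_on_port() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            addr = $4
            n = split(addr, parts, ":")
            if (parts[n] != port) next
            if (addr ~ /^\[/) v6 = 1; else v4 = 1
        }
        END {
            out = ""
            if (v4) out = "v4"
            if (v6) out = out (out == "" ? "" : ",") "v6"
            print out
        }' "$2"
}

# Return 0 if every PORT given after FILE listens on v4 and v6, else 1,
# reporting each port that falls short on stderr.
check_dual_stack() {
    file=$1; shift
    rc=0
    for p in "$@"; do
        fams=$(families_on_port "$p" "$file")
        if [ "$fams" != "v4,v6" ]; then
            echo "port $p: listening on [${fams:-none}], expected v4,v6" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed sample of `ss -ltn` output; the managesieve port has no
# IPv6 socket, which is exactly the misconfiguration the post describes.
write_sample_ss() {
    cat > "$1" <<'EOF'
State   Recv-Q  Send-Q  Local Address:Port       Peer Address:Port  Process
LISTEN  0       128     198.51.100.10:993        0.0.0.0:*
LISTEN  0       128     [2001:db8::10]:993       [::]:*
LISTEN  0       128     198.51.100.10:995        0.0.0.0:*
LISTEN  0       128     [2001:db8::10]:995       [::]:*
LISTEN  0       128     198.51.100.10:4190       0.0.0.0:*
EOF
}

sample=$(mktemp)
write_sample_ss "$sample"
check_dual_stack "$sample" 993 995 4190 \
    || echo "dual-stack check failed (expected here: 4190 is IPv4 only)"
rm -f "$sample"
```

On a live host, capture the real listener table with ss -ltn > /tmp/ss.txt and run check_dual_stack /tmp/ss.txt 993 995 4190; any port it reports is one whose perdition.* file still lacks the IPv6 entry in bind_address.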

Configuring perdition as managesieve proxy is also not very well documented.

Specifying the sieve capabilities is rather tricky; here is a working example:

capability \
"\"IMPLEMENTATION\" \"Cyrus timsieved\"  "\
"\"SIEVE\" \"comparator-i;octet "\
"comparator-i;ascii-numeric "\
"fileinto "\
"reject "\
"vacation "\
"imapflags "\
"notify "\
"envelope "\
"relational "\
"regex "\
"subaddress "\
"copy\"  "\
"\"SASL\" \"PLAIN\""

The important things to note in this:

Use \" to delimit the capabilities, and use two spaces to delimit the capability lines .

Have a look at the base config file perdition.conf as a starting point.

If you have clients using K9 mail (and probably others too), then you might need to remove all "AUTH=..." settings from the imap capability string.

https://lists.vergenet.net/pipermail/perdition-users/2011-August/002547.html

Please also see my upcoming post on monitoring perdition with Zabbix.