HOB WebSecureProxy as an SSL Terminal for E-Mail Clients
Best placed in the DMZ, the HOB WebSecureProxy is an SSL gateway that SSL-encrypts the e‑mail traffic on the client side and transfers it unencrypted to the mail server on the LAN side. This effectively protects the mail server against any attacks coming over the Internet.
Many modern e-mail clients have SSL functionality integrated into them. The usual mail receipt protocol is either POP3 or IMAP4. Depending on which is being used, when SSL encryption is activated, SSL-encrypted e-mail will be received over either POP3S on the mail server port 995 or over IMAP4S on port 993. SSL-protected e-mail is sent over SMTPS on the mail server port 465. These are the default ports for these actions. For HOB WebSecureProxy authentication, a certificate signed by an external CA (Certificate Authority) is required.
The advantage of this security method is that no additional software need be installed on the client system (not even any HOB software).
The HOB WebSecureProxy is configured via an XML file. The HOB WebSecureProxy configuration for the previously described scenario would appear as follows:
Explanation of the Tags Used:
The <sslgate-configuration> tag marks the beginning of the XML configuration. The entire HOB WebSecureProxy configuration is found between this tag and its counterpart, the </sslgate‑configuration> tag.
The general behavior of the tag HOB WebSecureProxy is defined in this tag, e.g., the logging interval.
This tag enables the output of statistical data on the use of threads, memory, etc. to the event log or console. In this sample configuration, the data will be output every 1800 seconds.
The <prot-event-log> tag enables the output of error messages and events.
The <network-statistic-level> tag defines the output of network utilization data. Possible parameters are: 1 to 9, minimum to maximum data output.
This tag is used to configure the connection, e.g., to define the listening port or target address. This tag may be used several times within a HOB WebSecureProxy configuration, i.e., you may define several connections.
The <name> tag defines the name of the connection configuration, in this case, SSLGATE001. This setting must be made.
The <gateport>tag defines the listening port for an incoming connection. In this configuration, port 993 for IMAPS is opened in the first <connection> tag, and port 465 for SMTPS is opened in the following <connection> tag.
This optional tag is only used for multi-homed systems. It defines the network adapter via the IP address.
<SSL-config-file>, <SSL-certdb-file>, <SSL-password-file>
Path to the SSL certificate, configuration file and password file.
This tag contains the definition of the maximum number of concurrently active sessions (connections) within this configuration.
The mail server's IP address. Here: mail.company.com
Target port on the mail server. Here: 143 for IMAP4 and 25 for SMTP.
Optional. Defines the length of time to expire before a connection timeout will be designated a failure.
With this configuration, the HOB WebSecureProxy will provide you with two 1:1 connections.
E-Mail Client Configuration
In the local e-mail client, create an account that will have the HOB WebSecureProxy as the target address for incoming (POP3 or IMAP4) and outgoing (SMTP) mail, instead of the mail server. Enable the option "SSL-connection required."
The HOB Universal Client can be installed on the client or downloaded via the Web browser. The HOB Universal Client encrypts the data exchanged between the e-mail-client and the HOB WebSecureProxy. The e-mail client itself need not be SSL-capable. The exchanged data can also be compressed with V42.bis before being sent, accelerating e-mail traffic. All communications between the HOB Universal Client and the HOB WebSecureProxy go over just one IP port.
E-Mail Client Configuration
In the local e-mail client, create an account that will address the local host instead of the mail server. The HOB Universal Client receives the data, compresses and SSL-encrypts them, and forwards them to the HOB WebSecureProxy. The option “SSL-connection required” is not to be set for this configuration.
firstname.lastname@example.org, Last Updated: 03-Feb-10