After searching on the Internet for 20+ hours, I found almost nothing about how to set up a reverse proxy for Gmail SMTP/IMAP servers. Why do I need this reverse proxy? I think you should ask the “People’s” government of China why they set up the Great Firewall.
Finally, I found some clues that guided me to the final solutions.
Solution 1: Stunnel + Xinetd
What you need:
1. A VPS outside China
2. Linux with OpenSSL installed
3. Stunnel / Xinetd
The whole idea of the reverse proxy is as follows:
For IMAP requests, the VPS redirects them to imap.gmail.com.
SMTP requests are secured by Stunnel first (it listens on port 465 and forwards to another port, such as 1988). Xinetd listens on that “export” port of Stunnel (port 1988 here) and passes each connection to OpenSSL, which sends all requests to Gmail SMTP via port 465. [Client ->(Port 465) Stunnel ->(Port 1988) Xinetd -> OpenSSL (Port 465 to Gmail SMTP)]
Step 1: Install and configure Stunnel
apt-get update
apt-get upgrade
apt-get install stunnel4 -y
Stunnel configures itself using a file named “stunnel.conf” which by default is located in “/etc/stunnel”. Create a “stunnel.conf” file in the “/etc/stunnel” directory:
nano /etc/stunnel/stunnel.conf
#Copy the code below to the conf file:
[ssmtp]
accept = 465
connect = localhost:1988
cert = /etc/stunnel/stunnel.pem
CApath = /usr/share/ca-certificates/
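Step 2: Get a certificate for Stunnel with OpenSSL
openssl genrsa -out key.pem 2048
openssl req -new -x509 -key key.pem -out cert.pem -days 1095
# Write (not append) key and certificate into the file named in stunnel.conf
cat key.pem cert.pem > /etc/stunnel/stunnel.pem
# The file contains the private key, so restrict it to its owner
chmod 600 /etc/stunnel/stunnel.pem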
Step 3: Install and configure Xinetd
sudo apt-get install xinetd
nano /etc/xinetd.d/gmail
#copy the code below into the file:
service smtp
{
    disable = no
    bind = 0.0.0.0
    port = 1988
    socket_type = stream
    protocol = tcp
    wait = no
    user = root
    server = /usr/bin/gmail-smtp
    type = unlisted
}
service imap-993
{
    type = UNLISTED
    port = 993
    bind = 0.0.0.0
    socket_type = stream
    wait = no
    user = nobody
    redirect = imap.gmail.com 993
    per_source = UNLIMITED
    cps = 100 2
}
service imap-585
{
    type = UNLISTED
    port = 585
    bind = 0.0.0.0
    socket_type = stream
    wait = no
    user = nobody
    redirect = imap.gmail.com 585
    per_source = UNLIMITED
    cps = 100 2
}
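Then create a shell script that acts as the OpenSSL “server” and relays traffic between your VPS and the Gmail SMTP server.
nano /usr/bin/gmail-smtp
#copy the code below into the file:
#!/bin/sh
# Relay stdin/stdout (the xinetd connection) to Gmail SMTP over TLS.
# Note: s_client does not abort on a certificate verification failure
# unless -verify_return_error is given.
/usr/bin/openssl s_client -connect smtp.gmail.com:465 -quiet 2>/dev/null
Remember to make the file executable:
chmod +x /usr/bin/gmail-smtp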
Step 4: Restart Xinetd and Stunnel
/etc/init.d/xinetd restart
/etc/init.d/stunnel4 restart
stunnel
Now, if everything goes well, you will find the following records when checking the listening ports (netstat prints port 465 as urd and port 993 as imaps):
sudo netstat -lptu
#records to be found:
tcp 0 0 *:1988 *:* LISTEN 27863/xinetd
tcp 0 0 *:585 *:* LISTEN 27863/xinetd
tcp 0 0 *:urd *:* LISTEN 30147/stunnel
tcp 0 0 *:imaps *:* LISTEN 27863/xinetd
Congratulations, you can now use your VPS as a reverse proxy for the Gmail SMTP/IMAP servers.
The mail client settings should look like this:
Account Type: IMAP
Username: your Gmail address
Password: your Gmail password
Incoming mail server: YOUR DOMAIN (port: 993)
Outgoing mail server: YOUR DOMAIN (port: 465)
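The netstat output above shows xinetd listening on *:1988, the port where Stunnel hands over SMTP traffic it has already decrypted, and the xinetd file runs that service as root. The following check is an added example, not part of the original post: it cross-checks the Stunnel and xinetd files from Steps 1 and 3 and reports a Stunnel backend port that xinetd exposes beyond 127.0.0.1, plus any service running as root. The function names audit_proxy and run_sample and the reduced sample configs are constructed for illustration.

```sh
# Added example: cross-check stunnel.conf against an xinetd service file.
# Stunnel hands decrypted SMTP to a local port; that port should be loopback-only.
audit_proxy() {   # usage: audit_proxy STUNNEL_CONF XINETD_FILE
    awk '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    phase != 2 {   # first file (stunnel.conf): ports Stunnel forwards to locally
        if ($0 ~ /^[ \t]*connect[ \t]*=/) {
            split($0, kv, "="); n = split(trim(kv[2]), hp, ":")
            if (n == 1 || hp[1] == "localhost" || hp[1] == "127.0.0.1")
                backend[hp[n]] = 1
        }
        next
    }
    # second file (xinetd): collect each service block; default bind is all interfaces
    $1 == "service" { name = $2; split("", a); a["bind"] = "0.0.0.0"; next }
    /=/ { split($0, kv, "="); a[trim(kv[1])] = trim(kv[2]) }
    $1 == "}" {
        if ((a["port"] in backend) && a["bind"] != "127.0.0.1")
            print name ": cleartext backend port " a["port"] " is reachable on " a["bind"]
        if (a["user"] == "root") print name ": runs as root"
    }' "$1" phase=2 "$2"
}

# Constructed sample reduced from the two configs on this page; bind address and
# user of the smtp service are parameters so both variants can be compared.
run_sample() {   # usage: run_sample BIND USER
    dir=$(mktemp -d) || return 1
    printf '[ssmtp]\naccept = 465\nconnect = localhost:1988\n' > "$dir/stunnel.conf"
    cat > "$dir/gmail" <<EOF
service smtp
{
    bind = $1
    port = 1988
    user = $2
    server = /usr/bin/gmail-smtp
}
service imap-993
{
    port = 993
    user = nobody
    redirect = imap.gmail.com 993
}
EOF
    audit_proxy "$dir/stunnel.conf" "$dir/gmail"
    rm -rf "$dir"
}

run_sample 0.0.0.0 root        # settings as on this page: two findings
run_sample 127.0.0.1 nobody    # loopback-only and unprivileged: no findings
```

On the VPS, the same check runs as audit_proxy /etc/stunnel/stunnel.conf /etc/xinetd.d/gmail. Only the IPv4 loopback address is treated as local here, and Stunnel only needs to reach port 1988 locally.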
Related posts can be found here:
How To Set Up an SSL Tunnel Using Stunnel on Ubuntu
HowTo: make XSane and Gmail play nice
Setup nullmailer on Ubuntu using your Gmail account as SMTP
Tunneling POP3/SMTP to Gmail SSL POP3S/SMTPS using Xinetd on Linux
Testing Gmail SMTP Server Using OpenSSL
If you just want to set up a reverse proxy for the IMAP server, you can refer to another solution that uses Imapproxy+Perdition:
Gmail IMAP Proxy/Cache – Imapproxy+Perdition
Solution 2: SNI Proxy
This solution is relatively simple. However, it seems the SNI Proxy cannot run multiple workers (for SMTP and IMAP at the same time). It has another disadvantage compared with the first solution: as a transparent proxy, it passes through the certificates of the Google server, which were not issued to the proxy server. This discrepancy leads to an untrusted-certificate notification on the users' screens.
$ sudo apt-get install slt
$ nano imap.gmail.yaml
#copy the code below into the yaml file
bind_addr: ":993"
frontends:
  imap.gmail.com:
    backends:
      -
        addr: "imap.gmail.com:993"
$ sudo nohup slt imap.gmail.yaml >imap.log &
Reference posts:
VPS Tutorial Series: Configuring Dnsmasq + DNSCrypt + SNI Proxy for Smooth Access to Google
https://github.com/inconshreveable/slt
https://github.com/dlundquist/sniproxy
Solution 3: SOCAT
SOCAT is even simpler than SNI Proxy, but it brings the same discrepancy in certificates.
$ apt-get -y install socat
$ socat TCP-LISTEN:465,fork TCP:smtp.gmail.com:465
$ socat TCP-LISTEN:993,fork TCP:imap.gmail.com:993
Reference posts: