[clamav-users] Scanning IMAP traffic without user credential storage
Simon Hobson
linux at thehobsons.co.uk
Thu Jul 27 18:59:36 UTC 2017
Dave McMurtrie <dave64 at andrew.cmu.edu> wrote:
> The original poster doesn't mention which IMAP server he's using.
As I read it, he's looking at "random users accessing random servers" - e.g. a user connecting his phone to the guest network and it then accessing Gmail.
I really don't think it's possible to do what he wants. In principle it would work for non-SSL connections, but the whole point of SSL is to prevent the sort of MiM connection he is trying to do. For it to work, the proxy would need to talk SSL to the server (no problem), process the non-protected stream internally, and talk SSL to the client. The latter is the problem as the proxy will not be able to sign the connection using a (e.g.) Google certificate - which is, of course, the whole point of SSL; the client should flash up a big "this site is bogus" warning to the user!
In a corporate environment, with control of the clients, it's possible to install your own root certificate on the clients and then use that to sign the client-side connection. Obviously that won't work with any other clients, and it's a really, really bad idea anyway from the security PoV (breaks all client-side verification - e.g. the "green bar" for banking websites).