14th September 2006, 08:54 AM #1 External IMAP or POP3 access through AD and LEA ISP
Not sure how to solve this one but in a nutshell as a contractor I have all my email accounts external to the LEA's email system and need access.
Webmail is all well and good but I'm on site so often now that IMAP access would help reduce a lot of waiting around.
My problem is that I can't seem to access my mail at all using Outlook, Opera, etc... it just fails to connect...
A quick call to SchoolsICT got me someone who sounded about 12 and who denied any blocking or a clue as to what might be causing the problem but I suspect it's the proxy and a need to tunnel (of which I have nada/zip/zero experience) so can anyone thwap me with the appropriate clue stick and offer some possible solutions.
Cheers...
FYI: the mail servers are *nix based
-
-
14th September 2006, 09:10 AM #2 Re: External IMAP or POP3 access through AD and LEA ISP
Tunnel over https? That'd give you a clean connection with no filtering (thus fixing your imap problem)?
You need a machine out on the internet someplace running SSH on port 443.
Then follow the instructions here:
http://www.uq.edu.au/~suter/software/ssh-https-tunnel/
Then set up a ssh port forward to whatever service (IMAP) and IP (the mail server) you want access to.
http://www.ssh.com/support/documenta...orwarding.html
-
-
14th September 2006, 09:19 AM #3 Re: External IMAP or POP3 access through AD and LEA ISP
Thanks for that Geoff,
Unfortunately there's no ability to use HTTPS over this network because of the $%&*£%ing restrictive firewall they have in place with Vital (counting down the days).
Course the 12 year old denied it existed whilst a second call out of desperation clarified that 12 year old was indeed clueless... everything except port 80 is completely blocked... wonderbubble.
Anyway, still useful information nonetheless and much appreciated.
-
-
14th September 2006, 09:28 AM #4 Re: External IMAP or POP3 access through AD and LEA ISP
I'm impressed. Most people don't bother plugging the hilarious security hole that is HTTPS.
-
-
14th September 2006, 10:32 AM #5 Re: External IMAP or POP3 access through AD and LEA ISP
It might be a hilarious security hole but how do people access https sites if the port is blocked?
Ben
-
-
14th September 2006, 10:35 AM #6 Re: External IMAP or POP3 access through AD and LEA ISP
They don't and hopefully they shouldn't have any reason to.
-
-
14th September 2006, 10:37 AM #7 Re: External IMAP or POP3 access through AD and LEA ISP
I use several https sites and would be gutted if I couldn't access them.
Ben
-
-
14th September 2006, 10:38 AM #8 Re: External IMAP or POP3 access through AD and LEA ISP
Sorry, I'm confused - isn't it a security hole *not* to open https? Forcing people to use http just makes it easy for sniffers - given most users use the same passwords for all accounts...
-
-
14th September 2006, 10:44 AM #9 Re: External IMAP or POP3 access through AD and LEA ISP
If you allow HTTPS, you've given enterprising folk a way to bypass all your firewall rules and filtering systems. They can run nearly any application over a SSH tunnel.
For trouble free WoW at work (although a touch laggier than usual), my favorite would be VPN software.
If you desperately need HTTPS for <insert site> you could open it up on an ip block by ip block basis. You can either do this on your firewall, or on your proxy (at least Squid can, not sure about ISA).
-
-
14th September 2006, 10:51 AM #10 Re: External IMAP or POP3 access through AD and LEA ISP
Fair point the HTTPS block makes sense but what I find a bit interesting is that they can't open up IPs in general... only specific FULL domain names...
I was asked for the full domain for a mail server (eg: mail.foo.com) so access to anything else is impossible... Granted this could be abused but FFS I'm the tech on site so a little professional courtesy would certainly be applicable.
As to VPN... one of the reasons Vital online are being given the boot is that they refused point blank to even return ANY communication on opening VPN ports from any validated static IP address... by which I mean they didn't return 20+ calls, emails, etc from me, the head or anyone else in the school...
No reason given, no response, nothing... but heck this is turning into a rant so I need to chill :P...
Bottom line though... the current system is prohibitive beyond paranoia and just detrimental to getting anything done... Looking forward to being able to set up our own Smoothwall Guardian style system instead!
-
-
14th September 2006, 11:07 AM #11 Re: External IMAP or POP3 access through AD and LEA ISP
but what I find a bit interesting is that they can't open up IPs in general... only specific FULL domain names
I guess they are running it through their proxy then. To be fair, you can do this with squid using a 'dstdomain' ACL match. eg.
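Code:
# Match the CONNECT method, which browsers use to tunnel HTTPS through the proxy
acl https method CONNECT
# Destination host that is allowed for HTTPS
acl googlemail_https dstdomain mail.google.com
# (rest of acls go here)
# ACLs on one http_access line are ANDed; the first matching line wins
http_access allow https googlemail_https
http_access deny https
# (normal http access rules go here)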
Which is perhaps a little neater than IPs or netblocks. However I suggested that originally because there is zero point in running HTTPS through your web proxy. It can't cache it. It can't filter it. It just blindly passes it on. You might as well just send it straight out on port 443 over the firewall and use your firewall rules to keep control of it. Naturally, this means you can't do DNS lookups and have to rely on IPs. Which really isn't a big deal. Most web server farms are on the same subnet.
-
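A defender-side check for the CONNECT allowlist discussed in posts #9 and #11, as an added example that is not part of the original thread: it reads Squid native-format access.log lines and reports CONNECT tunnels that the proxy passed to hosts outside a dstdomain allowlist. The log lines are constructed sample data, and the function names and hosts other than mail.google.com are assumptions for illustration.

```python
# Added example: audit CONNECT requests in a Squid access.log against a dstdomain allowlist.
ALLOWED = ["mail.google.com"]  # same entry as the googlemail_https ACL in post #11

# Constructed sample lines in Squid's native access.log format:
# time elapsed_ms client action/code bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1158230040.120    842 10.0.0.21 TCP_MISS/200 5120 CONNECT mail.google.com:443 - DIRECT/192.0.2.10 -
1158230055.431 361204 10.0.0.37 TCP_MISS/200 48211733 CONNECT tunnel.example.net:443 - DIRECT/198.51.100.7 -
1158230060.002     95 10.0.0.21 TCP_MISS/200 2310 GET http://www.example.org/ - DIRECT/203.0.113.5 text/html
1158230071.870      3 10.0.0.44 TCP_DENIED/403 1450 CONNECT shop.example.com:443 - NONE/- text/html
"""

def dstdomain_match(host, patterns):
    """Squid dstdomain semantics: 'a.b' matches that host only; '.a.b' also matches subdomains."""
    host = host.lower().rstrip(".")
    for p in patterns:
        p = p.lower()
        if p.startswith("."):
            if host == p[1:] or host.endswith(p):
                return True
        elif host == p:
            return True
    return False

def parse_connects(log_text):
    """Yield one record per CONNECT request; for CONNECT the URL field is host:port."""
    for line in log_text.splitlines():
        f = line.split()
        if len(f) < 7 or f[5] != "CONNECT":
            continue
        host, _, port = f[6].rpartition(":")
        if not host or not port.isdigit():
            continue  # malformed target, skip rather than guess
        yield {"client": f[2], "elapsed_ms": int(f[1]), "status": f[3],
               "bytes": int(f[4]), "host": host, "port": int(port)}

def audit(log_text, allowed=ALLOWED):
    """Return CONNECT tunnels the proxy passed to hosts outside the allowlist."""
    findings = []
    for r in parse_connects(log_text):
        if r["status"].startswith("TCP_DENIED"):
            continue  # already blocked by an http_access deny rule
        if not dstdomain_match(r["host"], allowed):
            findings.append(r)
    return findings

if __name__ == "__main__":
    for r in audit(SAMPLE_LOG):
        print(f'{r["client"]} -> {r["host"]}:{r["port"]} '
              f'{r["bytes"]} bytes over {r["elapsed_ms"] / 1000:.0f}s')
```

Run against a log taken before the deny rule goes in, the output shows which destinations the allowlist would need to cover; long-lived, high-volume sessions such as the constructed second line are the ones worth a closer look.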