How to set up a reverse proxy for Gmail SMTP/IMAP

After searching on the Internet for 20+ hours, I found almost nothing about how to set up a reverse proxy for Gmail SMTP/IMAP servers. Why do I need this reverse proxy? I think you should ask the “People’s” government of China about why they set up the Great Firewall.

Finally, I found some clues that guided me to the final solutions.

Solution 1: Stunnel + Xinetd

What you need:

1. A VPS outside China

2. Linux with OpenSSL installed

3. Stunnel / Xinetd

The whole idea of the reverse proxy is like this:

IMAP requests are redirected by the VPS to imap.gmail.com.

SMTP requests pass through three hops. Stunnel accepts the client's TLS connection on port 465 and forwards the decrypted stream to another local port (1988 here). Xinetd listens on that “export” port of Stunnel and starts an OpenSSL client for each connection, which sends all requests to the Gmail SMTP server over a new TLS connection on port 465. [Client ->(Port 465) Stunnel ->(Port 1988) Xinetd -> OpenSSL (Port 465 to Gmail SMTP)]

Step 1: Install and configure Stunnel

apt-get update
apt-get upgrade
apt-get install stunnel4 -y

Stunnel configures itself using a file named “stunnel.conf” which by default is located in “/etc/stunnel”. Create a “stunnel.conf” file in the “/etc/stunnel” directory:

nano /etc/stunnel/stunnel.conf

#Copy the code below to the conf file:

[ssmtp]
accept = 465
connect = localhost:1988
cert = /etc/stunnel/stunnel.pem
CApath = /usr/share/ca-certificates/

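Step 2: Create a self-signed certificate for Stunnel with OpenSSL

openssl genrsa -out key.pem 2048
openssl req -new -x509 -key key.pem -out cert.pem -days 1095
# Write (not append) the key and certificate, and keep the private key readable by root only
cat key.pem cert.pem > /etc/stunnel/stunnel.pem
chmod 600 /etc/stunnel/stunnel.pem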

Step 3: Install and configure Xinetd

sudo apt-get install xinetd

nano /etc/xinetd.d/gmail

#copy the code below into the file:

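# Port 1988 is the plaintext hop: only stunnel on this host (connect = localhost:1988)
# needs to reach it, so it is bound to loopback instead of 0.0.0.0, and netstat lists
# it as localhost:1988 rather than *:1988. The relay script needs no root privileges.
service smtp
{
    disable     = no
    type        = UNLISTED
    bind        = 127.0.0.1
    port        = 1988
    socket_type = stream
    protocol    = tcp
    wait        = no
    user        = nobody
    server      = /usr/bin/gmail-smtp
}
service imap-993
{
    type        = UNLISTED
    port        = 993
    bind        = 0.0.0.0
    socket_type = stream
    wait        = no
    user        = nobody
    redirect    = imap.gmail.com 993
    per_source  = UNLIMITED
    cps         = 100 2
}
service imap-585
{
    type        = UNLISTED
    port        = 585
    bind        = 0.0.0.0
    socket_type = stream
    wait        = no
    user        = nobody
    redirect    = imap.gmail.com 585
    per_source  = UNLIMITED
    cps         = 100 2
}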

Then create the shell script that Xinetd runs as its “server”. It uses OpenSSL to relay each connection between your VPS and the Gmail SMTP server.

nano /usr/bin/gmail-smtp

#copy the code below into the file:

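#!/bin/sh
# Relay to Gmail over TLS; reject a chain that does not verify against /etc/ssl/certs (Debian/Ubuntu CA path).
exec /usr/bin/openssl s_client -connect smtp.gmail.com:465 -quiet \
    -CApath /etc/ssl/certs -verify_return_error 2>/dev/null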

Remember to make the file executable:

chmod +x /usr/bin/gmail-smtp

Step 4: Restart Xinetd and Stunnel

/etc/init.d/xinetd restart
/etc/init.d/stunnel4 restart
stunnel

Now, if everything goes well, you will find the following records when checking the ports in use (netstat prints port 465 as urd and port 993 as imaps, their names in /etc/services):

sudo netstat -lptu

#records to be found:

tcp 0 0 *:1988 *:* LISTEN 27863/xinetd
tcp 0 0 *:585 *:* LISTEN 27863/xinetd
tcp 0 0 *:urd *:* LISTEN 30147/stunnel
tcp 0 0 *:imaps *:* LISTEN 27863/xinetd

Congratulations, you can now use your VPS as a reverse proxy for the Gmail SMTP/IMAP servers.
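
The records from Step 4 can also be checked mechanically. The script below is an added example, not part of the original post: it classifies each listener of the Stunnel + Xinetd chain and flags the plaintext port 1988 when it is bound to every interface. The function names are hypothetical, the first sample is the four records shown above, and the loopback record is constructed to show what binding the xinetd smtp service to 127.0.0.1 looks like.

```shell
#!/bin/sh
# Audit `netstat -lptu` lines for the listeners of the Stunnel + Xinetd chain.
# 465/993/585 carry TLS on the wire; 1988 is the plaintext hop between
# stunnel and xinetd.

audit_listeners() {
    # stdin: netstat lines; stdout: "<port> <verdict> <program>" per listener
    # exit status 1 if the plaintext port accepts connections from other hosts
    awk '
    BEGIN {
        svc["urd"] = 465; svc["ssmtp"] = 465; svc["smtps"] = 465
        svc["imaps"] = 993              # names netstat takes from /etc/services
        role[465] = "tls"; role[993] = "tls"; role[585] = "tls"
        role[1988] = "plain"
        bad = 0
    }
    $1 ~ /^tcp/ && $6 == "LISTEN" {
        port = $4; sub(/.*:/, "", port)         # text after the last colon
        addr = $4; sub(/:[^:]*$/, "", addr)     # text before it
        if (port in svc) port = svc[port]
        if (!(port in role)) next
        prog = $7; sub(/^[0-9]+\//, "", prog)   # "27863/xinetd" -> "xinetd"
        loop = (addr == "localhost" || addr ~ /^127\./ || addr == "::1" || addr == "[::1]")
        if (role[port] == "tls") verdict = "tls"
        else if (loop) verdict = "plaintext-loopback"
        else { verdict = "plaintext-exposed"; bad = 1 }
        print port, verdict, prog
    }
    END { exit bad }'
}

# The four records shown in Step 4 of the post.
page_sample() {
    cat <<'EOF'
tcp 0 0 *:1988 *:* LISTEN 27863/xinetd
tcp 0 0 *:585 *:* LISTEN 27863/xinetd
tcp 0 0 *:urd *:* LISTEN 30147/stunnel
tcp 0 0 *:imaps *:* LISTEN 27863/xinetd
EOF
}

# Constructed sample: the same xinetd listener bound to loopback only.
loopback_sample() {
    echo 'tcp 0 0 localhost:1988 *:* LISTEN 27863/xinetd'
}

page_sample | audit_listeners || echo "1988 is reachable as plaintext from other hosts"
```

On a live host, pipe the real output in with `sudo netstat -lptu | audit_listeners`.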

 

Related posts can be found here:

How To Set Up an SSL Tunnel Using Stunnel on Ubuntu

HowTo: make XSane and Gmail play nice

Setup nullmailer on Ubuntu using your Gmail account as SMTP

Tunneling POP3/SMTP to Gmail SSL POP3S/SMTPS using Xinetd on Linux

Testing Gmail SMTP Server Using OpenSSL

Stunnel: Unix Config

If you just want to set up a reverse proxy for the IMAP server, you can refer to another solution that uses Imapproxy+Perdition:

Gmail IMAP Proxy/Cache – Imapproxy+Perdition

Solution 2: SNI Proxy

This solution is relatively simple. However, it seems that SNI Proxy cannot run multiple workers (to serve SMTP and IMAP at the same time). It has another disadvantage compared with the first solution: as a transparent proxy, it passes the TLS connection through untouched, so clients receive the certificates of the Google server, not certificates issued to the proxy server. This discrepancy leads to an untrusted-certificate notification on the user's screen.

sudo apt-get install slt

nano imap.gmail.yaml

#copy the code below into the yaml file

bind_addr: ":993"

frontends:
  imap.gmail.com:
    backends:
      -
        addr: "imap.gmail.com:993"

sudo nohup slt imap.gmail.yaml >imap.log &

Reference posts:

VPS Tutorial Series: Dnsmasq + DNSCrypt + SNI Proxy configuration tutorial for smooth access to Google

A method for proxying Gmail's SMTP and IMAP

https://github.com/inconshreveable/slt

https://github.com/dlundquist/sniproxy

Solution 3: SOCAT

SOCAT is even simpler than SNI Proxy, but it causes the same certificate discrepancy.

apt-get -y install socat
# Each relay runs in the foreground, so start them in the background
socat TCP-LISTEN:465,fork TCP:smtp.gmail.com:465 &
socat TCP-LISTEN:993,fork TCP:imap.gmail.com:993 &

Reference posts:

Introduction to SOCAT

Socat Examples

Socat: A very powerful networking tool

Some Useful Socat Commands

Socat man page