Migrating Unencrypted IMAP Mail to Google Apps

We were recently tasked with migrating a customer from RM’s EasyMail service over to the Gmail service that is included with Google Apps for Education. If your mail service is relatively modern and supports IMAP over SSL/TLS then you will find that this process is relatively straightforward using Google’s built-in tools. However, if your current email service does not support encrypted communication between the server and clients, you will be unable to migrate using the default toolset. Google insists (for good reason) that all traffic related to the Data Migration Service is encrypted using TLS (https://support.google.com/a/answer/6003165#ssl). If you have no control over the legacy mail system, you may think that you’re out of luck when it comes to getting your mail into Google Apps. There are a host of clunky workarounds available such as downloading via POP or setting up the old and new IMAP accounts in something like Thunderbird and manually dragging and dropping messages between old and new accounts. In my eyes that’s not a solution, rather something to try when everything else has failed.

Fortunately, I’d come across IMAP proxying in the past and was pretty sure that it could help out in this instance. The general idea is very straightforward and will be familiar if you’ve dealt with web servers and reverse proxies in the past. The IMAP proxy sits between the actual email server and the IMAP client (the Google Apps migration service, in this case) and proxies traffic between the two. The setup is often implemented in order to speed up webmail clients, but I wanted to see if I could get Google to connect to an IMAP proxy using TLS, which would then forward the traffic to the EasyMail server over plain old unencrypted IMAP. I’m happy to report that it all worked as expected and I thought I’d post some notes here for those of you that might encounter a similar situation.

Ingredients

Gather up the following tools and install them:

• Xcode
• MacPorts

You will also need a proper SSL certificate and a Mac accessible to the outside world on port 993.

Using MacPorts, install nginx with the mail flag:

# /opt/local/bin/port install nginx +mail

Method

You’ll now need to create a config file. After much tweaking, below is what I found to work for me. There is a comprehensive guide available on the nginx website – https://www.nginx.com/resources/admin-guide/mail-proxy/

worker_processes 1;
events {
 worker_connections 1024;
}
mail {
 auth_http localhost:80/auth.php;
 proxy on;
 ssl on;
 ssl_prefer_server_ciphers on;
 ssl_protocols TLSv1 SSLv3;
 ssl_ciphers HIGH:!ADH:!MD5:@STRENGTH;
 ssl_session_cache shared:TLSSL:16m;
 ssl_session_timeout 10m;
 ssl_certificate ssl/server.example.com.bundle.crt;
 ssl_certificate_key ssl/server.example.com.key;
 imap_capabilities "IMAP4rev1" "UIDPLUS" "IDLE" "LOGIN-REFERRALS"
  "NAMESPACE" "QUOTA" "CHILDREN" ;
 server {
 listen 993;
 protocol imap;
 server_name server.example.com;
 proxy_pass_error_message on;
 }
}

Passing nginx the -t flag will cause it to test the config file and check to see if you’ve been caught out by smart quotes…

# /opt/local/sbin/nginx -t
nginx: the configuration file /opt/local/etc/nginx/nginx.conf syntax is ok
nginx: configuration file /opt/local/etc/nginx/nginx.conf test is successful

If all of that is working, it’s time to build an authentication system which tells the nginx proxy whether or not the credentials that are being submitted by your IMAP client (Google) is valid for the backend mail server(s). As this is just for the purpose of migration and won’t be used in day-to-day use, I don’t need to worry about proper authentication logic in order to reduce load on the email servers, I’ll just modify the template php script from the nginx website so that it always returns true for any attempted authentication attempt. Edit the script and host it on any webserver that’s got php enabled. I used the same Mac server on which I was running nginx.

Bits I changed:

// name and IP of EasyMail server - itself an IMAP proxy!
$backend_ip["easymail"] ="194.238.55.2";

// if in_array(substr($user,0,1), array("a", "c", "f", "g")){
// return "mailhost01";
// } else {
// return "mailhost02";
// we don't care, just always return the one and only easymail IP, no matter what
 return "easymail";
// }
}

If all has gone well you should be able to test the setup using an IMAP client like Apple Mail. Try configuring it to use the FQDN that your SSL cert is protecting and ensure that connections over SSL are enabled. If all goes well it should connect to your nginx reverse IMAP proxy over port 993 which then connects to the IMAP server specified in the above php file. In RM’s case the IMAP server is actually another IMAP proxy so that then has the job of connecting to the one of, presumably, many actual mail servers that are doing the job of hosting customer email.

If that all goes well and you can see valid email and have not received any SSL errors, try entering the details into the Google Apps Migration Service settings and see what happens.

Please let us know how you get on and, of course, if you need assistance with anything relating to Google Apps, get in touch!