I know that nobody should use Microsoft Exchange 2003 anymore, but there are still some 2003 servers out there. I wanted to set up a reverse proxy on Linux in front of such an Exchange server to get at least better encryption, when some problems appeared:
MS RPC over HTTP breaks the HTTP standard
I first tried to build the reverse proxy with apache2. Since Microsoft's RPC over HTTP breaks the HTTP standard (supporting it would make a web server less secure), Apache does not support it. Other services like Outlook Web Access work fine, even through apache2.
HAProxy
HAProxy is a nice proxy which runs perfectly under Linux.
This is my haproxy.cfg:
global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    user haproxy
    group haproxy
    daemon

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # Default ciphers to use on SSL-enabled listening sockets.
    # For more information, see ciphers(1SSL). This list is from:
    # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
    ssl-default-bind-options no-sslv3

defaults
    log global
    mode http
    option httplog
    # option dontlognull
    timeout connect 5000
    timeout client 50000
    timeout server 50000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http
# RPC over HTTP is not standard HTTP, so this frontend/backend pair runs in
# TCP mode: TLS is terminated here and re-encrypted towards Exchange, but the
# HTTP payload itself is passed through untouched.
frontend exchange-ssl
    mode tcp
    bind 192.168.24.4:9443 ssl crt /etc/ssl/webmail/haproxy.pem
    # reqadd is an HTTP-mode directive; in mode tcp HAProxy ignores it and
    # warns at startup, so the header is never added to the proxied traffic.
    # reqadd X-Forwarded-Proto:\ https
    option tcplog
    default_backend exchange_backend

backend exchange_backend
    mode tcp
    server server1 192.168.0.6:443 maxconn 1024 check ssl verify none
    stick on src
    stick-table type ip size 10240k expire 240m
    # Layer-7 health check over TLS; this one also works in mode tcp.
    option httpchk HEAD / HTTP/1.0
    option redispatch
    option abortonclose
    # The following are HTTP-mode options and are ignored (with a startup
    # warning) in a TCP backend; client affinity comes from "stick on src".
    # option httpclose
    # option forwardfor
    # cookie JSESSIONID prefix

# RPC endpoint mapper and the fixed RPC ports, forwarded as plain TCP.
frontend rpc-front
    bind :135,:60200,:60201
    mode tcp
    maxconn 40000
    default_backend rpc-server

# Name must match the default_backend above (the original read "rcp-server").
backend rpc-server
    mode tcp
    stick-table type ip size 10240k expire 60m
    stick on src
    option redispatch
    option abortonclose
    balance leastconn
    # No port on the server line: the client's destination port is reused.
    server EXCH01 192.168.0.6 weight 1 check port 135 inter 2000 rise 2 fall 3 on-marked-down shutdown-sessions
Exchange Registry
Even with HAProxy, it didn't work. It was pretty difficult to find the cause, but in the end I found it: the fix was a registry key on the Exchange server. The RpcProxy key originally looked like this:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\RpcProxy]
"Enabled"=dword:00000001
"ValidPorts"="mailsrv:6001-6002;mailsrv.example.local:6001-6002;mailsrv:6004;mailsrv.example.local:6004"
I just had to add the public fully qualified domain name of the mail server (the name the clients connect to through the proxy) to ValidPorts:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\RpcProxy]
"Enabled"=dword:00000001
"ValidPorts"="webmail.example.com:6001-6002;mailsrv:6001-6002;mailsrv.example.local:6001-6002;mailsrv:6004;mailsrv.example.local:6004;webmail.example.com:6004"
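Because a missing ValidPorts entry fails silently from the proxy's point of view, a small checker for the value helps. The following is an added example, not part of the original post: it parses the ValidPorts format (a `;`-separated list of `host:port` or `host:low-high` entries) and reports which of the RPC ports used above a given hostname is not allowed for. The port set and the before/after values are constructed from this post.

```python
"""Check an Exchange 2003 RpcProxy ValidPorts value for a client-facing hostname.

Added example (not from the original post). ValidPorts is a ';'-separated
list of 'host:port' or 'host:low-high' entries; RPC_PORTS and the sample
values below are taken from the post and are otherwise assumptions.
"""

# Ports the post's ValidPorts value exposes for RPC over HTTP
RPC_PORTS = frozenset({6001, 6002, 6004})


def parse_valid_ports(value: str) -> dict[str, set[int]]:
    """Map each hostname (lower-cased) to the set of ports ValidPorts allows."""
    allowed: dict[str, set[int]] = {}
    for entry in value.strip().strip('"').split(";"):
        entry = entry.strip()
        if not entry:
            continue
        host, sep, ports = entry.rpartition(":")
        if not sep or not host:
            raise ValueError(f"malformed ValidPorts entry: {entry!r}")
        low, _, high = ports.partition("-")
        lo, hi = int(low), int(high or low)   # single port -> lo == hi
        if not (0 < lo <= hi <= 65535):
            raise ValueError(f"bad port range in entry: {entry!r}")
        allowed.setdefault(host.lower(), set()).update(range(lo, hi + 1))
    return allowed


def missing_ports(value: str, hostname: str) -> set[int]:
    """Return the RPC ports that ValidPorts does NOT allow for hostname."""
    return RPC_PORTS - parse_valid_ports(value).get(hostname.lower(), set())


# Constructed from the post: the value before and after adding the public FQDN
BEFORE = ("mailsrv:6001-6002;mailsrv.example.local:6001-6002;"
          "mailsrv:6004;mailsrv.example.local:6004")
AFTER = "webmail.example.com:6001-6002;" + BEFORE + ";webmail.example.com:6004"

if __name__ == "__main__":
    for label, value in (("before", BEFORE), ("after", AFTER)):
        gap = sorted(missing_ports(value, "webmail.example.com"))
        print(f"{label}: webmail.example.com missing {gap or 'nothing'}")
```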