Hello Bartlomiej,

On 18.01.2012 17:28, Bartłomiej Kluska wrote:
> I think I'm getting it. SOGo or the "Exchange" server must be able to communicate with the
> client (e.g. Outlook) in order to "push" new emails, events etc. to it.
> On the Internet, users rarely have a public IP assigned to their computers, and in
> the case of NAT the SOGo server is not able to push anything to the client because
> it doesn't have direct IP communication.
> Outlook Anywhere solves this by creating some kind of VPN between Outlook and the
> server.
> Am I more or less right with this?
>
> If yes, I assume that in the rare case when my notebook would have a
> public Internet IP assigned, I would be able to connect my Outlook to the
> Internet-exposed SOGo server and synchronize it (as with Exchange), but it would
> simply be very insecure, right?
Not completely correct...

Normal communication between Exchange and Outlook is done via TCP port 135 in a completely unencrypted way.
So anyone can read/interfere with all the mails/events/contacts etc.
In private networks this is not so much an issue (but one could still capture data with Wireshark etc.).

But as soon as your Outlook client is connecting to your "Exchange/SOGo" server via the Internet,
then plenty of others might be able to:

a) Read the unencrypted traffic
b) Do some unwanted things to your server on port 135

To prevent this, with Outlook 2003 and Windows XP SP2? MS introduced the possibility to tunnel
the traffic between Exchange and Outlook in an HTTPS tunnel.
That's what RPC-over-HTTPS means, and in previous Outlook versions it was named that way;
now they call it Outlook Anywhere, but it's basically the same.

For SOGo this means:

- You could safely use SOGo+Outlook in your corporate network.
- When you wish to connect to your corporate SOGo server from the Internet, then you will either have to open that port (TCP 135) or use some tunnel/VPN software, since Samba4 is currently lacking the RPC-over-HTTPS feature.
- If you wish to host your SOGo server on a "public" server, then your only hope for safety is to use a tunnel/VPN until RPC-over-HTTPS is implemented in Samba4 and SOGo (personally I fear it will not be available this year).


André
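The practical risk André describes is plain MSRPC on TCP 135 crossing the Internet boundary instead of staying inside the corporate network or a tunnel. As an added illustration (not code from the SOGo or Samba projects), the script below scans firewall accept-log lines and flags every TCP/135 flow whose source or destination is outside RFC 1918 private space; the log format and the sample lines are constructed for this example.

```python
"""Flag TCP/135 (MSRPC endpoint mapper) connections with a non-private endpoint.

Added example, not from SOGo/Samba. The iptables-style log format below is an
assumption made for the example; adapt LINE_RE to your firewall's format.
"""
import ipaddress
import re

# Constructed sample log: one line per accepted connection (hypothetical format).
SAMPLE_LOG = """\
Jan 18 17:28:01 fw kernel: ACCEPT IN=eth0 SRC=203.0.113.45 DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=135
Jan 18 17:28:05 fw kernel: ACCEPT IN=eth1 SRC=10.0.0.23 DST=10.0.0.5 PROTO=TCP SPT=49322 DPT=135
Jan 18 17:28:09 fw kernel: ACCEPT IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=443
Jan 18 17:28:12 fw kernel: ACCEPT IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=135
"""

LINE_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=(\S+) SPT=(\d+) DPT=(\d+)")
MSRPC_PORT = 135  # port used by the unencrypted Exchange/Outlook MAPI-RPC path

# RFC 1918 ranges checked explicitly: Python's is_private also treats the
# documentation ranges (192.0.2.0/24 etc.) as private, which would hide hits.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    """True when addr lies in one of the RFC 1918 private blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def exposed_rpc_connections(log_text: str) -> list:
    """Return (src, dst) pairs for TCP/135 flows where either side is non-private."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that do not match the expected format
        src, dst, proto, _spt, dpt = m.groups()
        if proto != "TCP" or int(dpt) != MSRPC_PORT:
            continue
        if not (is_rfc1918(src) and is_rfc1918(dst)):
            hits.append((src, dst))
    return hits


if __name__ == "__main__":
    for src, dst in exposed_rpc_connections(SAMPLE_LOG):
        print(f"TCP/135 crossing the Internet boundary: {src} -> {dst}")
```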
--
users@sogo.nu
https://inverse.ca/sogo/lists
