Mail Client --> intermediate host --> stunnel (?) --> imaps server

[Matt Morgan]

We're trying to set up a connection to an internal IMAPS server from
external (public Internet) mail clients. We already have IMAPS working
so we'd like to stick to using that for the encryption. But we don't
want to open direct connections from the outside, through the
firewall, to this server.

So the idea is to use an intermediate server (in this case, it's a
Fedora machine on a DMZ). This machine, which is our SquirrelMail
server, already uses stunnel 4.05 to connect to IMAP on the internal
server (in this case, encryption is not necessary since it's all a
private network).

We have succeeded in connecting from the outside clients, through the
intermediary, and over the stunnel to the IMAPS server, but only using
IMAP, not IMAPS. As far as we can tell, this is because the SSL
certificate is not forwarded over the stunnel. I /think/, after
reading more about stunnel, that this is expected--stunnel can only
handle negotiated SSL for specific protocols, using the "protocol"
option in the stunnel.conf.

Am I right that stunnel won't work this way? If so, what do I really
want to be doing, in order to get this to work? Squid? Basically, we
just want a way to route the entire IMAPS connection through the
intermediary server on the DMZ.

I'll also gladly entertain commentary on this question: is what I'm
trying to do--forwarding traffic through the intermediary
server--actually more secure than just opening IMAPS from the outside
to the inside?

Thanks,
Matt