I'm currently sitting behind a proxy server with http going out through port 8080 on the proxy.
My problem is that all my email clients are trying to go out directly to the internet and are obviously failing. How can I get the email clients to route their SMTP and POP request through port 8080 on the proxy server?
Most HTTP proxies support CONNECT for SSL, but I've never seen a mail client that has support for that built in. Can you use SSH to tunnel out past it?
I'm not using ssl for my mail, though https still works as normal.
My problem is essentially that none of the mail apps seem to have a proxy configuration utility.
I wasn't suggesting that you were. CONNECT is the method that the proxy uses to proxy https (which is SSL) connections.
You may have to do something tricky to make this work. If I (or someone else) don't think of something soon I'll write a script to do it for you, just to see if I can.
Well there is an option in thunderbird to connect to the mail server using ssl, but this uses port 968 or something.
Somehow, I don't think any email client is going to support tunnelling its requests through a proxy on port 8080.
If the administrator opened up ports 25 and 110, would I then be able to connect OK?
Do you think I could get on my knees and beg for these ports to be opened? Not that it's such an unreasonable request though.
You might just ask the administrator the simplest question, "Is there a way I can send email out on your network?" There may already be a solution implemented or (s)he may not be as defensive about you asking for email to work than if you start requesting ports be opened by number. It may also be possible that you can ask your boss (I assume this is at a place of work) if it's OK to send email out on the network, just ask the admin first and if you do talk to the boss have some tact not to step on any toes. There may be a compelling reason why it's not allowed now, such as they want you to use another solution such as their email implementation or that they had problems in the past.
Your admin will not allow 25 and 110.
In fact, this is blocked in all networks worldwide.
One simple reason is that, any email/download/attachment/file that comes thru this will land directly to the email client in your machine, means that it's easy to send in a portscanner/worm/malware directly to your machine through email attachments and then bring down the entire network. If it's through a mail server then, they can block all these outside the firewall or at least in the DMZ and protect the internal network.
If anybody knows a way to use SSH to tunnel smtp/imap thru HTTP, please enlighten us.
As anad_kt stated, no sysadmin in his right mind will allow uncontrolled smtp, pop or imap to go through his/her gateway.
The way you describe your network proxy, it looks like a web proxy: these (like squid) are not designed to proxy other protocols. For that purpose, multi-protocol proxies are needed, like DeleGate (www.delegate.org/delegate). They do not offer the degree of control on web access that web-dedicated proxies do, however, so that both kinds may be in use in the same network (and possibly the same gateway).
Usually email service is centralized on one server, which has the privilege of being allowed to forward smtp and fetch pop or imap through the firewall. In that case, another solution to allow outgoing smtp traffic is to let the mail server relay from workstations inside the LAN: as the mail must go through one server, the hole punched through the firewall remains small and fairly controllable.
1) You are trying to use POP/IMAP to download mails from totally open/untrusted networks (mail servers) (like gmail)
2) You are trying to fetch mails using POP/IMAP from a mail server that is again located outside your network but not a total foreign network... like a client network or something which you can trust.
Second case, you can set rules in the firewall to accept 25/110 from only that trusted IP. This is totally acceptable in respect to security aspects, but again sysadmins don't make the company's policies and there is absolutely no chance that your company will be ready to trust another company's network from an ethical (non-security-related) point of view.
First case, I have heard that tunneling IMAP in SSL connections is a good solution, I would like to hear more on that, I hope someone posts something about it soon... other than that, this thread has no scope for any further discussion.
I love it when people talk about things they don't know anything about ... I'm all for trying to help, but if you don't know how something works, don't talk about it. You only confuse the OP further
HTTP proxies are able to proxy any simple one port protocol if the client application knows how to use a proxy. They use the same method that they do to proxy https connections. The proxy doesn't see *anything* about a https connection other than the client and server addresses ... Here's some "cheap hack" python code I whipped up to prove my point.
Code:
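#!/usr/bin/env python3
# No data validation or elegant program tricks ... What do you want for free and 5 minutes? :)
import select, socket, sys
proxyAddr = sys.argv[1]
proxyPort = int(sys.argv[2])
remoteAddr = sys.argv[3]
remotePort = int(sys.argv[4])
localhostPort = int(sys.argv[5])
pSock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
pSock.connect((proxyAddr, proxyPort))
pSock.sendall(("CONNECT %s:%s HTTP/1.0\r\n\r\n" % (remoteAddr, remotePort)).encode("ascii"))
# Read the proxy's reply up to the blank line; anything but a 200 means no tunnel was opened
reply = b""
while b"\r\n\r\n" not in reply:
    chunk = pSock.recv(1024)
    if not chunk:
        break
    reply += chunk
head, _, early = reply.partition(b"\r\n\r\n")
if b" 200" not in head.split(b"\r\n")[0]:
    sys.exit("Proxy refused CONNECT: %r" % head)
sSock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sSock.bind(('localhost', localhostPort))
sSock.listen(1)
(cliSock, cliAddr) = sSock.accept()
print("Accepted connection from %s" % str(cliAddr))
cliSock.sendall(early)  # bytes the server sent right behind the proxy's reply (e.g. a mail banner)
# Relay in whichever direction has data, until either side closes
peer = {cliSock: pSock, pSock: cliSock}
running = True
while running:
    for s in select.select([cliSock, pSock], [], [])[0]:
        data = s.recv(1024)
        if not data:
            running = False
            break
        peer[s].sendall(data)
cliSock.close()
pSock.close()
sSock.close()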
This will allow you to proxy anything through a HTTP proxy that will CONNECT to arbitrary ports out on the net.
Having said that, any admin worth his salt will have the ports that the HTTP proxy can connect to limited to 20, 21, 80, 443 and *maybe* 8080, so this may or may not work, depending on your admin.
Edit: In case it isn't obvious -- Run this like script.py <proxyIP> <proxyPort> <RemoteIP> <RemotePort> <PortToBindToOnLocalhost> and then point your proxy unaware program at localhost:<PortToBindToOnLocalhost>
Incidentally, anyone who trusts the security of their client (internal) machines exclusively to their firewall/proxy has a *very* small view of the security profession and should either wise up or find another career ...
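From the proxy administrator's side of the point made above about limiting the ports CONNECT may reach, the following is an added example (not part of the original thread) that audits Squid-style native access log lines for CONNECT requests to ports outside an allow-list. The log lines, the allow-list and the names `audit_connects` and `Finding` are constructed for illustration.

```python
import re
from collections import namedtuple

# Assumed policy: CONNECT is only legitimate to HTTPS.
ALLOWED_CONNECT_PORTS = {443}
MAIL_PORTS = {25: "smtp", 110: "pop3", 143: "imap",
              465: "smtps", 993: "imaps", 995: "pop3s"}

# Squid native access.log: time elapsed client action/status bytes method URL ...
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+(?P<action>[A-Z_]+)/(?P<status>\d{3})"
    r"\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)

Finding = namedtuple("Finding", "client host port service tunnelled")

def audit_connects(lines, allowed=ALLOWED_CONNECT_PORTS):
    """Return a Finding for every CONNECT to a port outside the allow-list."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group("method") != "CONNECT":
            continue
        host, _, port = m.group("url").rpartition(":")
        if not port.isdigit():
            continue  # malformed target; skip rather than guess
        port = int(port)
        if port in allowed:
            continue
        # A 2xx status means the proxy actually opened the tunnel.
        tunnelled = m.group("status").startswith("2")
        findings.append(Finding(m.group("client"), host, port,
                                MAIL_PORTS.get(port, "other"), tunnelled))
    return findings

# Constructed sample log lines (not taken from the thread).
SAMPLE_LOG = [
    "1108159200.101    310 192.168.1.50 TCP_MISS/200 5120 CONNECT www.example.com:443 - DIRECT/203.0.113.5 -",
    "1108159260.442   9021 192.168.1.50 TCP_MISS/200 8841 CONNECT mail.example.net:110 - DIRECT/203.0.113.10 -",
    "1108159275.007      2 192.168.1.77 TCP_DENIED/403 1412 CONNECT mail.example.net:25 - NONE/- text/html",
    "1108159290.950    120 192.168.1.77 TCP_MISS/200 2301 GET http://www.example.com/ - DIRECT/203.0.113.5 text/html",
]

if __name__ == "__main__":
    for f in audit_connects(SAMPLE_LOG):
        state = "TUNNEL OPENED" if f.tunnelled else "denied by proxy"
        print(f"{f.client} -> {f.host}:{f.port} ({f.service}): {state}")
```

In Squid the matching control is the stock `acl SSL_ports port 443` with `http_access deny CONNECT !SSL_ports`; a finding with `tunnelled` set to true shows that rule is missing or too wide.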
Seriously though, I get it. I can't get in contact with my old email server from behind a locked down proxy without using some sort of relay proxy or something. This really isn't a preferable option. I like my old mail service provider though. It wasn't gmail, or something like that. It was my old ISP. Good service too.
I found out they have a (unsecured) web interface for the mail. Not the most elegant option, but it's the best I can do for now. I guess I can try forwarding my mails to my new account?
It's strange. I would have thought that lots of people have come up against this problem before. I guess it just hasn't itched a programmer enough yet ;E
--PS--
Heads up. Despite being less than three days old, googling 'email behind proxy' brings up this thread. I'm scared. I guess no one really has encountered this problem much.
Last edited by Exasperated; 02-11-2005 at 09:48 PM.
Wait! I just found out that my ISP's servers DO support ssl?
Could this mean that I may be able to tunnel through the proxy to my mail server using a secure connection?
I did try the script, but it seems the server was having none of it. I couldn't make the connection.
Have you just tried using your ISP's mail relay instead of connecting directly to the recipient MTA? That could work, you know... have you tried connecting to the proxy server on port 25? To clarify, not the proxy server process, but the IP of the proxy... If it's listening, try and send yourself an email to a gmail account or something so you can check for delivery over the web. You might be lucky.
How do all the other customers of this ISP send email??????? Have you even approached them about it?
Last edited by angrybeaver; 02-12-2005 at 05:44 AM.