NethServer Version: 7.3.1611
Module: ?
I’m using gmail + Thunderbird. Enabled transparent proxy with SSL. But Thunderbird can not connect with Gmail. How to set up a transparent proxy with SSL for IMAP mail work?
NethServer Version: 7.3.1611
Module: ?
I’m using gmail + Thunderbird. Enabled transparent proxy with SSL. But Thunderbird can not connect with Gmail. How to set up a transparent proxy with SSL for IMAP mail work?
Squid transparent proxy is only for HTTP/HTTPS protocol, it doesn’t filter any other protocol.
Thus, enabling the SSL transparent proxy can’t affect IMAP access.
Your problem is somewhere else
If I include just a transparent proxy (without ssl), Gmail + thunderbird works.
Giacomo is right, but @Valeriy please tell me something about the error message.
Proxy schould filter port 443 and 80, imap ssl is 993 and smtp ssl is 465.
Please have a look at squid conf if some of these ports are blocked.
Maybe it’s related to Oauth authentication implemented in Thunderbird to access to Gmail?
https://www.mozilla.org/en-US/thunderbird/38.0.1/releasenotes/
http://www.gialloporpora.netsons.org/come-attivare-oauth2-per-i-vecchi-account-gmail-in-thunderbird/702/ (in italian)
Thunderbird does not show errors. He always tries to connect.
Mail still does not work. What are thoughts?
@Valeriy
Check if your Google account in Thunderbird is configured to use “OAuth2” or “Normal password” authentication:
Tools -> Account Settings -> Your Account (in the left panel) -> Server Settings (in the left panel) -> Authentication Method (in the right panel)
Change “Oauth2” to “Normal password”
Make same thing to smtp settings:
Tools -> Account Settings -> Outgoing Server (SMTP) (in the left panel) -> SMTP server (in the right panel) -> Authentication Method
Change “Oauth2” to “Normal password”
Now try to receive and send mail
If Thunderbird show other errors with a link, go to
https://www.google.com/settings/security/lesssecureapps
and change configuration to permit login of less-secure applications to Google Account.
I do as you wrote, but it does not work. Can I have an instruction with pictures?
@saitobenkei
I didn’t think that the setting in thunderbird are the reason, because @Valeriy says that it works if transparent ssl is disabled.
@Valeriy
Please post your squid.conf and the access.log after thunderbird tried to connect.
I suspect that @Valeriy use Oauth2 authentication in Thunderbird and Oauth2 authentication is the culrpit (maybe use an https connection?)
I tried to configure the gmail account in Thunderbird to use standard authentication (not exotic autentications), so it doesn’t use Oauth2 (and probably https) to authenticate.
Obviously if we found a solution so Oauth2 works with proxy ssl is a good thing
Thanks, I didn’t know that
I think squid.conf and access.log could help anyway.
[details=squid.conf]
# Uncomment this to enable debug[/details]
#debug_options ALL,1 33,2 28,9Sites not cached
acl no_cache dstdomain "/etc/squid/acls/no_cache.acl"
no_cache deny no_cacheAllow access from green and trusted networks.
acl localnet src 192.168.0.0/24
acl localnet_dst src 192.168.0.0/24Safe ports
acl SSL_ports port 443
acl SSL_ports port 980 # httpd-admin (server-manager)
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 980 # httpd-admin (server-manager)
acl CONNECT method CONNECT20acl_00_portscustom
Allow access from localhost
http_access allow localhost
Deny requests to certain unsafe ports
http_access deny !Safe_ports
Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny managerSkip URL rewriter for local addresses
acl self dst 192.168.0.16
acl self_port port 80
acl self_port port 443
url_rewrite_access deny self localnet self_portNo authentication on green and trusted networks
http_access allow localnet
And finally deny all other access to this proxy
http_access deny all
cache_mem 256 MB
Leave coredumps in the first cache dir
coredump_dir /var/spool/squid
Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|?) 0 0% 0
refresh_pattern . 0 20% 4320
refresh_pattern ([^.]+.|)(download|(windows|)update|).(microsoft.|)com/.*.(cab|exe|msi|msp) 4320 100% 43200 reload-into-imsAlways enable manual proxy
http_port 3128
Enable transparent proxy
http_port 3129 transparent
Enable SSL transparent proxy
https_port 3130 intercept ssl-bump generate-host-certificates=off cert=/etc/pki/tls/certs/NSRV.crt key=/etc/pki/tls/private/NSRV.key sslflags=NO_DEFAULT_CA options=NO_SSLv2,NO_SSLv3,No_Compression dynamic_cert_mem_cache_size=128KB
acl https_proto proto https
always_direct allow https_proto
ssl_bump none localhost
sslproxy_options NO_SSLv2,NO_SSLv3,No_Compression
sslproxy_cipher ALL:!SSLv2:!ADH:!DSS:!MD5:!EXP:!DES:!PSK:!SRP:!RC4:!IDEA:!SEED:!aNULL:!eNULLTLS/SSL bumping definitions
acl tls_s1_connect at_step SslBump1
acl tls_s2_client_hello at_step SslBump2
acl tls_s3_server_hello at_step SslBump3TLS/SSL bumping steps
ssl_bump peek tls_s1_connect all
ssl_bump splice allpeek at TLS/SSL connect data
splice: no active bumping
Enable squidGuard
url_rewrite_program /usr/sbin/ufdbgclient -l /var/log/squid
url_rewrite_children 20 startup=5 idle=5 concurrency=0
url_rewrite_extras “%>a/%>A %un %>rm bump_mode=%ssl::bump_mode sni=”%ssl::>sni" referer="%{Referer}>h""90options
forward_max_tries 25
shutdown_lifetime 1 seconds
buffered_logs on
max_filedesc 16384
logfile_rotate 090squidclamav
ecap_enable on
Bypass scan mime-types
acl bypass_scan_types_req req_mime_type -i ^text/
acl bypass_scan_types_req req_mime_type -i ^application/x-javascript
acl bypass_scan_types_req req_mime_type -i ^application/x-shockwave-flash
acl bypass_scan_types_req req_mime_type -i ^image/
acl bypass_scan_types_req req_mime_type -i ^video
acl bypass_scan_types_req req_mime_type -i ^audio
acl bypass_scan_types_req req_mime_type -i ^application/x-mms-framed.*$acl bypass_scan_types_rep rep_mime_type -i ^text/
acl bypass_scan_types_rep rep_mime_type -i ^application/x-javascript
acl bypass_scan_types_rep rep_mime_type -i ^application/x-shockwave-flash
acl bypass_scan_types_rep rep_mime_type -i ^image/
acl bypass_scan_types_rep rep_mime_type -i ^video
acl bypass_scan_types_rep rep_mime_type -i ^audio
acl bypass_scan_types_rep rep_mime_type -i ^application/x-mms-framed.*$loadable_modules /usr/lib64/ecap_clamav_adapter.so
ecap_service clamav_service_req reqmod_precache uri=ecap://e-cap.org/ecap/services/clamav?mode=REQMOD bypass=off message_size_max=5000000
ecap_service clamav_service_resp respmod_precache uri=ecap://e-cap.org/ecap/services/clamav?mode=RESPMOD bypass=on message_size_max=5000000
adaptation_access clamav_service_req allow !bypass_scan_types_req all
adaptation_access clamav_service_resp allow !bypass_scan_types_rep all
P.S.
I can not upload files to the forum.
In the file access.log a lot of text.
Please post the content of the files. Reply to this thread, start your content with a [code] and end it with a [/code].
We don’t need the whole access.log, only the lines during thunderbird tries to connect are important.
If you want access.log with another date- and timeformat (TT.MM.YYYY, HH:MM) try this:
awk ‘{print strftime(“%c”, $1), $0}’ /var/log/squid/access.log
[details=access.log]1491410526.695 125 192.168.0.10 TCP_REDIRECT/302 471 POST http://ocsp.int-x3.letsencrypt.org/ - HIER_NONE/- -
1491410526.734 36 192.168.0.10 TCP_MISS/403 2037 GET http://192.168.0.16/cgi-bin/nethserver-block.cgi? - HIER_DIRECT/192.168.0.16 text/html
1491410526.737 272 192.168.0.10 TCP_TUNNEL/200 3192 CONNECT live.mozillamessaging.com:443 - HIER_DIRECT/146.185.191.188 -
1491410526.853 112 192.168.0.10 TCP_TUNNEL/200 2918 CONNECT live.mozillamessaging.com:443 - HIER_DIRECT/146.185.191.188 -
1491410618.062 97 192.168.0.10 TCP_MISS/503 4695 GET http://autoconfig.gmail.com/mail/config-v1.1.xml? - HIER_NONE/- text/html
1491410618.344 110 192.168.0.10 TCP_REDIRECT/302 467 POST http://clients1.google.com/ocsp - HIER_NONE/- -
1491410618.393 45 192.168.0.10 TCP_MISS/403 2015 GET http://192.168.0.16/cgi-bin/nethserver-block.cgi? - HIER_DIRECT/192.168.0.16 text/html
1491410618.767 138 192.168.0.10 TCP_REDIRECT/302 471 POST http://ocsp.int-x3.letsencrypt.org/ - HIER_NONE/- -
1491410618.817 48 192.168.0.10 TCP_MISS/403 2019 GET http://192.168.0.16/cgi-bin/nethserver-block.cgi? - HIER_DIRECT/192.168.0.16 text/html
1491410618.820 315 192.168.0.10 TCP_TUNNEL/200 3192 CONNECT live.mozillamessaging.com:443 - HIER_DIRECT/146.185.191.188 -
1491410618.929 106 192.168.0.10 TCP_TUNNEL/200 2918 CONNECT live.mozillamessaging.com:443 - HIER_DIRECT/146.185.191.188 -
1491410667.171 245 192.168.0.10 TCP_REDIRECT/302 461 POST http://ocsp.digicert.com/ - HIER_NONE/- -
1491410667.249 72 192.168.0.10 TCP_MISS/403 2009 GET http://192.168.0.16/cgi-bin/nethserver-block.cgi? - HIER_DIRECT/192.168.0.16 text/html
1491410727.748 61612 192.168.0.10 TCP_TUNNEL/200 3449 CONNECT aus5.mozilla.org:443 - HIER_DIRECT/52.27.181.29 -
1491410794.453 176380 192.168.0.10 TCP_TUNNEL/200 5980 CONNECT gmail.com:443 - HIER_DIRECT/216.58.214.197 -
[/details]
Hi Valeriy,
this looks like thunderbird tries to autoconfigure your google-account. Isn’t it configured? If so, try to configure it manually. After that please try if you cand send and receive mails.
Settings for configuration are here.
A list with explanations of the messages in your access.log you find at this site
Screenshots of configuring it manually:
There are the screenshots of Thunderbird where if you have to modify the accounts if you already have the account created (see my previous post)
Remember if you have an popup of an authentication error with a link to google to go here https://www.google.com/settings/security/lesssecureapps and activate the less-secure applications authentication.
I do as in the photo. But password verification lasts forever and does not end.
acccess.log
118 192.168.0.10 TCP_REDIRECT/302 467 POST http://clients1.google.com/ocsp - HIER_NONE/- -
1491765332.796 122 192.168.0.10 TCP_MISS/403 2015 GET http://192.168.0.16/cgi-bin/nethserver-block.cgi? - HIER_DIRECT/192.168.0.16 text/html
1491765333.212 331 192.168.0.10 TCP_TUNNEL/200 2918 CONNECT live.mozillamessaging.com:443 - HIER_DIRECT/146.185.191.188 -
1491765333.304 124 192.168.0.10 TCP_REDIRECT/302 471 POST http://ocsp.int-x3.letsencrypt.org/ - HIER_NONE/- -
1491765333.344 35 192.168.0.10 TCP_MISS/403 2019 GET http://192.168.0.16/cgi-bin/nethserver-block.cgi? - HIER_DIRECT/192.168.0.16 text/html
1491765341.374 209 192.168.0.10 TCP_REDIRECT/302 461 POST http://ocsp.digicert.com/ - HIER_NONE/- -
1491765341.423 43 192.168.0.10 TCP_MISS/403 2009 GET http://192.168.0.16/cgi-bin/nethserver-block.cgi? - HIER_DIRECT/192.168.0.16 text/html
1491765341.728 303 192.168.0.10 TCP_REDIRECT/302 461 POST http://ocsp.digicert.com/ - HIER_NONE/- -
1491765341.783 51 192.168.0.10 TCP_MISS/403 2009 GET http://192.168.0.16/cgi-bin/nethserver-block.cgi? - HIER_DIRECT/192.168.0.16 text/html
1491765342.809 202 192.168.0.10 TCP_REDIRECT/302 461 POST http://ocsp.digicert.com/ - HIER_NONE/- -
1491765342.872 59 192.168.0.10 TCP_MISS/403 2009 GET http://192.168.0.16/cgi-bin/nethserver-block.cgi? - HIER_DIRECT/192.168.0.16 text/html
1491765403.984 61848 192.168.0.10 TCP_TUNNEL/200 6022 CONNECT versioncheck-bg.addons.mozilla.org:443 - HIER_DIRECT/54.187.193.33 -
1491765457.392 116691 192.168.0.10 TCP_TUNNEL/200 7903 CONNECT services.addons.mozilla.org:443 - HIER_DIRECT/52.26.140.68 -
1491765461.589 175 192.168.0.10 TCP_TUNNEL/200 2918 CONNECT blocklists.settings.services.mozilla.com:443 - HIER_DIRECT/146.185.191.188 -
I found out the reason. First you need to enter the mail using Oauth2. (You will see a page confirming the password from gmail). After the settings are received, you must manually change Oauth2 to a normal password.
If you immediately put the normal password, the gmail confirmation page does not appear and the configuration process (password check) does not end.
That’s great, that you solved your problem. Can you mark this thread as solved please.