NethServer Version: 7.3.1611
Module: ?

I’m using gmail + Thunderbird. Enabled transparent proxy with SSL. But Thunderbird can not connect with Gmail. How to set up a transparent proxy with SSL for IMAP mail work?

Squid transparent proxy is only for HTTP/HTTPS protocol, it doesn’t filter any other protocol.

Thus, enabling the SSL transparent proxy can’t affect IMAP access.
Your problem is somewhere else

If I include just a transparent proxy (without ssl), Gmail + thunderbird works.

Giacomo is right, but @Valeriy please tell me something about the error message.
Proxy schould filter port 443 and 80, imap ssl is 993 and smtp ssl is 465.
Please have a look at squid conf if some of these ports are blocked.

Maybe it’s related to Oauth authentication implemented in Thunderbird to access to Gmail?

https://www.mozilla.org/en-US/thunderbird/38.0.1/releasenotes/

http://www.gialloporpora.netsons.org/come-attivare-oauth2-per-i-vecchi-account-gmail-in-thunderbird/702/ (in italian)

Thunderbird does not show errors. He always tries to connect.

Mail still does not work. What are thoughts?

@Valeriy
Check if your Google account in Thunderbird is configured to use “OAuth2” or “Normal password” authentication:

Tools -> Account Settings -> Your Account (in the left panel) -> Server Settings (in the left panel) -> Authentication Method (in the right panel)

Change “Oauth2” to “Normal password”

Make same thing to smtp settings:

Tools -> Account Settings -> Outgoing Server (SMTP) (in the left panel) -> SMTP server (in the right panel) -> Authentication Method

Change “Oauth2” to “Normal password”

Now try to receive and send mail

If Thunderbird show other errors with a link, go to
https://www.google.com/settings/security/lesssecureapps
and change configuration to permit login of less-secure applications to Google Account.

I do as you wrote, but it does not work. Can I have an instruction with pictures?

@saitobenkei
I didn’t think that the setting in thunderbird are the reason, because @Valeriy says that it works if transparent ssl is disabled.

@Valeriy
Please post your squid.conf and the access.log after thunderbird tried to connect.

@m.traeumner

I suspect that @Valeriy use Oauth2 authentication in Thunderbird and Oauth2 authentication is the culrpit (maybe use an https connection?)

I tried to configure the gmail account in Thunderbird to use standard authentication (not exotic autentications), so it doesn’t use Oauth2 (and probably https) to authenticate.

Obviously if we found a solution so Oauth2 works with proxy ssl is a good thing

Thanks, I didn’t know that
I think squid.conf and access.log could help anyway.

[details=squid.conf]

# Uncomment this to enable debug

#debug_options ALL,1 33,2 28,9
Sites not cached
acl no_cache dstdomain "/etc/squid/acls/no_cache.acl"

no_cache deny no_cache
Allow access from green and trusted networks.
acl localnet src 192.168.0.0/24

acl localnet_dst src 192.168.0.0/24
Safe ports
acl SSL_ports port 443

acl SSL_ports port 980		# httpd-admin (server-manager)

acl Safe_ports port 80		# http

acl Safe_ports port 21		# ftp

acl Safe_ports port 443		# https

acl Safe_ports port 70		# gopher

acl Safe_ports port 210		# wais

acl Safe_ports port 1025-65535	# unregistered ports

acl Safe_ports port 280		# http-mgmt

acl Safe_ports port 488		# gss-http

acl Safe_ports port 591		# filemaker

acl Safe_ports port 777		# multiling http

acl Safe_ports port 980		# httpd-admin (server-manager)

acl CONNECT method CONNECT

20acl_00_portscustom

Allow access from localhost
http_access allow localhost
Deny requests to certain unsafe ports
http_access deny !Safe_ports
Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
Only allow cachemgr access from localhost
http_access allow localhost manager

http_access deny manager

Skip URL rewriter for local addresses

acl self dst 192.168.0.16

acl self_port port 80

acl self_port port 443

url_rewrite_access deny self localnet  self_port
No authentication on green and trusted networks
http_access allow localnet
And finally deny all other access to this proxy
http_access deny all
cache_mem 256 MB
Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

Add any of your own refresh_pattern entries above these.

refresh_pattern ^ftp:		1440	20%	10080

refresh_pattern ^gopher:	1440	0%	1440

refresh_pattern -i (/cgi-bin/|?) 0	0%	0

refresh_pattern .		0	20%	4320

refresh_pattern ([^.]+.|)(download|(windows|)update|).(microsoft.|)com/.*.(cab|exe|msi|msp) 4320 100% 43200 reload-into-ims
Always enable manual proxy
http_port 3128
Enable transparent proxy
http_port 3129 transparent
Enable SSL transparent proxy
https_port 3130 intercept ssl-bump generate-host-certificates=off cert=/etc/pki/tls/certs/NSRV.crt key=/etc/pki/tls/private/NSRV.key sslflags=NO_DEFAULT_CA options=NO_SSLv2,NO_SSLv3,No_Compression dynamic_cert_mem_cache_size=128KB

acl https_proto proto https

always_direct allow https_proto

ssl_bump none localhost

sslproxy_options NO_SSLv2,NO_SSLv3,No_Compression

sslproxy_cipher ALL:!SSLv2:!ADH:!DSS:!MD5:!EXP:!DES:!PSK:!SRP:!RC4:!IDEA:!SEED:!aNULL:!eNULL
TLS/SSL bumping definitions
acl tls_s1_connect at_step SslBump1

acl tls_s2_client_hello at_step SslBump2

acl tls_s3_server_hello at_step SslBump3
TLS/SSL bumping steps
ssl_bump peek tls_s1_connect all

ssl_bump splice all
peek at TLS/SSL connect data
splice: no active bumping
Enable squidGuard
url_rewrite_program /usr/sbin/ufdbgclient -l /var/log/squid

url_rewrite_children 20 startup=5 idle=5 concurrency=0

url_rewrite_extras “%>a/%>A %un %>rm bump_mode=%ssl::bump_mode sni=”%ssl::>sni" referer="%{Referer}>h""

90options

forward_max_tries 25

shutdown_lifetime 1 seconds

buffered_logs on

max_filedesc 16384

logfile_rotate 0

90squidclamav

ecap_enable on
Bypass scan mime-types
acl bypass_scan_types_req req_mime_type -i ^text/

acl bypass_scan_types_req req_mime_type -i ^application/x-javascript

acl bypass_scan_types_req req_mime_type -i ^application/x-shockwave-flash

acl bypass_scan_types_req req_mime_type -i ^image/

acl bypass_scan_types_req req_mime_type -i ^video

acl bypass_scan_types_req req_mime_type -i ^audio

acl bypass_scan_types_req req_mime_type -i ^application/x-mms-framed.*$
acl bypass_scan_types_rep rep_mime_type -i ^text/

acl bypass_scan_types_rep rep_mime_type -i ^application/x-javascript

acl bypass_scan_types_rep rep_mime_type -i ^application/x-shockwave-flash

acl bypass_scan_types_rep rep_mime_type -i ^image/

acl bypass_scan_types_rep rep_mime_type -i ^video

acl bypass_scan_types_rep rep_mime_type -i ^audio

acl bypass_scan_types_rep rep_mime_type -i ^application/x-mms-framed.*$
loadable_modules /usr/lib64/ecap_clamav_adapter.so

ecap_service clamav_service_req reqmod_precache uri=ecap://e-cap.org/ecap/services/clamav?mode=REQMOD bypass=off message_size_max=5000000

ecap_service clamav_service_resp respmod_precache uri=ecap://e-cap.org/ecap/services/clamav?mode=RESPMOD bypass=on message_size_max=5000000

adaptation_access clamav_service_req allow !bypass_scan_types_req all

adaptation_access clamav_service_resp allow !bypass_scan_types_rep all

P.S.
I can not upload files to the forum.
In the file access.log a lot of text.

Please post the content of the files. Reply to this thread, start your content with a [code] and end it with a [/code].

We don’t need the whole access.log, only the lines during thunderbird tries to connect are important.
If you want access.log with another date- and timeformat (TT.MM.YYYY, HH:MM) try this:

awk ‘{print strftime(“%c”, $1), $0}’ /var/log/squid/access.log

[details=access.log]1491410526.695 125 192.168.0.10 TCP_REDIRECT/302 471 POST http://ocsp.int-x3.letsencrypt.org/ - HIER_NONE/- - 1491410526.734 36 192.168.0.10 TCP_MISS/403 2037 GET http://192.168.0.16/cgi-bin/nethserver-block.cgi? - HIER_DIRECT/192.168.0.16 text/html 1491410526.737 272 192.168.0.10 TCP_TUNNEL/200 3192 CONNECT live.mozillamessaging.com:443 - HIER_DIRECT/146.185.191.188 - 1491410526.853 112 192.168.0.10 TCP_TUNNEL/200 2918 CONNECT live.mozillamessaging.com:443 - HIER_DIRECT/146.185.191.188 - 1491410618.062 97 192.168.0.10 TCP_MISS/503 4695 GET http://autoconfig.gmail.com/mail/config-v1.1.xml? - HIER_NONE/- text/html 1491410618.344 110 192.168.0.10 TCP_REDIRECT/302 467 POST http://clients1.google.com/ocsp - HIER_NONE/- - 1491410618.393 45 192.168.0.10 TCP_MISS/403 2015 GET http://192.168.0.16/cgi-bin/nethserver-block.cgi? - HIER_DIRECT/192.168.0.16 text/html 1491410618.767 138 192.168.0.10 TCP_REDIRECT/302 471 POST http://ocsp.int-x3.letsencrypt.org/ - HIER_NONE/- - 1491410618.817 48 192.168.0.10 TCP_MISS/403 2019 GET http://192.168.0.16/cgi-bin/nethserver-block.cgi? - HIER_DIRECT/192.168.0.16 text/html 1491410618.820 315 192.168.0.10 TCP_TUNNEL/200 3192 CONNECT live.mozillamessaging.com:443 - HIER_DIRECT/146.185.191.188 - 1491410618.929 106 192.168.0.10 TCP_TUNNEL/200 2918 CONNECT live.mozillamessaging.com:443 - HIER_DIRECT/146.185.191.188 - 1491410667.171 245 192.168.0.10 TCP_REDIRECT/302 461 POST http://ocsp.digicert.com/ - HIER_NONE/- - 1491410667.249 72 192.168.0.10 TCP_MISS/403 2009 GET http://192.168.0.16/cgi-bin/nethserver-block.cgi? - HIER_DIRECT/192.168.0.16 text/html 1491410727.748 61612 192.168.0.10 TCP_TUNNEL/200 3449 CONNECT aus5.mozilla.org:443 - HIER_DIRECT/52.27.181.29 - 1491410794.453 176380 192.168.0.10 TCP_TUNNEL/200 5980 CONNECT gmail.com:443 - HIER_DIRECT/216.58.214.197 -[/details]

Hi Valeriy,
this looks like thunderbird tries to autoconfigure your google-account. Isn’t it configured? If so, try to configure it manually. After that please try if you cand send and receive mails.
Settings for configuration are here.
A list with explanations of the messages in your access.log you find at this site

Screenshots of configuring it manually:

manual_config_tb.jpg698×453 53.5 KB

manual_config_tb2.jpg883×453 66.9 KB

There are the screenshots of Thunderbird where if you have to modify the accounts if you already have the account created (see my previous post)

account-01.jpg687×703 90.1 KB

account-02.jpg682×698 68.9 KB

Remember if you have an popup of an authentication error with a link to google to go here https://www.google.com/settings/security/lesssecureapps and activate the less-secure applications authentication.

I do as in the photo. But password verification lasts forever and does not end.
acccess.log

I found out the reason. First you need to enter the mail using Oauth2. (You will see a page confirming the password from gmail). After the settings are received, you must manually change Oauth2 to a normal password.

If you immediately put the normal password, the gmail confirmation page does not appear and the configuration process (password check) does not end.

That’s great, that you solved your problem. Can you mark this thread as solved please.