Gmail + thunderbird SOLVED

v7
mail
proxy

(Valeriy) #1

NethServer Version: 7.3.1611
Module: ?

I’m using Gmail + Thunderbird. I enabled the transparent proxy with SSL, but Thunderbird cannot connect to Gmail. How do I set up a transparent proxy with SSL so that IMAP mail works?


(Giacomo Sanchietti) #2

The Squid transparent proxy is only for the HTTP/HTTPS protocols; it doesn’t filter any other protocol.

Thus, enabling the SSL transparent proxy can’t affect IMAP access.
Your problem is somewhere else :slight_smile:


(Valeriy) #3

If I enable just the transparent proxy (without SSL), Gmail + Thunderbird works.


(Michael Träumner) #4

Giacomo is right, but @Valeriy please tell me something about the error message.
The proxy should filter ports 443 and 80; IMAP over SSL is 993 and SMTP over SSL is 465.
Please have a look at squid.conf to see if some of these ports are blocked.


(Saito Benkei) #5

Maybe it’s related to the OAuth authentication implemented in Thunderbird to access Gmail?

https://www.mozilla.org/en-US/thunderbird/38.0.1/releasenotes/

http://www.gialloporpora.netsons.org/come-attivare-oauth2-per-i-vecchi-account-gmail-in-thunderbird/702/ (in Italian)


(Valeriy) #6

Thunderbird does not show errors. It always tries to connect.


(Valeriy) #7

Mail still does not work. Any thoughts?


(Saito Benkei) #8

@Valeriy
Check if your Google account in Thunderbird is configured to use “OAuth2” or “Normal password” authentication:

Tools -> Account Settings -> Your Account (in the left panel) -> Server Settings (in the left panel) -> Authentication Method (in the right panel)

Change “OAuth2” to “Normal password”.

Do the same for the SMTP settings:

Tools -> Account Settings -> Outgoing Server (SMTP) (in the left panel) -> SMTP server (in the right panel) -> Authentication Method

Change “OAuth2” to “Normal password”.

Now try to receive and send mail.

If Thunderbird shows other errors with a link, go to
https://www.google.com/settings/security/lesssecureapps
and change the configuration to permit login of less-secure applications to your Google Account.


(Valeriy) #9

I did as you wrote, but it does not work. Can I have instructions with pictures?


(Michael Träumner) #10

@saitobenkei
I didn’t think that the settings in Thunderbird are the reason, because @Valeriy says that it works if transparent SSL is disabled.

@Valeriy
Please post your squid.conf and the access.log from after Thunderbird tried to connect.


(Saito Benkei) #11

@m.traeumner

I suspect that @Valeriy uses OAuth2 authentication in Thunderbird and that OAuth2 authentication is the culprit (maybe it uses an HTTPS connection?).

I tried to configure the Gmail account in Thunderbird to use standard authentication (not exotic authentications), so it doesn’t use OAuth2 (and probably HTTPS) to authenticate.

Obviously, if we find a solution so that OAuth2 works with the SSL proxy, that is a good thing :slight_smile:


(Michael Träumner) #12

Thanks, I didn’t know that.
I think squid.conf and access.log could help anyway.


(Valeriy) #13

[details=squid.conf]
[code]
# Uncomment this to enable debug
#debug_options ALL,1 33,2 28,9

# Sites not cached
acl no_cache dstdomain "/etc/squid/acls/no_cache.acl"
no_cache deny no_cache

# Allow access from green and trusted networks.
acl localnet src 192.168.0.0/24
acl localnet_dst src 192.168.0.0/24

# Safe ports
acl SSL_ports port 443
acl SSL_ports port 980 # httpd-admin (server-manager)
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 980 # httpd-admin (server-manager)
acl CONNECT method CONNECT

# 20acl_00_portscustom

# Allow access from localhost
http_access allow localhost

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# Skip URL rewriter for local addresses
acl self dst 192.168.0.16
acl self_port port 80
acl self_port port 443
url_rewrite_access deny self localnet self_port

# No authentication on green and trusted networks
http_access allow localnet

# And finally deny all other access to this proxy
http_access deny all

cache_mem 256 MB

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
refresh_pattern ([^.]+\.|)(download|(windows|)update|)\.(microsoft\.|)com/.*\.(cab|exe|msi|msp) 4320 100% 43200 reload-into-ims

# Always enable manual proxy
http_port 3128

# Enable transparent proxy
http_port 3129 transparent

# Enable SSL transparent proxy
https_port 3130 intercept ssl-bump generate-host-certificates=off cert=/etc/pki/tls/certs/NSRV.crt key=/etc/pki/tls/private/NSRV.key sslflags=NO_DEFAULT_CA options=NO_SSLv2,NO_SSLv3,No_Compression dynamic_cert_mem_cache_size=128KB
acl https_proto proto https
always_direct allow https_proto
ssl_bump none localhost
sslproxy_options NO_SSLv2,NO_SSLv3,No_Compression
sslproxy_cipher ALL:!SSLv2:!ADH:!DSS:!MD5:!EXP:!DES:!PSK:!SRP:!RC4:!IDEA:!SEED:!aNULL:!eNULL

# TLS/SSL bumping definitions
acl tls_s1_connect at_step SslBump1
acl tls_s2_client_hello at_step SslBump2
acl tls_s3_server_hello at_step SslBump3

# TLS/SSL bumping steps
ssl_bump peek tls_s1_connect all
ssl_bump splice all
# peek at TLS/SSL connect data
# splice: no active bumping

# Enable squidGuard
url_rewrite_program /usr/sbin/ufdbgclient -l /var/log/squid
url_rewrite_children 20 startup=5 idle=5 concurrency=0
url_rewrite_extras "%>a/%>A %un %>rm bump_mode=%ssl::bump_mode sni=\"%ssl::>sni\" referer=\"%{Referer}>h\""

# 90options
forward_max_tries 25
shutdown_lifetime 1 seconds
buffered_logs on
max_filedesc 16384
logfile_rotate 0

# 90squidclamav
ecap_enable on

# Bypass scan mime-types
acl bypass_scan_types_req req_mime_type -i ^text/
acl bypass_scan_types_req req_mime_type -i ^application/x-javascript
acl bypass_scan_types_req req_mime_type -i ^application/x-shockwave-flash
acl bypass_scan_types_req req_mime_type -i ^image/
acl bypass_scan_types_req req_mime_type -i ^video
acl bypass_scan_types_req req_mime_type -i ^audio
acl bypass_scan_types_req req_mime_type -i ^application/x-mms-framed.*$

acl bypass_scan_types_rep rep_mime_type -i ^text/
acl bypass_scan_types_rep rep_mime_type -i ^application/x-javascript
acl bypass_scan_types_rep rep_mime_type -i ^application/x-shockwave-flash
acl bypass_scan_types_rep rep_mime_type -i ^image/
acl bypass_scan_types_rep rep_mime_type -i ^video
acl bypass_scan_types_rep rep_mime_type -i ^audio
acl bypass_scan_types_rep rep_mime_type -i ^application/x-mms-framed.*$

loadable_modules /usr/lib64/ecap_clamav_adapter.so
ecap_service clamav_service_req reqmod_precache uri=ecap://e-cap.org/ecap/services/clamav?mode=REQMOD bypass=off message_size_max=5000000
ecap_service clamav_service_resp respmod_precache uri=ecap://e-cap.org/ecap/services/clamav?mode=RESPMOD bypass=on message_size_max=5000000
adaptation_access clamav_service_req allow !bypass_scan_types_req all
adaptation_access clamav_service_resp allow !bypass_scan_types_rep all
[/code]
[/details]

P.S.
I cannot upload files to the forum.
The access.log file contains a lot of text.


(Michael Träumner) #14

Please post the content of the files. Reply to this thread, start your content with [code] and end it with [/code].

We don’t need the whole access.log; only the lines from when Thunderbird tries to connect are important.
If you want access.log with another date and time format (TT.MM.YYYY, HH:MM), try this:

[code]
awk '{print strftime("%c", $1), $0}' /var/log/squid/access.log
[/code]


(Valeriy) #15

[details=access.log]
[code]
1491410526.695 125 192.168.0.10 TCP_REDIRECT/302 471 POST http://ocsp.int-x3.letsencrypt.org/ - HIER_NONE/- -
1491410526.734 36 192.168.0.10 TCP_MISS/403 2037 GET http://192.168.0.16/cgi-bin/nethserver-block.cgi? - HIER_DIRECT/192.168.0.16 text/html
1491410526.737 272 192.168.0.10 TCP_TUNNEL/200 3192 CONNECT live.mozillamessaging.com:443 - HIER_DIRECT/146.185.191.188 -
1491410526.853 112 192.168.0.10 TCP_TUNNEL/200 2918 CONNECT live.mozillamessaging.com:443 - HIER_DIRECT/146.185.191.188 -
1491410618.062 97 192.168.0.10 TCP_MISS/503 4695 GET http://autoconfig.gmail.com/mail/config-v1.1.xml? - HIER_NONE/- text/html
1491410618.344 110 192.168.0.10 TCP_REDIRECT/302 467 POST http://clients1.google.com/ocsp - HIER_NONE/- -
1491410618.393 45 192.168.0.10 TCP_MISS/403 2015 GET http://192.168.0.16/cgi-bin/nethserver-block.cgi? - HIER_DIRECT/192.168.0.16 text/html
1491410618.767 138 192.168.0.10 TCP_REDIRECT/302 471 POST http://ocsp.int-x3.letsencrypt.org/ - HIER_NONE/- -
1491410618.817 48 192.168.0.10 TCP_MISS/403 2019 GET http://192.168.0.16/cgi-bin/nethserver-block.cgi? - HIER_DIRECT/192.168.0.16 text/html
1491410618.820 315 192.168.0.10 TCP_TUNNEL/200 3192 CONNECT live.mozillamessaging.com:443 - HIER_DIRECT/146.185.191.188 -
1491410618.929 106 192.168.0.10 TCP_TUNNEL/200 2918 CONNECT live.mozillamessaging.com:443 - HIER_DIRECT/146.185.191.188 -
1491410667.171 245 192.168.0.10 TCP_REDIRECT/302 461 POST http://ocsp.digicert.com/ - HIER_NONE/- -
1491410667.249 72 192.168.0.10 TCP_MISS/403 2009 GET http://192.168.0.16/cgi-bin/nethserver-block.cgi? - HIER_DIRECT/192.168.0.16 text/html
1491410727.748 61612 192.168.0.10 TCP_TUNNEL/200 3449 CONNECT aus5.mozilla.org:443 - HIER_DIRECT/52.27.181.29 -
1491410794.453 176380 192.168.0.10 TCP_TUNNEL/200 5980 CONNECT gmail.com:443 - HIER_DIRECT/216.58.214.197 -
[/code]
[/details]

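The log above is in Squid's native access.log format (epoch timestamp, elapsed ms, client, result code/status, bytes, method, URL, user, hierarchy/peer, MIME type). As an added example that is not part of the thread, here is a small Python parser for that format: it converts the timestamp the way the awk one-liner above does and groups the records by Squid result code, so you can see at a glance which CONNECT requests were tunneled and which URLs the URL rewriter redirected (TCP_REDIRECT, each followed here by a GET to the NethServer block page). The sample records are copied from the posted log.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Squid native access.log layout, one record per line:
# time elapsed client code/status bytes method URL user hierarchy/peer mimetype
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<mime>\S+)$"
)

# Sample records copied from the access.log posted in this thread.
SAMPLE_LOG = """\
1491410526.695 125 192.168.0.10 TCP_REDIRECT/302 471 POST http://ocsp.int-x3.letsencrypt.org/ - HIER_NONE/- -
1491410526.734 36 192.168.0.10 TCP_MISS/403 2037 GET http://192.168.0.16/cgi-bin/nethserver-block.cgi? - HIER_DIRECT/192.168.0.16 text/html
1491410526.737 272 192.168.0.10 TCP_TUNNEL/200 3192 CONNECT live.mozillamessaging.com:443 - HIER_DIRECT/146.185.191.188 -
1491410618.062 97 192.168.0.10 TCP_MISS/503 4695 GET http://autoconfig.gmail.com/mail/config-v1.1.xml? - HIER_NONE/- text/html
1491410794.453 176380 192.168.0.10 TCP_TUNNEL/200 5980 CONNECT gmail.com:443 - HIER_DIRECT/216.58.214.197 -
"""

def parse_line(line):
    """Parse one record; return a dict, or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.fromtimestamp(float(rec["ts"]), tz=timezone.utc)
    rec["status"] = int(rec["status"])
    return rec

def format_time(rec):
    """Render the epoch timestamp as TT.MM.YYYY HH:MM:SS (UTC), like awk's strftime."""
    return rec["time"].strftime("%d.%m.%Y %H:%M:%S")

def summarize(log_text):
    """Count records per result code and list which URLs were tunneled
    (CONNECT spliced through untouched) versus redirected by the URL rewriter."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    return {
        "count": len(records),
        "by_code": Counter(r["code"] for r in records),
        "tunneled": [r["url"] for r in records if r["code"] == "TCP_TUNNEL"],
        "redirected": [r["url"] for r in records if r["code"] == "TCP_REDIRECT"],
    }

if __name__ == "__main__":
    for rec in filter(None, map(parse_line, SAMPLE_LOG.splitlines())):
        print(format_time(rec), rec["code"], rec["status"], rec["method"], rec["url"])
    print(summarize(SAMPLE_LOG))
```

Feed it the real file with `summarize(open("/var/log/squid/access.log").read())` to get the same breakdown for the whole log.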

(Michael Träumner) #16

Hi Valeriy,
this looks like Thunderbird tries to autoconfigure your Google account. Isn’t it configured? If so, try to configure it manually. After that, please check whether you can send and receive mails.
Settings for the configuration are here.
You can find a list with explanations of the messages in your access.log at this site.

Screenshots of configuring it manually:



(Saito Benkei) #17

Here are the screenshots of Thunderbird showing where to modify the account if you already have the account created (see my previous post).

Remember, if you get a popup with an authentication error and a link to Google, to go here https://www.google.com/settings/security/lesssecureapps and activate the less-secure applications authentication.


(Valeriy) #18

I did as in the photo, but the password verification lasts forever and does not end.
access.log:

[code]
118 192.168.0.10 TCP_REDIRECT/302 467 POST http://clients1.google.com/ocsp - HIER_NONE/- -
1491765332.796 122 192.168.0.10 TCP_MISS/403 2015 GET http://192.168.0.16/cgi-bin/nethserver-block.cgi? - HIER_DIRECT/192.168.0.16 text/html
1491765333.212 331 192.168.0.10 TCP_TUNNEL/200 2918 CONNECT live.mozillamessaging.com:443 - HIER_DIRECT/146.185.191.188 -
1491765333.304 124 192.168.0.10 TCP_REDIRECT/302 471 POST http://ocsp.int-x3.letsencrypt.org/ - HIER_NONE/- -
1491765333.344 35 192.168.0.10 TCP_MISS/403 2019 GET http://192.168.0.16/cgi-bin/nethserver-block.cgi? - HIER_DIRECT/192.168.0.16 text/html
1491765341.374 209 192.168.0.10 TCP_REDIRECT/302 461 POST http://ocsp.digicert.com/ - HIER_NONE/- -
1491765341.423 43 192.168.0.10 TCP_MISS/403 2009 GET http://192.168.0.16/cgi-bin/nethserver-block.cgi? - HIER_DIRECT/192.168.0.16 text/html
1491765341.728 303 192.168.0.10 TCP_REDIRECT/302 461 POST http://ocsp.digicert.com/ - HIER_NONE/- -
1491765341.783 51 192.168.0.10 TCP_MISS/403 2009 GET http://192.168.0.16/cgi-bin/nethserver-block.cgi? - HIER_DIRECT/192.168.0.16 text/html
1491765342.809 202 192.168.0.10 TCP_REDIRECT/302 461 POST http://ocsp.digicert.com/ - HIER_NONE/- -
1491765342.872 59 192.168.0.10 TCP_MISS/403 2009 GET http://192.168.0.16/cgi-bin/nethserver-block.cgi? - HIER_DIRECT/192.168.0.16 text/html
1491765403.984 61848 192.168.0.10 TCP_TUNNEL/200 6022 CONNECT versioncheck-bg.addons.mozilla.org:443 - HIER_DIRECT/54.187.193.33 -
1491765457.392 116691 192.168.0.10 TCP_TUNNEL/200 7903 CONNECT services.addons.mozilla.org:443 - HIER_DIRECT/52.26.140.68 -
1491765461.589 175 192.168.0.10 TCP_TUNNEL/200 2918 CONNECT blocklists.settings.services.mozilla.com:443 - HIER_DIRECT/146.185.191.188 -
[/code]


(Valeriy) #19

I found out the reason. First you need to log in to the mail using OAuth2. (You will see a page from Gmail confirming the password.) After the settings are received, you must manually change OAuth2 to a normal password.

If you immediately set the normal password, the Gmail confirmation page does not appear and the configuration process (password check) does not end.


(Michael Träumner) #20

That’s great that you solved your problem. Can you mark this thread as solved, please?