Gmail + thunderbird SOLVED

If I include just a transparent proxy (without ssl), Gmail + thunderbird works.

Giacomo is right, but @Valeriy please tell me something about the error message.
Proxy should filter port 443 and 80, imap ssl is 993 and smtp ssl is 465.
Please have a look at squid conf if some of these ports are blocked.

Maybe it’s related to the OAuth authentication implemented in Thunderbird to access Gmail? (in italian)

Thunderbird does not show errors. It always tries to connect.

Mail still does not work. What are your thoughts?

Check if your Google account in Thunderbird is configured to use “OAuth2” or “Normal password” authentication:

Tools -> Account Settings -> Your Account (in the left panel) -> Server Settings (in the left panel) -> Authentication Method (in the right panel)

Change “Oauth2” to “Normal password”

Do the same for the SMTP settings:

Tools -> Account Settings -> Outgoing Server (SMTP) (in the left panel) -> SMTP server (in the right panel) -> Authentication Method

Change “Oauth2” to “Normal password”

Now try to receive and send mail

If Thunderbird shows other errors with a link, go to
and change the configuration to permit login of less-secure applications to the Google Account.


I did as you wrote, but it does not work. Can I have instructions with pictures?

I didn’t think that the settings in Thunderbird are the reason, because @Valeriy says that it works if transparent ssl is disabled.

Please post your squid.conf and the access.log after thunderbird tried to connect.


I suspect that @Valeriy uses Oauth2 authentication in Thunderbird and Oauth2 authentication is the culprit (maybe it uses an https connection?)

I tried to configure the Gmail account in Thunderbird to use standard authentication (not exotic authentications), so it doesn’t use Oauth2 (and probably https) to authenticate.

Obviously, if we find a solution so that Oauth2 works with the SSL proxy, that is a good thing :slight_smile:


Thanks, I didn’t know that
I think squid.conf and access.log could help anyway.



```
# Uncomment this to enable debug
#debug_options ALL,1 33,2 28,9

# Sites not cached
acl no_cache dstdomain "/etc/squid/acls/no_cache.acl"
no_cache deny no_cache

# Allow access from green and trusted networks.
acl localnet src
acl localnet_dst src

# Safe ports
acl SSL_ports port 443
acl SSL_ports port 980 # httpd-admin (server-manager)
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 980 # httpd-admin (server-manager)

# Allow access from localhost
http_access allow localhost

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# Skip URL rewriter for local addresses
acl self dst
acl self_port port 80
acl self_port port 443
url_rewrite_access deny self localnet self_port

# No authentication on green and trusted networks
http_access allow localnet

# And finally deny all other access to this proxy
http_access deny all

cache_mem 256 MB

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
refresh_pattern ([^.]+\.|)(download|(windows|)update|)\.(microsoft\.|)com/.*\.(cab|exe|msi|msp) 4320 100% 43200 reload-into-ims

# Always enable manual proxy
http_port 3128

# Enable transparent proxy
http_port 3129 transparent

# Enable SSL transparent proxy
https_port 3130 intercept ssl-bump generate-host-certificates=off cert=/etc/pki/tls/certs/NSRV.crt key=/etc/pki/tls/private/NSRV.key sslflags=NO_DEFAULT_CA options=NO_SSLv2,NO_SSLv3,No_Compression dynamic_cert_mem_cache_size=128KB
acl https_proto proto https
always_direct allow https_proto
ssl_bump none localhost
sslproxy_options NO_SSLv2,NO_SSLv3,No_Compression
sslproxy_cipher ALL:!SSLv2:!ADH:!DSS:!MD5:!EXP:!DES:!PSK:!SRP:!RC4:!IDEA:!SEED:!aNULL:!eNULL

# TLS/SSL bumping definitions
acl tls_s1_connect at_step SslBump1
acl tls_s2_client_hello at_step SslBump2
acl tls_s3_server_hello at_step SslBump3

# TLS/SSL bumping steps
ssl_bump peek tls_s1_connect all
ssl_bump splice all

# peek at TLS/SSL connect data
# splice: no active bumping

# Enable squidGuard
url_rewrite_program /usr/sbin/ufdbgclient -l /var/log/squid
url_rewrite_children 20 startup=5 idle=5 concurrency=0
url_rewrite_extras "%>a/%>A %un %>rm bump_mode=%ssl::bump_mode sni=\"%ssl::>sni\" referer=\"%{Referer}>h\""

forward_max_tries 25
shutdown_lifetime 1 seconds
buffered_logs on
max_filedesc 16384
logfile_rotate 0

ecap_enable on

# Bypass scan mime-types
acl bypass_scan_types_req req_mime_type -i ^text/
acl bypass_scan_types_req req_mime_type -i ^application/x-javascript
acl bypass_scan_types_req req_mime_type -i ^application/x-shockwave-flash
acl bypass_scan_types_req req_mime_type -i ^image/
acl bypass_scan_types_req req_mime_type -i ^video
acl bypass_scan_types_req req_mime_type -i ^audio
acl bypass_scan_types_req req_mime_type -i ^application/x-mms-framed.*$

acl bypass_scan_types_rep rep_mime_type -i ^text/
acl bypass_scan_types_rep rep_mime_type -i ^application/x-javascript
acl bypass_scan_types_rep rep_mime_type -i ^application/x-shockwave-flash
acl bypass_scan_types_rep rep_mime_type -i ^image/
acl bypass_scan_types_rep rep_mime_type -i ^video
acl bypass_scan_types_rep rep_mime_type -i ^audio
acl bypass_scan_types_rep rep_mime_type -i ^application/x-mms-framed.*$

loadable_modules /usr/lib64/
ecap_service clamav_service_req reqmod_precache uri=ecap:// bypass=off message_size_max=5000000
ecap_service clamav_service_resp respmod_precache uri=ecap:// bypass=on message_size_max=5000000
adaptation_access clamav_service_req allow !bypass_scan_types_req all
adaptation_access clamav_service_resp allow !bypass_scan_types_rep all
```


I cannot upload files to the forum.
There is a lot of text in the access.log file.

Please post the content of the files. Reply to this thread, start your content with a [code] and end it with a [/code].

We don’t need the whole access.log, only the lines from when Thunderbird tries to connect are important.
If you want access.log with another date and time format (TT.MM.YYYY, HH:MM) try this:

```
awk '{print strftime("%c", $1), $0}' /var/log/squid/access.log
```
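An added example, not written by any poster in this thread: the same epoch-to-date conversion as the awk one-liner, extended to count result codes and list long-running requests such as TCP_TUNNEL entries that stay open for a minute or more. The sample lines are constructed in Squid's native log format with placeholder addresses and hosts; `parse_line`, `summarize` and the 60-second threshold are assumptions of this example.

```python
from collections import Counter
from datetime import datetime, timezone

# Constructed sample in Squid's native access.log format; the client address
# and hosts are placeholders, not values from the thread.
SAMPLE_LOG = """\
1491410526.695    125 192.0.2.10 TCP_REDIRECT/302 471 POST http://mail.example.test/ - HIER_NONE/- -
1491410526.734     36 192.0.2.10 TCP_MISS/403 2037 GET http://mail.example.test/config.xml - HIER_DIRECT/198.51.100.7 text/html
1491410526.737    272 192.0.2.10 TCP_TUNNEL/200 3192 CONNECT 198.51.100.20:443 - HIER_DIRECT/198.51.100.20 -
1491410727.748  61612 192.0.2.10 TCP_TUNNEL/200 3449 CONNECT 198.51.100.21:443 - HIER_DIRECT/198.51.100.21 -
1491410794.453 176380 192.0.2.10 TCP_TUNNEL/200 5980 CONNECT 198.51.100.21:443 - HIER_DIRECT/198.51.100.21 -
this line is truncated
"""

def parse_line(line):
    """Return a dict for one native-format line, or None if it is malformed."""
    parts = line.split()
    if len(parts) < 10 or "/" not in parts[3]:
        return None
    try:
        when = datetime.fromtimestamp(float(parts[0]), tz=timezone.utc)
        elapsed_ms, size = int(parts[1]), int(parts[4])
    except ValueError:
        return None
    result, _, status = parts[3].partition("/")
    return {"time": when, "elapsed_ms": elapsed_ms, "client": parts[2],
            "result": result, "status": status, "bytes": size,
            "method": parts[5], "url": parts[6]}

def summarize(text, slow_ms=60000):
    """Count result/status pairs and list requests slower than slow_ms."""
    counts, slow, skipped = Counter(), [], 0
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            skipped += 1
            continue
        counts[f'{entry["result"]}/{entry["status"]}'] += 1
        if entry["elapsed_ms"] >= slow_ms:
            slow.append(entry)
    return counts, slow, skipped

if __name__ == "__main__":
    counts, slow, skipped = summarize(SAMPLE_LOG)
    for key, n in counts.most_common():
        print(f"{n:3d}  {key}")
    for e in slow:
        print(f'{e["time"]:%Y-%m-%d %H:%M:%S} UTC  {e["elapsed_ms"] / 1000:.1f}s  {e["method"]} {e["url"]}')
    print(f"skipped {skipped} malformed line(s)")
```

Lines with missing fields are counted as skipped rather than guessed at, so a log with stripped columns has to be supplied in full before the summary means anything.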

[details=access.log]
1491410526.695 125 TCP_REDIRECT/302 471 POST - HIER_NONE/- -
1491410526.734 36 TCP_MISS/403 2037 GET - HIER_DIRECT/ text/html
1491410526.737 272 TCP_TUNNEL/200 3192 CONNECT - HIER_DIRECT/ -
1491410526.853 112 TCP_TUNNEL/200 2918 CONNECT - HIER_DIRECT/ -
1491410618.062 97 TCP_MISS/503 4695 GET - HIER_NONE/- text/html
1491410618.344 110 TCP_REDIRECT/302 467 POST - HIER_NONE/- -
1491410618.393 45 TCP_MISS/403 2015 GET - HIER_DIRECT/ text/html
1491410618.767 138 TCP_REDIRECT/302 471 POST - HIER_NONE/- -
1491410618.817 48 TCP_MISS/403 2019 GET - HIER_DIRECT/ text/html
1491410618.820 315 TCP_TUNNEL/200 3192 CONNECT - HIER_DIRECT/ -
1491410618.929 106 TCP_TUNNEL/200 2918 CONNECT - HIER_DIRECT/ -
1491410667.171 245 TCP_REDIRECT/302 461 POST - HIER_NONE/- -
1491410667.249 72 TCP_MISS/403 2009 GET - HIER_DIRECT/ text/html
1491410727.748 61612 TCP_TUNNEL/200 3449 CONNECT - HIER_DIRECT/ -
1491410794.453 176380 TCP_TUNNEL/200 5980 CONNECT - HIER_DIRECT/ -
[/details]

Hi Valeriy,
this looks like Thunderbird tries to autoconfigure your Google account. Isn’t it configured? If so, try to configure it manually. After that please check whether you can send and receive mails.
Settings for configuration are here.
You can find a list with explanations of the messages in your access.log at this site

Screenshots of configuring it manually:

These are the screenshots of Thunderbird showing where to modify the account if you already have the account created (see my previous post)

Remember, if you get a popup with an authentication error and a link to Google, go here and activate the less-secure applications authentication.


I do as in the photo. But password verification lasts forever and does not end.

1491765332.796 122 TCP_MISS/403 2015 GET - HIER_DIRECT/ text/html
1491765333.212 331 TCP_TUNNEL/200 2918 CONNECT - HIER_DIRECT/ -
1491765333.304 124 TCP_REDIRECT/302 471 POST - HIER_NONE/- -
1491765333.344 35 TCP_MISS/403 2019 GET - HIER_DIRECT/ text/html
1491765341.374 209 TCP_REDIRECT/302 461 POST - HIER_NONE/- -
1491765341.423 43 TCP_MISS/403 2009 GET - HIER_DIRECT/ text/html
1491765341.728 303 TCP_REDIRECT/302 461 POST - HIER_NONE/- -
1491765341.783 51 TCP_MISS/403 2009 GET - HIER_DIRECT/ text/html
1491765342.809 202 TCP_REDIRECT/302 461 POST - HIER_NONE/- -
1491765342.872 59 TCP_MISS/403 2009 GET - HIER_DIRECT/ text/html
1491765403.984 61848 TCP_TUNNEL/200 6022 CONNECT - HIER_DIRECT/ -
1491765457.392 116691 TCP_TUNNEL/200 7903 CONNECT - HIER_DIRECT/ -
1491765461.589 175 TCP_TUNNEL/200 2918 CONNECT - HIER_DIRECT/ -

I found out the reason. First you need to enter the mail using Oauth2. (You will see a page confirming the password from gmail). After the settings are received, you must manually change Oauth2 to a normal password.

If you immediately put the normal password, the gmail confirmation page does not appear and the configuration process (password check) does not end.


That’s great that you solved your problem. Can you mark this thread as solved, please?

I think the problem was in my DNS server (windows server).


Please check out how to mark a topic as solved :wink: