HTTP proxy & firewall woes


Demi M. Obenour

Feb 20, 2018, 12:09:12 PM
to qubes...@googlegroups.com
I use GMail and Thunderbird for email, and Firefox as my browser.  I do
email and GitHub from a different domain that is more trusted than
others (it’s blue).

I would love to restrict its networking abilities by using firewall
rules or a filtering proxy.  Sadly, I have not been able to do that
without breaking at least GMail.  For firewall rules, the culprit seems
to be Google’s use of DNS load balancing, but I am not sure what is
breaking for the filtering proxy.  OCSP stapling?

I would much prefer to be able to restrict network access, but I cannot
break what needs to work.  Does anyone have suggestions?

awokd

Feb 21, 2018, 4:08:13 AM
to Demi M. Obenour, qubes...@googlegroups.com
Probably OCSP stapling like you said. Some filtering proxies can be
configured to pass through SSL/TLS sessions unmolested, but then they
can't filter them by content. You might also try POP3/SMTP vs. IMAP
although Gmail probably uses the same types of certs for both.

Demi M. Obenour

Feb 21, 2018, 4:59:11 PM
to qubes...@googlegroups.com, aw...@danwin1210.me
On 02/21/2018 08:36 AM, awokd wrote:
> On Wed, February 21, 2018 12:55 pm, Demi Obenour wrote:
>> Weird. Proxy logs indicate that the proxy never receives a CONNECT
>> request from Firefox.
> Assuming you're on R3.2, have you seen
> https://www.qubes-os.org/doc/config/http-filtering-proxy ?
> https://www.qubes-os.org/doc/firewall might also be useful if you're
> having firewall issues.
>
I did, and finally figured out the problem:

Thunderbird does not support SMTP/IMAP/POP3 over an HTTP proxy, only
over a SOCKS proxy.  But the latter is not useful in this case, because
a SOCKS5 proxy receives an IP address, not a domain name, and so cannot
filter by domain name.  Furthermore, Google uses many, many IP
addresses, and rotates them frequently, so one cannot usefully filter by
IP address.

I am going to be reporting this as a Thunderbird bug — the fix is to use
a CONNECT request for SMTP/IMAP/POP3 just as is done for TLS.  In the
meantime, I have had no choice but to enable all networking for that
domain.  I still gain some security benefit, because Firefox and
Thunderbird honor the HTTP proxy settings, and so I cannot accidentally
browse to a dangerous site by mistake.

I wonder if Evolution would be a better choice than Thunderbird.  It
might not have this bug.  Does it have a worse history when it comes to
security?

Demi
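The fix Demi describes, a CONNECT request for the mail ports, works for a filtering proxy because the request line names the destination host, so the proxy can apply a hostname allowlist before it opens any tunnel. The following is an added example (not code from the thread, Thunderbird, or the Qubes proxy) showing both sides of that: the CONNECT request a client would send for IMAPS, and the policy decision a proxy makes from it. The allowlisted hostnames and ports are constructed sample values.

```python
import re

# Constructed allowlist for the trusted (blue) VM: mail and GitHub endpoints only.
# Hostnames here are sample values chosen for the example, not a vetted list.
ALLOWED_HOSTS = {"imap.gmail.com", "smtp.gmail.com", "mail.google.com",
                 "github.com", "api.github.com"}
ALLOWED_PORTS = {443, 465, 587, 993}

CONNECT_RE = re.compile(r"^CONNECT\s+(\S+):(\d{1,5})\s+HTTP/1\.[01]$")


def build_connect(host: str, port: int) -> bytes:
    """CONNECT request a client sends to ask an HTTP proxy for a raw TCP tunnel.

    Firefox already sends this for HTTPS; the thread's point is that a mail
    client would need to send the same thing for IMAPS/SMTPS.
    """
    return f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n".encode("ascii")


def parse_connect(request: bytes):
    """Return (host, port) from the request line, or None if it is not a CONNECT."""
    first_line = request.split(b"\r\n", 1)[0].decode("ascii", "replace")
    m = CONNECT_RE.match(first_line)
    if not m:
        return None
    # Lower-case the name and drop IPv6 literal brackets so comparisons are uniform.
    return m.group(1).lower().strip("[]"), int(m.group(2))


def decide(request: bytes, allowed_hosts=ALLOWED_HOSTS, allowed_ports=ALLOWED_PORTS) -> bytes:
    """Proxy-side policy: because CONNECT names the destination, filtering is by hostname."""
    target = parse_connect(request)
    if target is None:
        return b"HTTP/1.1 405 Method Not Allowed\r\n\r\n"
    host, port = target
    if host in allowed_hosts and port in allowed_ports:
        # A real proxy would now open the TCP connection and splice the two sockets;
        # the TLS session inside the tunnel is passed through untouched.
        return b"HTTP/1.1 200 Connection Established\r\n\r\n"
    return b"HTTP/1.1 403 Forbidden\r\n\r\n"


if __name__ == "__main__":
    for host, port in [("imap.gmail.com", 993), ("imap.gmail.com", 143), ("tracker.example", 443)]:
        status = decide(build_connect(host, port)).split(b"\r\n")[0].decode()
        print(f"{host}:{port} -> {status}")
```

The decision is made on the name the client asked for, before any packet leaves the proxy, which is exactly what an IP-based rule cannot do against a service that rotates addresses.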

Demi M. Obenour

Feb 21, 2018, 6:42:54 PM
to qubes...@googlegroups.com, aw...@danwin1210.me
I just had a further thought: could I work around this?  My thought was
to use /etc/hosts to force Thunderbird to use a specific IP, then proxy
that IP using a trivial C program using libcurl.

Demi

Tim W

Feb 21, 2018, 7:59:35 PM
to qubes-users
Evolution should work. It did have a bug back in 2012 but that was it from what I recall.

Evolution also does not automatically follow GNOME's setting and has its own.

Open Evolution > Edit > Preferences > Network Preferences > you should see the default proxy setting page with a link to open advanced settings. But in the basic page you have entries for http, https and socks proxy config.

It's been a long time but it should be there or close to it. I have found I enjoy Evolution over t-bird. Maybe it's just the change but it seems smoother and not so heavy laden. Firefox has also gotten chubby and away from its sleek roots as well. For max email efficiency I find a terminal email app still has its place, not to mention simplifies things. Mutt, Sup, Alpine. Sup is pretty cool with its power and use of tags for organization.

Anyways hope that Evolution info is helpful.

Unman

Feb 21, 2018, 9:17:22 PM
to Demi M. Obenour, qubes...@googlegroups.com, aw...@danwin1210.me
You could try whitelisting IMAP to Google net ranges - get the SPF
records using dig _netblocks.google.com txt
I've tried the hosts entries, but it's pretty difficult to do this
effectively given the somewhat opaque way that Google will reroute
traffic. You may as well sell your soul and use the blocks -
74.125.0.0/16 covers a good deal of gmail imap if I recall.
At least you'll have some restrictions on outgoing traffic.
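Turning the `dig ... txt` output Unman mentions into firewall rules means walking the SPF record's `include:` chain, collecting the `ip4:`/`ip6:` terms, and emitting one accept rule per block and mail port. The following is an added example, not code from the thread or from Qubes: the TXT answers are a constructed stand-in for what dig would return (the record shape is the real SPF format, but the names and most addresses are sample values; 74.125.0.0/16 is the block Unman quotes), and the output is plain iptables syntax, assumed to be loaded into whatever VM does the filtering. One caveat a practitioner should keep in mind: SPF lists the addresses allowed to send mail for a domain, so it is an approximation of where IMAP/SMTP submission endpoints live, not a guarantee.

```python
import ipaddress
from typing import Dict, List

# Constructed stand-in for `dig <name> txt` answers (offline, so nothing is resolved here).
# _netblocks2 includes _spf again on purpose, to show the loop guard in spf_networks().
SAMPLE_TXT: Dict[str, List[str]] = {
    "_spf.example.com": [
        '"v=spf1 include:_netblocks.example.com include:_netblocks2.example.com ~all"'
    ],
    "_netblocks.example.com": ['"v=spf1 ip4:74.125.0.0/16 ip4:64.233.160.0/19 ~all"'],
    "_netblocks2.example.com": ['"v=spf1 ip6:2001:db8::/32 include:_spf.example.com ~all"'],
}

MAIL_PORTS = (993, 465, 587)  # IMAPS, SMTPS, submission


def spf_networks(name: str, txt_lookup: Dict[str, List[str]], seen=None):
    """Collect ip4:/ip6: networks from an SPF record and everything it include:s.

    `seen` stops a malicious or mistaken include: loop from recursing forever.
    """
    if seen is None:
        seen = set()
    if name in seen:
        return []
    seen.add(name)
    nets = []
    for record in txt_lookup.get(name, []):
        record = record.strip('"')
        if not record.startswith("v=spf1"):
            continue  # domains publish other TXT records too; ignore them
        for term in record.split()[1:]:
            if term.startswith(("ip4:", "ip6:")):
                nets.append(ipaddress.ip_network(term.split(":", 1)[1], strict=False))
            elif term.startswith("include:"):
                nets.extend(spf_networks(term[len("include:"):], txt_lookup, seen))
    return nets


def collapse(nets):
    """Merge overlapping/adjacent blocks; v4 and v6 must be collapsed separately."""
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def is_allowed(ip: str, nets) -> bool:
    """Would a connection to this destination address pass the generated rules?"""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def iptables_rules(nets, ports=MAIL_PORTS) -> List[str]:
    """One ACCEPT per (block, port). Assumes the OUTPUT chain otherwise drops these ports."""
    rules = []
    for n in nets:
        tool = "iptables" if n.version == 4 else "ip6tables"
        for p in ports:
            rules.append(f"{tool} -A OUTPUT -d {n} -p tcp --dport {p} -j ACCEPT")
    return rules


if __name__ == "__main__":
    allowed = collapse(spf_networks("_spf.example.com", SAMPLE_TXT))
    for rule in iptables_rules(allowed):
        print(rule)
```

Re-run the collection periodically: the blocks behind the SPF includes change, which is the same rotation that defeated the /etc/hosts approach, and a stale allowlist fails closed for the mail client.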