Bug#810933: Please support connecting to SMTP via a SOCKS proxy
Josh Triplett
Version: 6.6.6
Severity: wishlist
reportbug supports an HTTP proxy if set in the environment; however,
when it subsequently tries to submit the report, it tries to connect
directly to the specified SMTP server, and does not seem to support
using a proxy for that connection.
Please consider adding support for using a SOCKS proxy to connect to
reportbug.debian.org, and obtaining that proxy from the environment (via
the all_proxy environment variable, and respecting no_proxy).
-- Package-specific info:
** Environment settings:
EDITOR="/home/josh/.local/bin/vim-wrapper"
DEBEMAIL="jo...@joshtriplett.org"
EMAIL="jo...@joshtriplett.org"
DEBFULLNAME="Josh Triplett"
NAME="Josh Triplett"
INTERFACE="text"
** /home/josh/.reportbugrc:
reportbug_version "3.21.2"
mode expert
ui text
no-cc
header "X-Debbugs-CC: jo...@joshtriplett.org"
smtphost reportbug.debian.org:587
header "X-Debbugs-No-Ack: ack!"
-- System Information:
Debian Release: stretch/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 4.4.0-rc8+ (SMP w/4 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages reportbug depends on:
ii apt 1.1.10
ii python-reportbug 6.6.6
pn python:any <none>
reportbug recommends no packages.
Versions of packages reportbug suggests:
pn claws-mail <none>
pn debconf-utils <none>
ii debsums 2.1.2
pn dlocate <none>
ii emacs24-bin-common 24.5+1-5+b1
ii file 1:5.25-2
ii gnupg 1.4.20-1
pn postfix | exim4 | mail-transport-agent <none>
ii python-gtk2 2.24.0-4
pn python-gtkspellcheck <none>
pn python-urwid <none>
pn python-vte <none>
ii xdg-utils 1.1.1-1
Versions of packages python-reportbug depends on:
ii apt 1.1.10
ii file 1:5.25-2
ii python-debian 0.1.27
ii python-debianbts 2.6.0
pn python:any <none>
python-reportbug suggests no packages.
-- no debconf information
anonymous coward
Version: 7.10.3
Followup-For: Bug #810933
X-Debbugs-Cc: bug8...@sideload.33mail.com
I concur that SMTP proxying would be useful.
I also have a workaround using firejail. Firejail makes it possible to
restrict an app to a network namespace. So if you can configure your
proxy to be a network namespace that appears in
/proc/sys/net/ipv4/conf/, then firejail can do the rest. Restricting
apps to use Firejail is generally a good security practice anyway.
I managed to create a network (proxynet0). So running reportbug in
firejail to force use of proxynet0 looks like this:
===8<------------------------------
$ firejail --net=proxynet0\
--dns="$(ip address show dev proxynet0 | awk '/inet\>/{gsub(/[/].*/,""); print $2 }')"\
--whitelist="$HOME"/.reportbugrc\
--whitelist="$draft_folder"\
--whitelist="$app_specific_configs"\
--whitelist=/etc/passwd\
--whitelist=/var/lib/apt/lists/\
--whitelist=/var/lib/dpkg/status\
--whitelist=/etc/apt/sources.list\
--whitelist=/etc/apt/sources.d\
reportbug --draftpath="$draft_folder" --no-cc
Reading profile /etc/firejail/default.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
** Note: you can use --noprofile to disable default.profile **
Parent pid 25268, child pid 25271
Interface MAC IP Mask Status
lo 127.0.0.1 255.0.0.0 UP
eth0…
Default gateway…
DNS server…
Child process initialized in 1877.72 ms
(reportbug:11): dbind-WARNING **: 10:06:51.011: Couldn't connect to accessibility bus: Failed to connect to socket /tmp/dbus-jLt9P0UVaA: Connection refused
Please enter the name of the package in which you have found a problem, or type 'other' to report a more general problem. If you don't know
what package the bug is in, please contact debia...@lists.debian.org for assistance.
>
===8<------------------------------
Be sure to also add a --whitelist path for the config file of the app
the bug is reported on because reportbug will try to access that as
well. The placeholder “$app_specific_configs” was used above.
The reportbug app uses dbus for accessbility features, which firejail
blocks by default. The warning can be ignored if you don’t need
accessibility features. Otherwise Firejail offers the following
options to make dbus accessible:
--dbus-log=file
--dbus-system=filter|none
--dbus-system.broadcast=name=[member][@path]
--dbus-system.call=name=[member][@path]
--dbus-system.log
--dbus-system.own=name
--dbus-system.see=name
--dbus-system.talk=name
--dbus-user=filter|none
--dbus-user.broadcast=name=[member][@path]
--dbus-user.call=name=[member][@path]
--dbus-user.log
--dbus-user.own=name
--dbus-user.talk=name
--dbus-user.see=name
I’m not sure which dbus restriction needs to be lifted (hence why this
is a half-baked workaround). I tried adding this:
--dbus-system=filter --dbus-system.call=org.freedesktop.DBus=org.freedesktop.DBus.*@/org/gnome/desktop/a11y/
but got:
Error: Invalid dbus-system.call rule: org.freedesktop.DBus=org.freedesktop.DBus.*@/org/gnome/desktop/a11y/
Anyway, that’s typically not needed. Hopefully this workaround helps
someone looking to proxy their reportbug SMTP traffic.
Note as well that the info in this post can be useful if someone wants
to introduce a reportbug profile into the firejail project.
-- Package-specific info:
** Environment settings:
EDITOR="emacs"
INTERFACE="text"
-- System Information:
Debian Release: 11.0
APT prefers stable-updates
APT policy: (990, 'stable-updates'), (990, 'stable-security'), (990, 'testing'), (990, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 5.10.0-8-amd64 (SMP w/2 CPU threads)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages reportbug depends on:
ii apt 2.2.4
ii python3 3.9.2-3
ii python3-reportbug 7.10.3
ii sensible-utils 0.0.14
reportbug recommends no packages.
Versions of packages reportbug suggests:
pn claws-mail <none>
pn debconf-utils <none>
pn debsums <none>
pn dlocate <none>
ii emacs-bin-common 1:27.1+1-3.1
ii file 1:5.39-3
ii gnupg 2.2.27-2
ii postfix [mail-transport-agent] 3.5.6-1+b1
pn python3-urwid <none>
pn reportbug-gtk <none>
ii xdg-utils 1.1.3-4.1
Versions of packages python3-reportbug depends on:
ii apt 2.2.4
ii file 1:5.39-3
ii python3 3.9.2-3
ii python3-apt 2.2.1
ii python3-debian 0.1.39
ii python3-debianbts 3.1.0
ii python3-requests 2.25.1+dfsg-2
ii sensible-utils 0.0.14
python3-reportbug suggests no packages.
-- no debconf information
Bug reporter xyz
Version: 12.0.0
Followup-For: Bug #810933
(Note: I'm not on Debian but on a derivative with the same issue)
I use tsocks as a workaround, however this causes reportbug to fail checking for newer versions and other bug reports:
~$ tsocks reportbug -d
Please enter the name of the package in which you have found a problem, or type 'other' to report a more general problem. If you don't know what package the bug is in, please contact debian-
us...@lists.debian.org for assistance.
> reportbug
Is "reportbug" actually the package you are having problems with [Y|n|q|?]?
*** Welcome to reportbug. Use ? for help at prompts. ***
Note: bug reports are publicly archived (including the email address of the submitter).
Detected character set: UTF-8
Please change your locale if this is incorrect.
Using 'Bug reporter xyz <mxuse...@morke.org>' as your from address.
Getting status for reportbug...
Checking for newer versions at madison...
Will send report to Debian (per lsb_release).
Querying Debian BTS for reports on reportbug src:reportbug...
Error retrieving information on existing bug reports from the BTS. The following error was detected:
Unable to connect to Debian BTS (error: "TimeoutError('timed out')");
Do you still want to file a report [y|N|q|?]? n
Firewall logs in dmesg and netstat both show that reportbug successfully connects to the proxy server (I micromanage loopback connections...):
tcp 0 0 127.0.0.1:39016 127.0.0.1:9050 ESTABLISHED 324914/python3
I have verified:
1. My DNS server works and reportbug can use it (that DNS leak should be addressed btw, maybe add socks5 protocol support?)
2. My Proxy server works and has access to the internet
3. My Proxy's IP address is not blacklisted or else the workaround below would not work
Workaround:
1. Set a custom http proxy when creating the bug report (I use privoxy):
reportbug --proxy http://127.0.0.1:8118
2. Go through the steps, create bug report
3. Don't send bug report, quit reportbug
4. Resume bug reporting using tsocks:
tsocks reportbug -r /tmp/reportbug-reportbug-[...]
5. Send bug report; drink tea
I have verified:
tsocks is set up correctly, all data is proxified, no direct internet access permitted or attempted (except for the DNS lookup which I proxy too).
-- Package-specific info:
** Environment settings:
** /home/vulnerablenet/.reportbugrc:
reportbug_version "12.0.0"
mode novice
ui text
realname "Bug reporter xyz"
email "mxuse...@morke.org"
no-cc
smtphost reportbug.debian.org
-- System Information:
Debian Release: 12.1
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Foreign Architectures: i386
Init: sysvinit (via /sbin/init)
Versions of packages reportbug depends on:
ii python3 3.11.2-1+b1
ii python3-reportbug 12.0.0
ii sensible-utils 0.0.17+nmu1
reportbug recommends no packages.
Versions of packages reportbug suggests:
pn claws-mail <none>
pn debsums <none>
pn default-mta | postfix | exim4 | mail-transport-agent <none>
pn dlocate <none>
pn emacs-bin-common <none>
ii file 1:5.44-3
ii gnupg 2.2.40-1.1
pn reportbug-gtk <none>
ii xdg-utils 1.1.3-4.1
Versions of packages python3-reportbug depends on:
ii file 1:5.44-3
ii python3 3.11.2-1+b1
ii python3-apt 2.6.0
ii python3-debian 0.1.49
ii python3-debianbts 4.0.1
ii python3-requests 2.28.1+dfsg-1
ii sensible-utils 0.0.17+nmu1
python3-reportbug suggests no packages.
-- no debconf information