
Postfix smtp via socks5


Francina Oates

Jan 24, 2014, 12:41:24 PM
I was trying to send using default transport/smtp through a socks5 proxy provided by ssh -D.

I experience that Postfix does not easily support this, but I got pretty far:

a. Install tsocks package on Ubuntu 13.04

b. Create /usr/lib/postfix/smtp_socks
    #!/bin/bash
    export TSOCKS_CONF_FILE=/etc/postfix/tsocks.conf
    exec tsocks /usr/lib/postfix/smtp "$@"

c. Create /etc/postfix/tsocks.conf
    server = 127.0.0.1
    server_port = 1126
    server_type = 5

d. Add to /etc/postfix/master.cf
    smtp_socks unix - - - - - smtp_socks

e. Add to /etc/postfix/main.cf
    default_transport = smtp_socks

f. Set up tunnel and send email to the Internet
    ssh -D 1126 remoteserver.com

It does not work:
smtp does not actually create connections but more likely hands that off to some other process.
The log displays:
postfix/smtp[7848]: connect to aspmx.l.google.com[2a00:1450:4008:c01::1a]:25: Network is unreachable
postfix/smtp[7845]: connect to aspmx.l.google.com[74.125.25.27]:25: Connection timed out

Of course this works:
TSOCKS_CONF_FILE=/etc/postfix/tsocks.conf tsocks telnet aspmx.l.google.com 25
Trying 173.194.79.27...
Connected to aspmx.l.google.com.
Escape character is '^]'.
220 mx.google.com ESMTP g6si6607378pad.169 - gsmtp

As opposed to being blocked while not using socks5:
telnet aspmx.l.google.com 25
Trying 173.194.79.27...
^C
How can I make it work?


There are great reasons for using a SOCKS5 server:
- perhaps your computer has a dynamic ip
- perhaps your isp does not allow port 25 connections
- perhaps you want an encrypted connection all the way to the recipient's mta, as opposed to having an unencrypted mail queue somewhere on the Internet

We do NOT want an intermediate mta or postfix.

Looking forward to any suggestions,

moparisthebest

Jan 24, 2014, 2:01:21 PM
On 01/24/2014 12:41 PM, Francina Oates wrote:
> There are great reasons for using a SOCKS5 server:
> - perhaps your computer has a dynamic ip
> - perhaps your isp does not allow port 25 connections
> - perhaps you want an encrypted connection all the way to the
> recipient's mta, as opposed to have an unencrypted mail queue
> somewhere on the Internet
>
> We do NOT want an intermediate mta or postfix.
>
> Looking forward to any suggestions,

Just thought I'd mention that I accomplish this (running postfix at home
with a residential connection) via a server-to-server OpenVPN tunnel.
It gives me an IP on both ends to bind to and route traffic across, and
is just as secure as SSH if not more so.

Francina Oates

Jan 24, 2014, 7:58:44 PM
The lack of socks support is an increasingly serious shortcoming of Postfix.

If 2013 taught us anything, it is that the only way to have secure
email is to store using full disk encryption on a computer in your
physical custody and to send and receive using trusted TLS or better.

* Cloud computing is not secure
* Hosted Webmail is not secure

These new findings are easy for people who rent a co-location cage or
have an enterprise-grade Internet connection.

Everybody else will need socks to send outbound email and Postfix does
not support that.

li...@rhsoft.net

Jan 24, 2014, 8:14:09 PM

On 25.01.2014 01:58, Francina Oates wrote:
> The lack of socks support is an increasingly serious shortcoming of Postfix.
>
> If 2013 taught us anything, it is that the only way to have secure
> email is to store using full disk encryption on a computer in your
> physical custody and to send and receive using trusted TLS or better.
>
> * Cloud computing is not secure
> * Hosted Webmail is not secure
>
> These new findings are easy for people who rent a co-location cage or
> have an enterprise-grade Internet connection.
>
> Everybody else will need socks to send outbound email and Postfix does
> not support that.

why does anybody need socks for encryption and how does that
change the way messages are stored? postfix has supported TLS
for many years, as mail clients do

what I find remarkable is that 2013 changed anything, because
the problems existed long before, as well as long before
people used TLS to send and receive e-mail

the only thing which 2013 has changed is that people talking
about encryption and security are no longer called paranoid
idiots, as happened before the NSA leaks

Wietse Venema

Jan 24, 2014, 8:27:50 PM
Francina Oates:
> The lack of socks support is an increasingly serious shortcoming
> of Postfix.

You are welcome to donate code.

Wietse

Francina Oates

Jan 25, 2014, 3:42:47 AM

I looked at the code in smtp_connect.c, it looked too complicated for me :)

That's sad, because the socks protocol is very simple.

Someone you emailed with in 2002 claimed to have done it, and then
there are a handful of claims on the Internet that do not work.

I looked at installing an mta in parallel with Postfix, and it's only
the big ones courier, exim, qmail that are actually routing and they
don't like to be installed together with Postfix. I even tried to run
a tsocks-wrapped second Postfix. Not easy. Not working.

So, what I will do is to write a pipe delivery agent. Postfix provides
enough macros for the MX dns lookup and the envelope, and I can use
the bash script as a tsocks wrapper, launching a second script
utilizing some smtp library. That looks like a suitable weekend
project.
- macros are provided as command line arguments
- the message text is available at stdin
- status code 75 means defer, 0 means success
- Postfix copies stdout output to mail.log


To clarify for lists()rhsoft.net:
Adding the socks protocol to smtp allows for end-to-end TLS encryption
even though the email appears to be sent from an intermediate node.
Socks removes the requirement to trust the provider of that
intermediate node and public IP address. A traffic logger or disk
image snooper will see the destination mta ip but none of the message.
Frequently, the destination is common like gmail, and the obtained
information is of little value.

The hundreds of Bitcoin breaches are symptoms of cloud security being
nonexistent. It would surprise me if the NSA are responsible for
those.
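A sketch of the pipe delivery agent described above, added here as an example and not code from the thread: instead of a tsocks wrapper it performs the SOCKS5 CONNECT handshake itself (RFC 1928, the "very simple" protocol), hands the resulting socket to Python's smtplib, and returns the exit codes pipe(8) understands (0 delivered, 75 defer). The proxy address, the MX hostname passed in by the caller, and the Socks5SMTP class overriding CPython's internal _get_socket hook are assumptions; resolving the MX for a destination domain is left to the caller.

```python
import smtplib
import socket
EX_OK, EX_TEMPFAIL = 0, 75   # sysexits(3) values that pipe(8) reports as delivered / deferred

def socks5_connect_request(host, port):      # RFC 1928 s.4 CONNECT with ATYP=3: the proxy resolves the name
    name = host.encode("idna")               # bytes([len(name)]) rejects names longer than 255 octets
    return b"\x05\x01\x00\x03" + bytes([len(name)]) + name + port.to_bytes(2, "big")

def recv_exact(sock, n):                     # read exactly n bytes; a short read means the proxy hung up
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise OSError("proxy closed the connection during the SOCKS5 handshake")
        buf += chunk
    return buf

def socks5_connect(proxy, dest, timeout=None):
    """Return a TCP socket to dest=(host, port) tunnelled through the SOCKS5 proxy at proxy=(host, port)."""
    sock = socket.create_connection(proxy, timeout)
    try:
        sock.sendall(b"\x05\x01\x00")                    # VER=5, NMETHODS=1, METHOD=0: no auth, as ssh -D offers
        if recv_exact(sock, 2) != b"\x05\x00":
            raise OSError("proxy rejected the no-authentication method")
        sock.sendall(socks5_connect_request(*dest))
        ver, rep, _rsv, atyp = recv_exact(sock, 4)
        if ver != 5 or rep != 0:                         # REP 1..8: general failure, unreachable, refused, ...
            raise OSError("SOCKS5 CONNECT failed, REP=%d" % rep)
        addr_len = recv_exact(sock, 1)[0] if atyp == 3 else {1: 4, 4: 16}[atyp]
        recv_exact(sock, addr_len + 2)                   # drain BND.ADDR and BND.PORT; the SMTP banner follows
        return sock
    except (OSError, KeyError):                          # KeyError: unknown ATYP in the reply
        sock.close()
        raise

class Socks5SMTP(smtplib.SMTP):
    def __init__(self, proxy, host, port=25):
        self.proxy = proxy                               # must exist before connect() runs in super().__init__
        super().__init__(host, port)
    def _get_socket(self, host, port, timeout):          # CPython hook that connect() calls to open the TCP socket
        return socks5_connect(self.proxy, (host, port), timeout)

def deliver(proxy, mx_host, sender, recipients, message):
    """pipe(8) agent body: relay one message to mx_host:25 through the proxy and return the exit status."""
    try:
        with Socks5SMTP(proxy, mx_host) as smtp:
            smtp.starttls()                              # TLS ends at the MX, not at the proxy; no STARTTLS -> defer
            smtp.sendmail(sender, recipients, message)
        return EX_OK
    except Exception:                                    # any failure: defer (75) so the queue retries, never bounce
        return EX_TEMPFAIL
```

Wired up as a pipe(8) transport, the script would be invoked with the MX host, ${sender} and ${recipient} as arguments and the message on stdin, and would call sys.exit(deliver(...)) with the ssh -D address as the proxy.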

Andrzej A. Filip

Jan 25, 2014, 4:46:59 AM
On 01/25/2014 02:27 AM, Wietse Venema wrote:
> Francina Oates:
>> The lack of socks support is an increasingly serious shortcoming
>> of Postfix.
>
> You are welcome to donate code.
>
> Wietse
>

As I understand it, it requires passing a preset LD_PRELOAD environment variable.

http://tsocks.sourceforge.net/faq.php
tsocks can be used a number of ways, the most common being the
LD_PRELOAD environment variable. When set (often through a script) this
requests that the system dynamic loader load tsocks into each process
before execution of the process begins. This allows tsocks to redirect
calls to standard networking functions to force them to be socksified.

Andrzej A. Filip

Jan 25, 2014, 6:44:44 PM
On 01/25/2014 02:22 PM, Wietse Venema wrote:
> Andrzej A. Filip:
>> On 01/25/2014 02:27 AM, Wietse Venema wrote:
>>> Francina Oates:
>>>> The lack of socks support is an increasingly serious shortcoming
>>>> of Postfix.
>>>
>>> You are welcome to donate code.
>>
>> As I understand it requires passing preset LD_PRELOAD environment variable.
>>
>> http://tsocks.sourceforge.net/faq.php
>> tsocks can be used a number of ways, the most common being the
>> LD_PRELOAD environment variable. When set (often through a script) this
>> requests that the system dynamic loader load tsocks into each process
>> before execution of the process begins. This allows tsocks to redirect
>> calls to standard networking functions to force them to be socksified.
>
> You can try:
>
> /etc/postfix/main.cf:
> import_environment = LD_PRELOAD=/path/to/object remainder of default
> $import_environment settings
>
> I make no promises that this will be sufficient. For example,
> features such as mynetworks look at local network interfaces, and
> that will not work.

Is it possible to set/pass environment variables per master.cf entry?

Wietse Venema

Jan 25, 2014, 7:24:17 PM
Andrzej A. Filip:
> > You can try:
> >
> > /etc/postfix/main.cf:
> > import_environment = LD_PRELOAD=/path/to/object remainder of default
> > $import_environment settings
> >
> > I make no promises that this will be sufficient. For example,
> > features such as mynetworks look at local network interfaces, and
> > that will not work.
>
> Is it possible to set/pass environment variables per master.cf entry?

There currently is no code to set environments for individual
daemons, because until now such code was not needed.

It is easy enough to wrap the smtpd(8) or smtp(8) executable with
a small program that sets the environment.

There are no promises that automatic socksification will work.
Postfix daemons make socket calls not only for email delivery but
also to talk to other Postfix daemons.

Wietse

renne....@gmail.com

Jul 16, 2014, 1:10:51 PM
Considering all the faked TLS-certificates (e.g. for Google and Yahoo domains) and the expressiveness of meta-data, it seems TOR transport is the only way to protect privacy, as it anonymizes the meta-data, too. An SMTP-server can just be run as a TOR Hidden Service, but the SMTP-client needs SOCKS5-support to connect to the TOR client.

Wietse, please add SOCKS5-support to the great Postfix. ;)

Regards,

Renne