From: CACook@... [mailto:CACook@...]
Sent: Wednesday, 8 May 2013 2:49 PM
To: Shorewall Users
Subject: Re: [Shorewall-users] Transparent Proxy
On Tuesday, May 07, 2013 06:58:50 PM Terry Gilsenan wrote:
> Firstly, Is the mail client socks aware? If it is not then that is the
> issue you need to fix. If it is, then tell it to use the socks proxy
> on port 9110
> Shorewall is an IPTables configurator, it is NOT a proxy. Shorewall isn't a magic bit of software that knows how to interface to a socks proxy.
> You need a socks aware email client.
Unfortunately it's KMail, which is not SOCKS-aware. But KMail lets me put my mail where I want and in a form that I want (mbox) and has several features that I want. I tried to like Thunderbird, Evolution, Sylpheed, Claws, etc., but each is either too primitive or lacks some vital feature. I am not happy with KMail, but it's the only one I've found that does the vitals. Trust me, I wish there were something better. I keep looking.
When I use torsocks (or usewithtor or UWT) with KMail, KMail ignores the redirect. It simply still sends on 465. How do I know? Because I block 465 and get a firewall violation. I IRCed the dev for torsocks and he says it was developed a long time ago and doesn't work with many GUI applications. He's the one who suggested that I do this with iptables, and he knows his stuff, haters notwithstanding.
I use POP3s and sSMTP (995 & 465) for email. I do not know what it takes to put this through a SOCKS5 port. The Tor SOCKS port I have allocated to email is 127.0.0.1:9110. I suppose this should be done like a tunnel, so that 465 and 995 accesses go through 9110 and come out the other end of the tunnel (at the Exit Node) and proceed to the mail server as 465 and 995, if you take my meaning. The closest thing this sounds like to me is NAT, but I don't know what the fact of a SOCKS port means in this respect, and no one else I've asked does either.
I tried to explain this: SSL and to some extent TLS will object to transparent proxying.
The problem is that KMail doesn't know how to do SOCKS, and that is what you need to fix, either by changing to an email client that CAN do SOCKS or by installing (writing?) a SOCKS "shim".
You could certainly use IPTables to re-direct your connections to your local socks proxy, but that doesn't fix the problem of your email client wanting to speak POP3 or SMTP, when the socks proxy is wanting whatever connects to it to speak SOCKS.
POP3 has specific commands, SMTP has specific commands, SOCKS has specific commands. POP3 commands addressed to a SOCKS proxy mean nothing to the SOCKS proxy, so a redirect at the transport layer is worthless; you need the application layer taken care of, and that is outside the scope of IPTables.
I simply don't think I can explain it any better than that, sorry.
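To make the application-layer point concrete, here is an added example (not from this thread, and not code from Shorewall, Tor or torsocks) that builds the SOCKS5 messages defined in RFC 1928 and compares them with the first bytes a POP3S/SMTPS client actually puts on the wire. The hostname, port and the TLS ClientHello prefix are constructed sample values; `proxy_first_reply` is a hypothetical stand-in for what a SOCKS5 server does with a client's first bytes.

```python
"""SOCKS5 (RFC 1928) framing versus what a non-SOCKS-aware client sends.

Added example, not from the mailing-list thread. It shows why an iptables
REDIRECT of port 465/995 traffic into a SOCKS port cannot work on its own:
the proxy expects a SOCKS5 greeting first, while a POP3S/SMTPS client opens
with a TLS ClientHello (and a plaintext POP3/SMTP client waits for a banner).
"""
import struct

SOCKS_VERSION = 0x05
NO_AUTH = 0x00          # METHOD 0x00: no authentication required
CMD_CONNECT = 0x01
ATYP_DOMAIN = 0x03      # DST.ADDR is a length-prefixed hostname

# Constructed sample: first record bytes of a TLS 1.x ClientHello
# (content type 22 = handshake, record version 3.1, handshake type 1).
TLS_CLIENT_HELLO_PREFIX = b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"


def socks5_greeting(methods=(NO_AUTH,)) -> bytes:
    """First message a SOCKS5 client must send: VER, NMETHODS, METHODS."""
    return bytes([SOCKS_VERSION, len(methods), *methods])


def socks5_connect_request(host: str, port: int) -> bytes:
    """Second message: VER, CMD, RSV, ATYP, DST.ADDR (domain form), DST.PORT."""
    host_b = host.encode("idna")
    if len(host_b) > 255:
        raise ValueError("hostname too long for the SOCKS5 domain address form")
    return (bytes([SOCKS_VERSION, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(host_b)])
            + host_b + struct.pack("!H", port))


def parse_connect_request(data: bytes):
    """Decode a domain-form CONNECT request back into (host, port); None if malformed."""
    if len(data) < 5 or data[0] != SOCKS_VERSION or data[1] != CMD_CONNECT:
        return None
    if data[3] != ATYP_DOMAIN:
        return None
    n = data[4]
    if len(data) != 5 + n + 2:
        return None
    host = data[5:5 + n].decode("idna")
    (port,) = struct.unpack("!H", data[5 + n:])
    return host, port


def classify_first_bytes(data: bytes) -> str:
    """What a SOCKS5 proxy can conclude from the first bytes a client sends."""
    if len(data) >= 2 and data[0] == SOCKS_VERSION and len(data) >= 2 + data[1]:
        return "socks5-greeting"
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        return "tls-client-hello"
    return "unknown"


def proxy_first_reply(data: bytes):
    """Hypothetical SOCKS5 server behaviour on the client's first bytes.

    A valid greeting offering NO_AUTH gets the method-selection reply 05 00;
    anything else is not SOCKS5 at all, so the server closes the connection
    (modelled here as None). This is the failure the thread describes: TLS
    or POP3/SMTP bytes mean nothing to the proxy.
    """
    if classify_first_bytes(data) != "socks5-greeting":
        return None
    methods = data[2:2 + data[1]]
    if NO_AUTH in methods:
        return bytes([SOCKS_VERSION, NO_AUTH])
    return bytes([SOCKS_VERSION, 0xFF])   # 0xFF: no acceptable methods


if __name__ == "__main__":
    for name, first in (("SOCKS-aware client", socks5_greeting()),
                        ("KMail on 465/995", TLS_CLIENT_HELLO_PREFIX)):
        print(f"{name:20s} -> {classify_first_bytes(first):17s} "
              f"proxy reply: {proxy_first_reply(first)!r}")
    req = socks5_connect_request("mail.example.com", 465)
    print("CONNECT request:", req.hex(), "->", parse_connect_request(req))
```

The two `classify_first_bytes` cases are the whole story: a SOCKS-aware client sends `05 01 00`, negotiates, then sends a CONNECT naming the real mail server, and only after the proxy's success reply does it start TLS and SMTP/POP3 through the tunnel. A redirected KMail connection skips all of that and opens with `16 03 01 ...`, which the proxy drops. A plaintext POP3 or SMTP client is worse still, because in those protocols the server speaks first, so the client sits waiting for a banner the proxy will never send. A SOCKS "shim" (or a SOCKS-aware client) is what inserts the greeting and CONNECT steps; iptables alone cannot.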