Closed tuncayaskin closed 4 years ago
Thanks for the detailed report. SSLproxy runs fine on UTMFW with smtp-gated, but I don't remember if I have modified anything in smtp-gated other than the code to support the mode of operation required by sslproxy. You can check those modifications under the ports folder in the UTMFW sources. But UTMFW uses just ssl not autossl. So I think ssl should work, but I am not sure about autossl, simply because I don't have a test environment. Plus, I don't have automated end-to-end tests (using testproxy) for smtp yet, so again that's another reason I am not sure about autossl. Unfortunately, I am traveling at the moment, so it is hard for me to look into this issue in detail, but perhaps I can in a week or so. You can obtain very verbose logs by enabling the DEBUG_PROXY macro and then starting sslproxy with the -D4 option. You can do the same for lp as well.
SMTP-STARTTLS not working via SSLproxy v0.7.0: I am trying to use SSLproxy v0.7.0 for SMTP (25) and SMTP-STARTTLS (587) connections. I am using a sample listening program which reads the packet and sends it back to the SSLproxy listening on a dynamically assigned address. I have configured the required iptables NAT rules for redirection and I am able to send mails from Thunderbird via SSLproxy for SMTP and SMTP-STARTTLS connections. But I am facing a few issues here and there [SSLproxy is running with the debug option].
1. Sending multiple mails [SMTP-STARTTLS]:
While sending multiple mails, SSLproxy throws an error "Client-side BEV_EVENT_ERROR Error from bufferevent: 0:- 336130329:281:decryption failed or bad record mac:20:SSL routines:143:ssl3_get_record SSL_free() in state 00000001 = 0001 = SSLERR (error) [accept socket]".
[Note: This issue occurs at random iterations]
2. Increasing attachment size [SMTP-STARTTLS]:
The code works well when sending without attachments. But when I increase the attachment size (e.g. 2MB), I get the following error in Thunderbird: "The message could not be sent because the outgoing SMTP server timed out".
[Note: Sometimes the SMTP Timeout error message (Thunderbird) comes after the SMTP DATA command, and at times SSLproxy does not send the first packet itself].
Thanks Preethi for the report.
I hope you, both @tuncayaskin and @Preethikarunakaran, are using smtp and/or autossl proxyspecs while testing. For example, I see that @tuncayaskin reports that he is using "ssl 0.0.0.0 8443 up:5555". Actually, his proxyspec should have been "smtp 0.0.0.0 8443 up:5555" for plain smtp, "smtps 0.0.0.0 8443 up:5555" for secure smtp, and "autossl 0.0.0.0 8443 up:5555" for starttls.
So, @tuncayaskin and @Preethikarunakaran, have you tried using smtp/smtps/autossl proxyspecs?
@sonertari Yeah. I have done the proxy specifications for smtp/smtps/autossl as mentioned only. My proxyspecs configured in the configuration file are as follows:
ProxySpec smtp 0.0.0.0 8025 up:9199
ProxySpec smtps 0.0.0.0 8465 up:9199
ProxySpec autossl 0.0.0.0 8587 up:9199
The required NAT redirection rules are also configured. My listening program is running at port 9199.
@Preethikarunakaran Alright, I think the issue is with autossl, not smtp or smtps, as I predicted before. I will change the title of this issue to "autossl not working" if @tuncayaskin confirms too.
@Preethikarunakaran and @tuncayaskin, I think I have fixed the autossl mode. It seems to work here without any issues using lp as the listening program. I have tried with 5MB attachments too. Can you try the source-tree branch and report back please? Note that this branch has many other fixes and improvements, most notably the restructuring of the source tree, as the name implies.
Just for the record, I have fixed and updated smtp-gated patches accordingly, if anyone wants to use smtp-gated as the listening program: https://github.com/sonertari/UTMFW/commit/51d953ab41cba9a17b5f578f98a9be162deda056.
I did not try smtp, smtps, or autossl. I will look at it for my purpose later, and I will report back.
v0.8.0 includes fixes and improvements for both autossl and smtp. So I am closing this issue. (You can always re-open this issue if you have problems.)
It is working now. Thank you for the update.
I cannot send mail with Thunderbird via sslproxy. It works very well for http and https. But when I try to send mail over sslproxy, it just connects to the mail server and stays in the same situation, and sslproxy does nothing. I am using the listening program from the extra file. I did not write the listening program, so it is not caused by the listening program. Finally, I can send mail over starttls and ssl in sslsplit; it works fine. But it does not work in sslproxy, and I need to read inside the smtp packet before sending.
One thing caught my attention: when I close the connection, sslproxy gives the info "ssl disconnected" for the mail server ip, and it should be like this, but the listening program gives the info "tcp disconnected" for nothing. Now, the smtp packet goes to sslproxy, then the listening program takes it from sslproxy, but could the issue be that the listening program cannot give the packet back to sslproxy? However, lp can give back https and http packets.
sslproxy -V
root@genel:/home/test# sslproxy -V
SSLproxy (built 2020-02-14)
WARNING: Something is wrong with the version compiled into sslproxy! The version should contain a release number and/or a git commit reference. If using a package, please report a bug to the distro package maintainer.
Copyright (c) 2017-2019, Soner Tari sonertari@gmail.com
https://github.com/sonertari/SSLproxy
Copyright (c) 2009-2019, Daniel Roethlisberger daniel@roe.ch
https://www.roe.ch/SSLsplit
Build info: V:DIR N:5a5e84d
Features: -DHAVE_NETFILTER
NAT engines: netfilter* tproxy
netfilter: IP_TRANSPARENT IP6T_SO_ORIGINAL_DST
Local process info support: no
compiled against OpenSSL 1.1.1 11 Sep 2018 (1010100f)
rtlinked against OpenSSL 1.1.1 11 Sep 2018 (1010100f)
OpenSSL has support for TLS extensions
TLS Server Name Indication (SNI) supported
OpenSSL is thread-safe with THREADID
OpenSSL has engine support
Using SSL_MODE_RELEASE_BUFFERS
SSL/TLS protocol availability: tls10 tls11 tls12
SSL/TLS algorithm availability: !SHA0 RSA DSA ECDSA DH ECDH EC
OpenSSL option availability: SSL_OP_NO_COMPRESSION SSL_OP_NO_TICKET SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION SSL_OP_TLS_ROLLBACK_BUG
compiled against libevent 2.1.8-stable
rtlinked against libevent 2.1.8-stable
compiled against libnet 1.1.6
rtlinked against libnet 1.1.6
compiled against libpcap n/a
rtlinked against libpcap 1.8.1
compiled against sqlite 3.22.0
rtlinked against sqlite 3.22.0
1 CPU cores detected
uname -a
Linux genel 4.15.0-76-generic #86-Ubuntu SMP Fri Jan 17 17:24:28 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
sslproxy
sslproxy -c ca.pem -k ca.key ssl 0.0.0.0 8443 up:5555 -D -P
lp 127.0.0.1 5555 -D
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 8443
iptables -t nat -A PREROUTING -p tcp --dport 587 -j REDIRECT --to-ports 8443
iptables -t nat -A PREROUTING -p tcp --dport 587 -j REDIRECT --to-ports 8443
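The pairing of destination ports with proxyspec modes that @sonertari explains earlier in the thread (smtp for plain SMTP, smtps for implicit TLS, autossl for STARTTLS) and the REDIRECT rules pasted in the original report can be cross-checked mechanically. The script below is an added example for this thread, not SSLproxy's own code: the PORT_MODES table (which modes fit which port), the audit() helper and the two regexes are assumptions of the example, and the two sample configurations are constructed from what was pasted in this issue. Run on the original report's configuration it flags both the submission port (587, STARTTLS) being redirected to an "ssl" proxyspec and the repeated rule; run on the corrected ProxySpec lines with matching per-port redirects it reports nothing.

```python
import re
from collections import Counter

# Assumption of this example: which SSLproxy proxyspec modes can handle the
# traffic normally found on each destination port. 587 (submission) starts in
# cleartext and upgrades with STARTTLS, so only autossl fits it; 465 is TLS
# from the first byte (smtps); 25 may be plain or STARTTLS-upgraded.
PORT_MODES = {
    25: {"smtp", "autossl"},
    465: {"smtps"},
    587: {"autossl"},
    443: {"ssl", "https"},
}

# A proxyspec as written on the sslproxy command line or as a ProxySpec
# config line: <mode> <listen addr> <listen port> up:<listening program port>
SPEC_RE = re.compile(
    r"(?:^|\s)(?:ProxySpec\s+)?"
    r"(?P<mode>tcp|ssl|http|https|pop3|pop3s|smtp|smtps|autossl)\s+"
    r"(?P<addr>\S+)\s+(?P<port>\d+)\s+up:(?P<up>\d+)"
)

# An iptables nat REDIRECT rule; only the two ports matter for this check.
RULE_RE = re.compile(
    r"--dport\s+(?P<dport>\d+).*?-j\s+REDIRECT\s+--to-ports?\s+(?P<to>\d+)"
)


def parse_proxyspecs(text):
    """Map each SSLproxy listen port to the mode of the proxyspec bound to it."""
    return {int(m.group("port")): m.group("mode") for m in SPEC_RE.finditer(text)}


def parse_redirects(text):
    """Return (dport, to_port) for every REDIRECT rule, duplicates included."""
    return [(int(m.group("dport")), int(m.group("to"))) for m in RULE_RE.finditer(text)]


def audit(spec_text, rule_text):
    """Return human-readable findings; an empty list means every redirected
    port lands on a proxyspec whose mode fits that port per PORT_MODES."""
    specs = parse_proxyspecs(spec_text)
    redirects = parse_redirects(rule_text)
    findings = []
    for (dport, to), n in Counter(redirects).items():
        if n > 1:
            findings.append(f"dport {dport} -> {to}: rule appears {n} times")
    for dport, to in dict.fromkeys(redirects):  # unique pairs, in rule order
        mode = specs.get(to)
        if mode is None:
            findings.append(f"dport {dport} -> {to}: no proxyspec listens on port {to}")
        elif dport not in PORT_MODES:
            findings.append(f"dport {dport} -> {to} ({mode}): port role unknown, check by hand")
        elif mode not in PORT_MODES[dport]:
            findings.append(
                f"dport {dport} -> {to} ({mode}): expected one of {sorted(PORT_MODES[dport])}"
            )
    return findings


# Constructed sample input, taken from the configurations quoted in this issue.
REPORTED_SPEC = "sslproxy -c ca.pem -k ca.key ssl 0.0.0.0 8443 up:5555 -D -P"
REPORTED_RULES = """\
iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 8443
iptables -t nat -A PREROUTING -p tcp --dport 587 -j REDIRECT --to-ports 8443
iptables -t nat -A PREROUTING -p tcp --dport 587 -j REDIRECT --to-ports 8443
"""
CORRECTED_SPEC = """\
ProxySpec smtp 0.0.0.0 8025 up:9199
ProxySpec smtps 0.0.0.0 8465 up:9199
ProxySpec autossl 0.0.0.0 8587 up:9199
"""
CORRECTED_RULES = """\
iptables -t nat -A PREROUTING -p tcp --dport 25 -j REDIRECT --to-ports 8025
iptables -t nat -A PREROUTING -p tcp --dport 465 -j REDIRECT --to-ports 8465
iptables -t nat -A PREROUTING -p tcp --dport 587 -j REDIRECT --to-ports 8587
"""

if __name__ == "__main__":
    for label, spec, rules in (("reported", REPORTED_SPEC, REPORTED_RULES),
                               ("corrected", CORRECTED_SPEC, CORRECTED_RULES)):
        print(label, audit(spec, rules) or ["OK"])
```

The check deliberately keys on the listen port of the proxyspec rather than on the mode name alone, because a single "ssl" listener can silently absorb redirects for several ports, which is exactly how a STARTTLS port ends up behind a proxyspec that expects TLS from the first byte.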