A list of puns related to "Transparent Smtp Proxy"
I think I know the answer to this, but I just want to ask and make sure I'm not simply misunderstanding.
Background:
I have a client with two email accounts. Both are provided by two different ISPs who do NOT do spam filtering. Now, when he's at work, this isn't a problem because Outlook (bleh) does his spam filtering. However, when he's out on the road, his iPhone (double bleh) does no filtering. This makes him terribly unhappy (which I totally understand).
Question:
Doing some research, it seems like a Transparent SMTP Proxy Server (such as ASSP) sitting between his email server and his email client(s) would be the solution. My understanding is it downloads the email from the email server, removes the spam using several filters, then presents the mail for pickup by the email client(s) on a different port or forwards it to another email server for pickup by the client(s) (I'm not quite clear on this). Is my understanding correct or am I looking for something entirely different?
Hello there,
I have enabled Squid transparent proxy on my OPNsense and for my LAN interfaces it works pretty well but unfortunately not for my VPN connections (OpenVPN & Wireguard).
On OpenVPN I had to create an interface to be able to select it at the Squid configuration but as soon as I enable this connection I cannot open any HTTP/HTTPS.
I selected the tunnel to be used as default gateway.
On Wireguard I am a step further: Via this VPN I get always a Squid "access denied" error message.
Any ideas how to solve this?
We are switching to a new domain and are using Azure AD sync to Microsoft 365. We are looking for a script to bulk add a new alias email address to the smtp:username@domain.com in the proxy address attribute.
I have been searching everywhere for something close to this.
Any help is greatly appreciated.
Thanks
Hello,
First of all, yes, I am quite new to home servers since I just got my first one. So please, do not expect too much from me.
Here is my problem:
Like I said, I just got my first home server.
I would like to use it in many ways for example as a Minecraft server for having fun with friends. I already managed to set up IP forwarding and my friends can connect to the server, that is not the problem.
I am a little concerned about receiving a DDOS or other cyber attacks if the wrong people knew that I host my Server at home since they can easily get my IP address. Now I had an idea how to solve this: I got a VPS that I would like to use as a proxy so that everyone who wants to connect to my home server just connects to the proxy and the proxy forwards it to my home server. That way it would look like all the services ran on the VPS and nobody knew my IP address except the proxy server. I already set this up for TCP and UDP, the only protocols I have to use for my purposes, and it works just fine.
But now since the proxy is sending the packages to my home server, my home server is unable to see the IP address of the users connecting to it but only notices packages coming from the same IP which is the one of my proxy server.
So I need to set up a transparent proxy server for TCP and UDP and that is where the fun begins.
I already searched the whole internet for explanations but nothing worked for me because
a) it was not what I thought of and therefore did not work for me
b) I did not understand it because it was not explained well enough.
So I ended up here asking for someone who has an idea how to do it and who is able to explain it to me. See the picture given for a better understanding of my setup.
https://preview.redd.it/bxlbshp52gs71.png?width=1920&format=png&auto=webp&s=3708458cb9a0303bf3ee9511f466772605a027eb
Regards,
Malte Stein
Hi everyone, I've looked around but haven't managed to find an answer so asking here.
How can I detect if there's a transparent proxy on a network path, let's say when trying to reach google.com?
Hi Guys,
I'm running into some issues with duplicate proxyaddress entries for my Azure AD connect deployment.
Removing them individually is not really an option since there are 300k+ users, about 10% have duplicate SMTP/proxy addresses.
I'm trying to figure out a script to remove a specific proxy address from all users in an OU.
EG: noemailaddress@zerodomain.com is on 20k users - how would I remove it for everyone?
I found this script on a website after some google-fu, not sure if it will work - where would I place the -whatif here? after the final $addressestoRemove?
any other suggestions or better approaches are greatly appreciated.
Import-Module ActiveDirectory
$users = Get-ADUser -Filter * -SearchBase "OU=HYD,OU=IND Users,DC=PRAVEEN,DC=COM" -Properties proxyAddresses
foreach ($user in $users) {
    $addressesToRemove = @($user.proxyAddresses) -like "*fax.com*"
    if ($addressesToRemove.Count -gt 0) {
        # Pass the matches as an array; a quoted variable would join them into one string
        Set-ADUser $user -Remove @{proxyAddresses = [string[]]$addressesToRemove}
    }
}
So this worked although it was actually the mail attribute:
$ou = "<path to ou>"
$users = Get-ADUser -SearchBase $ou -Filter *
$mailtoremove = "emailaddress@domain.com"
foreach ($user in $users) { Set-ADUser $user -Remove @{mail = $mailtoremove} }
If I have an excel or list of all the duplicated emails and I want to just blow them away, how would I best import those into the $mail to remove attribute?
Hey everyone thanks in advance, I'm trying to collect all proxy addresses that start with SMTP and SIP with one get-aduser command but I can't get the filter command to do what I want it to do. How do you search by {name -like ("SMTP*" or "SIP*")}
I'm wanting to setup OPNsense with the transparent proxy package/options in Squid, so that it then chains or forwards to a dedicated Squid instance inside my lan.
I would like to start simple with only http (not SSL) caching, but haven't found a good guide that resembles this situation.
Appreciate any links or a good how-to for similar environment!
Hello folks,
I'm new to reddit and I hope that I'm doing everything right :)
So my problem is the following:
We have a fortigate 60f on 7.0.1 which works in transparent proxy mode without any issues.
Now we want to forward traffic to a proxy server in transparent mode, that should work like described here: https://docs.fortinet.com/document/fortigate/7.0.1/administration-guide/3224/transparent-web-proxy-forwarding
That works fine for http traffic but https traffic is sent directly to the internet which should not happen!
- DPI is setup and working
- IP-based authentication is working (but not needed in our scenario)
Does anyone use this feature too?
Can I setup things that a request is never sent directly without passing the forward server?
We receive a lot of "classical" Spam (Cheap Drones, Credits and Viagra etc.) from Networks of Turkish Providers over the Top level Domain ".icu". Is there a way to block that whole Domain? I have a growing list of over 50 Class C Networks blocked right now and every day they come through from a new Network. Nearly every Mail comes with a different Domain Name. Most of the time RDNS-Check is fishing them out, but sometimes they come through and it gets really annoying. I didn't find anything on the Sophos Community yet.
Let me first say I am a novice network person who is learning.
I currently have flashed dd-wrt and entware onto a RT-N66R router. This router is connected to a bridged modem PPPoE.
I desire to have all (or most) http traffic cached through squid as I have limited bandwidth (ADSL 3.2 Mbps down, 800Kbs actually more like 2.8 down 580 up)
My local net can have Rokus (Netflix, Amazon, Hulu and the like) and other devices pull images and descriptions down through HTTPS which should be cached by squid.
The version of squid that I have installed is 4.14 mips version.
My question is one of feasibility and locating examples of doing this solely on the router. I have seen on the web of someone doing something similar but had an external dedicated machine to run squid and the dd-wrt simply routed to this server. For the HTTPS, if I understand correctly, the certificate has to be created for the router so that HTTPS can be decrypted and squid can store the page in the cache. I do not see such a security certificate program in the install of the router's squid.
Before I go down the rabbit hole, has anyone done such a thing recently and/or have examples that I can follow?
Hi, so I installed Squid proxy's package and configured it to the best of my knowledge, and I chose to run it on transparent mode (to not do more configurations on the users side) with enabling SSL interception, created a CA and added it (which shows under System->Certificate Manager->CAs that it is not in use).
Squid seems to be logging some gibberish in /var/squid/cache when I check it with "Edit file" from pfSense, lightsquid seems to be working perfectly, showing the visited websites and some files of the users, and squidguard is showing like " Request(default/blk_BL_tracker/-) - CONNECT REDIRECT " in the Blocked log.
But the thing is I'm not fully understanding what I am doing... Everything looks fine for me by the looks of it, but I feel like I'm doing something wrong. Like is squid actually intercepting HTTPS packets and sending them back to the users? Is it really caching websites (HTTP and HTTPS) and where can I see the list of these sites? When is the ClamAV (that comes with squid) being used?
Here is a cut off picture of the settings that I got for squid: https://i.imgur.com/udm5Ayd.png
I would appreciate if someone can point out my mistakes, any information or question will help! thanks in advance
Hello,
I am not able to configure multiple mail accounts in Jira Service Desk to send mails. I can however set a sender address for every Service Desk project. Jira will then use sendmail to send the mails. Of course every mail server will mark this as spam because the rDNS is wrong.
So my idea to get around this issue is, to setup sendmail to proxy the outgoing mails through multiple mail servers.
For example:
Jira sends a mail from email@customerA.com through sendmail. Sendmail will recognize customerA.com and use the configured smtp server (office365 account) to send the mail. I need to be sure this works with more than one customer.
I hope you get what I'm talking about. Please feel free to ask, if you have questions. Do you think this is possible?
Cheers, Railiak
Hello guys, I'm mostly network admin with some experience in linux administration. But I want to learn more about web/smtp proxies and load balancers. Can you recommend me some good book/vids or other materials about those topics?
EDIT: Thank you for your responses!
Hello Everyone,
Running into an odd issue where a lot of AD accounts' proxyaddresses are getting changed from "SMTP:email@domain.com" to "smtp:email@domain.com".
So far I have run the following cmdlet:
Get-ADObject -Properties proxyAddresses -Filter {proxyAddresses -like "smtp:*@domain.com"} | Select-Object Name,proxyaddresses
Note: I couldn't figure out how to filter the results to just show lowercase smtp: so I got all results.
This gives me back this:
Name proxyaddresses
---- --------------
user1 {SMTP:email@domain.com, smtp:email2@domain.com}
user2 {smtp:email@domain.com, smtp:email2@domain.com}
Notice user2 has lowercase smtp:email@domain.com. I need to change user2 to read:
{SMTP:email@domain.com, smtp:email2@domain.com}
Any help would be great and let me know if this makes sense ;)
Thanks,
Ian...
Hi guys.
I'm in the process of migrating from PFSense to OPNSense.
On my PFSense Installation I have a reverse proxy (Made with HA Proxy) that redirects several Web Servers I have on my network to the respective domains.
Now I've moved these configurations across and it's working, even with the SSL, but some websites use a user login and registration (Discourse Platform) and since the website is behind the new HA Proxy I always get a CSRF Error and I guess it's due to the fact that HAProxy is using its own address to connect to the service and not keeping the one of the client from the wan.
On PFSense under the HA Proxy config there is this tick box that was making everything working: https://imgur.com/a/ty3nJrH
PFSense called it "Transparent ClientIP" but I can't manage to find a way to replicate the same behaviour on OPNSense too.
Practically now every Discourse Host opens correctly and they work with no issue, even the SSL is working perfectly, but every login or logout operation doesn't work due to the CSRF Error that I don't know how to solve.
The X-Forwarded-For Option has already been turned on and in the firewall I've created a rule for port 80 and 443 to pass to "This Firewall"
Anyone can give me a hint on what I'm missing here?
Thanks!!
SOLVED!
On the Discourse forum someone suggested that I add a string to the HA Proxy Frontend, this specific one that is visible only when you turn on the "Advanced Settings"
and then you just need to add this:
# add X-Forwarded-Proto
http-request set-header X-Forwarded-Proto https if { ssl_fc }
In this way the proxy will transfer the original IP address of the client and it will not make it trigger the CSRF Protection error.
I had the issue with Discourse but I guess it will resolve any issue with any other application who use an authentication system in SSL
Has anyone tried getting Signal to work through squid proxy set up using TLS inspection on OPNsense?
Via the web UI there was little I could do, but did have some luck after modifying the squid config files from the shell. The issue seems to be around Signal using all self-signed certificates.
I've tried bypassing the Signal URLs and followed the short guide on the squid site, with no luck.
So some background, I have 4 web applications sitting in a VM along with a PostgreSQL database and another application for inter-app functions.
As it stands everything is working fine testing wise, so now looking to move towards production and I started exploring. These Web Apps contain some vital information, keys to the kingdom if you will on just about everything. So I say let's set up NGINX as a reverse proxy, have all the VMs communicate on a private internal network (LAN2). So now I have NGINX chugging along proxying well my Web requests to my apps from LAN1 to LAN2 just fine. All my VMs are separated from LAN1, hacker would have to blow through a VM running nothing but a proxy request or SQL attack the web app.. and everything is working except one thing, now I can't access my Exchange SMTP service sitting on LAN1 so now my Web Apps can't process emails. Is there a way to proxy the SMTP like that also or should I just cut my losses and go back and just lock everything down facing LAN1 the best I can?
I tried to do this using NGINX proxying SMTP but I made no headway, not on a deadline so I'm not sweating it, and the extra security layer isn't required but I'll be damned if I'm gonna give up the keys without making it a headache for someone first.
Also on a side note all the VMs are running Ubuntu server, no SSH or anything, just a single Web app per VM and SQL is only accessible from the 4 VM IPs by rule. I do all admin stuff via console through management.
I found the following interesting:
I'm running Pfsense with pfBlockerNG-devel and I discovered that my DNS (which is set to 1.1.1.2/1.0.0.2 in System|General) was leaking. https://www.dnsleaktest.com showed Verizon rather than Cloudflare.
I also found another test here: https://www.smartydns.com/support/isp-doing-transparent-dns-proxy/
They recommend testing this way:
% nslookup ip.smartydns.com
Server: 192.168.1.1
Address: 192.168.1.1#53
Non-authoritative answer:
Name: ip.smartydns.com
Address: 167.99.45.163
They say "If you see the result as '136.243.3.103' then you have no problems using our DNS servers." Otherwise, test again this way:
% nslookup ip.smartydns.com 87.117.205.40
Server: 87.117.205.40
Address: 87.117.205.40#53
Non-authoritative answer:
Name: ip.smartydns.com
Address: 167.99.45.163
"If you see in your result at 'Address:' (2) an IP address other than '136.243.3.103' then your Internet Service Provider is doing Transparent DNS Proxy."
Can someone please explain how this actually works? Is this a legitimate test?
In any case, I figured how to fix the DNS leak. I switched on "Enable Forwarding Mode" and "Use SSL/TLS for outgoing DNS Queries to Forwarding Servers" in "Services | DNS Resolver | General Settings | DNS Query Forwarding". https://www.dnsleaktest.com now shows Cloudflare.
A couple more questions though:
Do I need "Use SSL/TLS for outgoing DNS Queries to Forwarding Servers"? I tested without it and also got Cloudflare as a result. Is this to hide the request from the ISP? Can the ISP act as a transparent DNS proxy when I use SSL/TLS?
Interestingly, the second test (ip.smartydns.com) test is still behaving the exact same way. Does this mean my ISP (Verizon FIOS) is doing Transparent DNS Proxy?
Finally, I find this somewhat related article fascinating: https://www.techhelpguides.com/2017/06/12/ultimate-pfsense-openvpn-guide/
Hey all... I'm looking to build a router with a transparent proxy/web filter/logger for my home network. I've been trying this on Debian, using a few guides. One in particular that I cannot seem to find again, which referenced the following link. I believe it referenced this link to get squid to proxy https traffic.
Here is my hardware, with my requirements:
Hardware: Miniforum PC with 500GB hard drive/16GB RAM, and Ryzen 5 CPU, Radeon GPU.
My experience is limited to what I can search for pretty much. I've been dabbling in linux for a couple of decades now, but never really picking it up entirely. For example, I've built Gentoo from scratch numerous times, but never really took it any further than that.
I was going to settle on Debian, but I have no loyalty to anything at the moment. I have 3 mini-PCs that I'll build for various purposes... all which I plan on putting Linux on, so I'd like to keep the flavors the same. The other two, I'm not sure what I will do with yet, but it will be fun stuff.
Thanks!
I have a 918+ and currently running pi-hole on docker, it helps to stop ads but I want something to monitor the kids internet and block certain sites, so I was thinking of a transparent proxy, something like squid, anybody running something similar and can point me in the right direction ? Ideally it would run in docker but a VM is also fine.
I recently noticed that we can add any SMTP Alias/ Proxy Address, regardless if our Exchange environment is authoritative for it, to an Exchange object. For example, if our Exchange environment is authoritative for ABC.com and we have a user with the primary SMTP address of john.doe@ABC.com we can also add john.doe@gmail.com as a secondary SMTP address and it successfully routes internally since Exchange sees it as an alias to john.doe@ABC.com. I was under the impression that Exchange would check for what domain it is authoritative for before trying to route an email. It appears that Exchange instead looks to see if the address exists as a SMTP address in the environment. Is this a feature, a result of a setting we have enabled, or a bug?