Hi, I am trying to inspect SMTP/SMTPS traffic to search for and detect viruses and malware using the ClamSMTP program.
But I did not initiate transparent proxying and mail inspection. Here is my detailed problem.
1) First scenario
I am using the Thunderbird 78.11.0 email program; here is the default configuration:
I am a beginner at proxying and I get some errors when I send mail, for example from my Outlook account to Yandex.
Here are the error logs from clamsmtpd with the above SMTP configuration:
Code:
clamsmtpd: cleaning up completed thread
clamsmtpd: created thread for connection
clamsmtpd: 100007: processing 5 on thread 68b400
clamsmtpd: 100007: accepted connection from: 192.168.8.11
clamsmtpd: 100007: SERVER connected to: 52.97.232.194
clamsmtpd: 100007: SERVER < 220 ZR0P278CA0026.outlook.office365.com Microsoft ESMTP MAIL Service ready at T
clamsmtpd: 100007: intercepting initial response
clamsmtpd: 100007: CLIENT > 220 smtp.passthru
clamsmtpd: 100007: CLIENT < EHLO [192.168.8.11]
clamsmtpd: 100007: SERVER > EHLO [192.168.8.11]
clamsmtpd: 100007: SERVER < 250-ZR0P278CA0026.outlook.office365.com Hello [212.154.86.180]
clamsmtpd: 100007: intercepting host response
clamsmtpd: 100007: CLIENT > 250-smtp.passthru
clamsmtpd: 100007: SERVER < 250-SIZE 157286400
clamsmtpd: 100007: CLIENT > 250-SIZE 157286400
clamsmtpd: 100007: SERVER < 250-PIPELINING
clamsmtpd: 100007: filtered ESMTP feature: PIPELINING
clamsmtpd: 100007: SERVER < 250-DSN
clamsmtpd: 100007: CLIENT > 250-DSN
clamsmtpd: 100007: SERVER < 250-ENHANCEDSTATUSCODES
clamsmtpd: 100007: CLIENT > 250-ENHANCEDSTATUSCODES
clamsmtpd: 100007: SERVER < 250-STARTTLS
clamsmtpd: 100007: filtered ESMTP feature: STARTTLS
clamsmtpd: 100007: SERVER < 250-8BITMIME
clamsmtpd: 100007: CLIENT > 250-8BITMIME
clamsmtpd: 100007: SERVER < 250-BINARYMIME
clamsmtpd: 100007: filtered ESMTP feature: BINARYMIME
clamsmtpd: 100007: SERVER < 250-CHUNKING
clamsmtpd: 100007: filtered ESMTP feature: CHUNKING
clamsmtpd: 100007: SERVER < 250 SMTPUTF8
clamsmtpd: 100007: CLIENT > 250 SMTPUTF8
clamsmtpd: 100007: CLIENT < QUIT
clamsmtpd: 100007: SERVER > QUIT
clamsmtpd: 100007: SERVER < 221 2.0.0 Service closing transmission channel
clamsmtpd: 100007: CLIENT > 221 2.0.0 Service closing transmission channel
clamsmtpd: 100007: CLIENT connection closed
clamsmtpd: 100007: SERVER connection closed
Error Message from Thunderbird:
Sending of the message failed.
An error occurred while sending mail: Unable to establish a secure link with Outgoing server (SMTP) smtp.outlook.com using STARTTLS since it doesn't advertise that feature. Switch off STARTTLS for that server or contact your service provider.
2) Second scenario
Code:
clamsmtpd: cleaning up completed thread
clamsmtpd: created thread for connection
clamsmtpd: 100004: processing 4 on thread 68be00
clamsmtpd: 100004: accepted connection from: 192.168.8.11
clamsmtpd: 100004: SERVER connected to: 52.97.232.194
clamsmtpd: 100004: SERVER < 220 ZR0P278CA0019.outlook.office365.com Microsoft ESMTP MAIL Service ready at T
clamsmtpd: 100004: intercepting initial response
clamsmtpd: 100004: CLIENT > 220 smtp.passthru
clamsmtpd: 100004: CLIENT < EHLO [192.168.8.11]
clamsmtpd: 100004: SERVER > EHLO [192.168.8.11]
clamsmtpd: 100004: SERVER < 250-ZR0P278CA0019.outlook.office365.com Hello [212.154.86.180]
clamsmtpd: 100004: intercepting host response
clamsmtpd: 100004: CLIENT > 250-smtp.passthru
clamsmtpd: 100004: SERVER < 250-SIZE 157286400
clamsmtpd: 100004: CLIENT > 250-SIZE 157286400
clamsmtpd: 100004: SERVER < 250-PIPELINING
clamsmtpd: 100004: filtered ESMTP feature: PIPELINING
clamsmtpd: 100004: SERVER < 250-DSN
clamsmtpd: 100004: CLIENT > 250-DSN
clamsmtpd: 100004: SERVER < 250-ENHANCEDSTATUSCODES
clamsmtpd: 100004: CLIENT > 250-ENHANCEDSTATUSCODES
clamsmtpd: 100004: SERVER < 250-STARTTLS
clamsmtpd: 100004: filtered ESMTP feature: STARTTLS
clamsmtpd: 100004: SERVER < 250-8BITMIME
clamsmtpd: 100004: CLIENT > 250-8BITMIME
clamsmtpd: 100004: SERVER < 250-BINARYMIME
clamsmtpd: 100004: filtered ESMTP feature: BINARYMIME
clamsmtpd: 100004: SERVER < 250-CHUNKING
clamsmtpd: 100004: filtered ESMTP feature: CHUNKING
clamsmtpd: 100004: SERVER < 250 SMTPUTF8
clamsmtpd: 100004: CLIENT > 250 SMTPUTF8
clamsmtpd: 100004: CLIENT < MAIL FROM:<x@outlook.com> BODY=8BITMIME SIZE=418
clamsmtpd: 100004: SERVER > MAIL FROM:<x@outlook.com> BODY=8BITMIME SIZE=418
clamsmtpd: 100004: SERVER < 451 5.7.3 STARTTLS is required to send mail [ZR0P278CA0019.CHEP278.PROD.OUTLOOK
clamsmtpd: 100004: CLIENT > 451 5.7.3 STARTTLS is required to send mail [ZR0P278CA0019.CHEP278.PROD.OUTLOOK
clamsmtpd: 100004: CLIENT connection closed
clamsmtpd: 100004: SERVER connection closed
Error Message from Thunderbird:
An error occurred while sending mail. The mail server responded: 5.7.3 STARTTLS is required to send mail [ZR0P278CA0019.CHEP278.PROD.OUTLOOK.COM]. Please verify that your email address is correct in your account settings and try again.
Here is the ClamSMTP configuration in Transparent Proxy mode:
Code:
# ------------------------------------------------------------------------------
# SAMPLE CLAMSMTPD CONFIG FILE
# ------------------------------------------------------------------------------
#
# - Comments are a line that starts with a #
# - All the options are found below with sample settings
# The address to send scanned mail to.
# This option is required unless TransparentProxy is enabled
#OutAddress: 10026
# The maximum number of connection allowed at once.
# Be sure that clamd can also handle this many connections
MaxConnections: 64
# Amount of time (in seconds) to wait on network IO
TimeOut: 180
# Keep Alives (ie: NOOP's to server)
#KeepAlives: 0
# Send XCLIENT commands to receiving server
#XClient: off
# Address to listen on (defaults to all local addresses on port 10025)
Listen: 0.0.0.0:10025
# The address clamd is listening on
ClamAddress: /var/run/clamav/clamd.sock
# A header to add to all scanned email
Header: X-Virus-Scanned: ClamAV using ClamSMTP %i
# Directory for temporary files
TempDirectory: /tmp
# What to do when we see a virus (use 'bounce' or 'pass' or 'drop')
Action: drop
# Whether or not to keep virus files
#Quarantine: off
# Enable transparent proxy support
TransparentProxy: on
# User to switch to
User: clamav
#######
Here is the IPFW configuration:
Code:
ipfw -q -f flush
ipfw -q add 1 allow all from any to any out via lo0
ipfw -q add 2 allow all from any to any in via lo0
#ipfw -q add 3 fwd 127.0.0.1,8443 tcp from 192.168.8.0/24 to any 443
## SMTP/SMTPS MAIL PROXY
ipfw -q add 100 fwd 127.0.0.1,10025 tcp from 192.168.8.0/24 to any 587
ipfw -q add 101 fwd 127.0.0.1,10025 tcp from 192.168.8.0/24 to any 25
ipfw -q add 65534 allow ip from any to any
Here is the PF configuration:
Code:
int_if = "igb1"
ext_if = "igb0"
int_net = "192.168.8.0/24"
set loginterface igb0
# Do not skip lo, we have rules for lo conns
#set skip on lo
scrub in log all
nat on igb0 from { !igb0 } to any -> (igb0)
pass out quick on lo0 from any to any
pass in quick on lo0 from any to any
pass in quick on igb0 proto { tcp udp } from any to any port 53
pass in quick on igb1 proto { tcp udp } from any to any port 53
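As an added diagnostic example (not from the post above and not part of the ClamSMTP project): a Python script that parses a clamsmtpd transcript like the two quoted earlier, lists the ESMTP extensions the proxy withheld from the client, and classifies how each session ended. The embedded transcript is constructed, an abridged copy of lines from the two logs above (connection ids 100007 and 100004). The script also recognises the `530 5.7.0` "Must issue a STARTTLS command first" reply from RFC 3207; that is an assumption about other MTAs, since the post only shows Exchange Online's `451 5.7.3`.

```python
"""Check a clamsmtpd transparent-proxy transcript for the STARTTLS downgrade.

Added example; not part of the forum post or of the ClamSMTP project.
SAMPLE_LOG is constructed: an abridged copy of the two sessions quoted in the post.
"""
import re
from typing import Dict, Set

SAMPLE_LOG = """\
clamsmtpd: 100007: SERVER < 250-ZR0P278CA0026.outlook.office365.com Hello [212.154.86.180]
clamsmtpd: 100007: CLIENT > 250-smtp.passthru
clamsmtpd: 100007: SERVER < 250-SIZE 157286400
clamsmtpd: 100007: CLIENT > 250-SIZE 157286400
clamsmtpd: 100007: SERVER < 250-PIPELINING
clamsmtpd: 100007: filtered ESMTP feature: PIPELINING
clamsmtpd: 100007: SERVER < 250-STARTTLS
clamsmtpd: 100007: filtered ESMTP feature: STARTTLS
clamsmtpd: 100007: SERVER < 250 SMTPUTF8
clamsmtpd: 100007: CLIENT > 250 SMTPUTF8
clamsmtpd: 100007: CLIENT < QUIT
clamsmtpd: 100004: SERVER < 250-STARTTLS
clamsmtpd: 100004: filtered ESMTP feature: STARTTLS
clamsmtpd: 100004: SERVER < 250 SMTPUTF8
clamsmtpd: 100004: CLIENT > 250 SMTPUTF8
clamsmtpd: 100004: CLIENT < MAIL FROM:<x@outlook.com> BODY=8BITMIME SIZE=418
clamsmtpd: 100004: SERVER < 451 5.7.3 STARTTLS is required to send mail [ZR0P278CA0019.CHEP278.PROD.OUTLOOK
"""

# One transcript line: "clamsmtpd: <conn-id>: <rest>" (thread housekeeping lines have no id).
LINE_RE = re.compile(r"^clamsmtpd: (?P<conn>\d+): (?P<rest>.*)$")
# An EHLO reply line carrying an extension keyword ("250-SIZE 1234", "250 SMTPUTF8").
# The greeting "250-host.example Hello [...]" does not match because of the dot.
EHLO_RE = re.compile(r"^250[- ](?P<kw>[A-Z0-9]+)(?: |$)")
FILTERED_RE = re.compile(r"^filtered ESMTP feature: (?P<kw>\S+)$")


def parse_sessions(log: str) -> Dict[str, dict]:
    """Group transcript lines by connection id and split them by direction."""
    sessions: Dict[str, dict] = {}
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        s = sessions.setdefault(m["conn"], {"server_ehlo": [], "client_ehlo": [],
                                            "filtered": [], "client_cmds": [],
                                            "server_replies": []})
        rest = m["rest"]
        if rest.startswith("SERVER < "):        # reply from the real MTA
            payload = rest[len("SERVER < "):]
            s["server_replies"].append(payload)
            e = EHLO_RE.match(payload)
            if e:
                s["server_ehlo"].append(e["kw"])
        elif rest.startswith("CLIENT > "):      # what the proxy relayed to the MUA
            e = EHLO_RE.match(rest[len("CLIENT > "):])
            if e:
                s["client_ehlo"].append(e["kw"])
        elif rest.startswith("CLIENT < "):      # command sent by the MUA
            s["client_cmds"].append(rest[len("CLIENT < "):])
        else:
            f = FILTERED_RE.match(rest)
            if f:
                s["filtered"].append(f["kw"])
    return sessions


def stripped_features(s: dict) -> Set[str]:
    """Extensions the MTA advertised that never reached the client."""
    return set(s["server_ehlo"]) - set(s["client_ehlo"])


def diagnose(s: dict) -> str:
    """Classify how the session ended once the proxy removed STARTTLS."""
    if "STARTTLS" not in s["server_ehlo"]:
        return "server-no-starttls"            # nothing to downgrade
    if "STARTTLS" not in stripped_features(s):
        return "starttls-passed"               # proxy left TLS negotiation alone
    sent_mail = any(c.upper().startswith("MAIL FROM") for c in s["client_cmds"])
    if not sent_mail and s["client_cmds"] and s["client_cmds"][-1].upper() == "QUIT":
        return "client-refused-plaintext"      # scenario 1: MUA insists on STARTTLS
    # Scenario 2: the MTA refuses cleartext submission. Exchange Online answers
    # "451 5.7.3 STARTTLS is required"; RFC 3207 servers may answer
    # "530 5.7.0 Must issue a STARTTLS command first" (assumed; not in the post).
    if any("STARTTLS" in r and r[:3] in ("451", "530") for r in s["server_replies"]):
        return "server-required-tls"
    return "plaintext-accepted"                # scanned, but relayed unencrypted


if __name__ == "__main__":
    for conn, sess in parse_sessions(SAMPLE_LOG).items():
        print(f"{conn}: stripped={sorted(stripped_features(sess))} -> {diagnose(sess)}")
```

Run against the sample, the script reports session 100007 as `client-refused-plaintext` (Thunderbird sent QUIT straight after the capability list it was shown lacked STARTTLS) and session 100004 as `server-required-tls` (with STARTTLS switched off in Thunderbird, the cleartext MAIL FROM reached Outlook and was rejected). Both outcomes trace back to the same `filtered ESMTP feature: STARTTLS` line: clamsmtpd in transparent mode removes STARTTLS from the EHLO reply because it can only scan a cleartext session, so a submission server that mandates TLS cannot be scanned by simply forwarding port 587 through it.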