
sTunnel for modern email protocols in old email clients



2 hours ago, Ben Markson said:

Assuming I've followed this correctly could you use your own personal proxy server like The Proxomitron?

Ben.
 

Well I already have ProxHTTPSProxy installed and in use on IE/Eudora, but routing the Sky sites through that doesn't seem to work, I just get the "insecure connection" page.
I'm guessing this is because it's using localhost and therefore the HOSTS file? :dubbio:
I also have a very old version (4.5 from 2003!)  of Proxomitron installed, although I haven't used it for years.
I'd rather not do it by having yet another program running in the background on the machine just to access a few websites which I don't visit that often anyway.
A reliable online free proxy would be ideal.
:yes:
EDIT: I've now seen that the version of Proxomitron I've already got is the latest (and presumably last) version, over 16 years old!

Edited by Dave-H
Quote added as post has appeared on a new page


Hi Dave, can you please clarify how to get ProxHTTPSProxy-Proxomitron working to access (in IE8) websites not compatible with the IE8 standard? (We had spoken about it in another topic.)

A simple link where it's explained is good enough (I read some forums but I still didn't figure it out).

Thank you


22 hours ago, Ben Markson said:

Assuming I've followed this correctly could you use your own personal proxy server like The Proxomitron?

Ben.

Unfortunately, for what Dave is doing - blocking a few Web sites in the hosts file, then bypassing those blocks for a particular browser - he needs a proxy server that's outside of his own PC, where it won't be affected by the hosts file.

The Proxomitron might actually work, but it'd need to be on a separate system (although I suppose a VM might be made to work).


  • 7 months later...

Hi there,

I tried to set up sTunnel on a Raspberry Pi with the following settings, however it doesn't work whenever I try to use Outlook 2003 or Outlook 2010:

Quote

peter@peterpi:~ $ sudo apt install stunnel4
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Suggested packages:
  logcheck-database
The following NEW packages will be installed:
  stunnel4
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 189 kB of archives.
After this operation, 469 kB of additional disk space will be used.
Get:1 http://ftp.halifax.rwth-aachen.de/raspbian/raspbian buster/main armhf stunnel4 armhf 3:5.50-3 [189 kB]
Fetched 189 kB in 0s (424 kB/s)  
Selecting previously unselected package stunnel4.
(Reading database ... 113735 files and directories currently installed.)
Preparing to unpack .../stunnel4_3%3a5.50-3_armhf.deb ...
Unpacking stunnel4 (3:5.50-3) ...
Setting up stunnel4 (3:5.50-3) ...
Warning: The home dir /var/run/stunnel4 you specified can't be accessed: No such
 file or directory
Adding system user `stunnel4' (UID 111) ...
Adding new group `stunnel4' (GID 119) ...
Adding new user `stunnel4' (UID 111) with group `stunnel4' ...
Not creating home directory `/var/run/stunnel4'.
Processing triggers for man-db (2.8.5-2) ...
Processing triggers for systemd (241-7~deb10u2+rpi1) ...
peter@peterpi:~ $ nano /etc/stunnel/stunnel.conf
peter@peterpi:~ $ sudo nano /etc/stunnel/stunnel.conf
peter@peterpi:~ $ openssl genrsa -out key.pem 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
..............................+++++
.........+++++
e is 65537 (0x010001)

peter@peterpi:~ $ nano /etc/stunnel/stunnel.conf
peter@peterpi:~ $ sudo nano /etc/stunnel/stunnel.conf
peter@peterpi:~ $ 

Quote

 

debug = 4
engine = capi
options = NO_SSLv2
options = NO_SSLv3
options = NO_TLSv1

[lima-imap]
client = yes
EngineID = capi
accept = 192.168.178.106:993
connect = mail.lima-city.de:993

[lima-smtp]
clinet = yes
EngineID = capi
accept = 192.168.178.106
connect = mail.lima-city.de:465

[lima-imap]
client = yes
EngineID = capi
accept = 192.168.178.21:993
connect = mail.lima-city.de:993

[lima-imap]
client = yes
EngineID = capi
accept = 192.168.178.27
connect = mail.lima-city.de:993

[lima-smtp]
clinet = yes
EngineID = capi
accept = 192.168.178.27
connect = mail.lima-city.de:465

[lima-smtp]
clinet = yes
EngineID = capi
accept = 192.168.178.21:465
connect = mail.lima-city.de:465

 

The IP addresses you're seeing are the ones of the computers inside my network that will have to connect to the Pi in order to get access to the email.

Any idea?

I'm actually doing this configuration together with @neverseen.

Edited by FranceBB
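
Added example (not part of the original post, and not stunnel's own code): a small Python checker for the problems visible in the stunnel.conf posted above, namely the misspelled `clinet`, `accept` lines without a port, `accept` addresses that belong to the client PCs rather than the Pi (stunnel listens on `accept`, so it must be a local address or just a port), the Windows-only `capi` engine, and repeated section names. Assumptions: `lint_stunnel` is a hypothetical helper, the Pi address 192.168.178.50 and the `accept = 143` line are constructed, and `KNOWN` lists only the options used in that config.

```python
import difflib

KNOWN = {"debug", "engine", "options", "client", "engineid", "accept", "connect"}  # subset only
# Constructed excerpt of the posted stunnel.conf; "accept = 143" is made up.
SAMPLE = """\
engine = capi
[lima-imap]
client = yes
accept = 192.168.178.106:993
connect = mail.lima-city.de:993
[lima-smtp]
clinet = yes
accept = 192.168.178.106
connect = mail.lima-city.de:465
[lima-imap]
client = yes
accept = 143
connect = mail.lima-city.de:993
"""

def lint_stunnel(text, local_addrs, target_os="linux"):
    """Return (line_no, message) findings for a stunnel.conf given as text."""
    findings, sections = [], {}
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in ";#":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            if line in sections:
                findings.append((no, f"{line} repeats line {sections[line]}; name each service once"))
            sections.setdefault(line, no)
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        key = key.lower()
        if key not in KNOWN:
            hint = difflib.get_close_matches(key, KNOWN, n=1)
            findings.append((no, f"unknown option '{key}'" + (f", did you mean '{hint[0]}'?" if hint else "")))
        elif key in ("engine", "engineid") and value == "capi" and target_os != "windows":
            findings.append((no, "capi is the Windows CryptoAPI engine, not available here"))
        elif key == "accept":
            host, _, port = value.rpartition(":")
            if not port.isdigit():                # bare IP address, no port given
                findings.append((no, "accept needs a port: [host:]port"))
            elif host and host not in local_addrs:
                findings.append((no, f"accept binds {host}, which is not an address of this host"))
    return findings

if __name__ == "__main__":
    print(*lint_stunnel(SAMPLE, {"192.168.178.50"}), sep="\n")  # constructed Pi address
```

With `client = yes`, stunnel accepts the unencrypted connection on `accept` and adds TLS toward `connect`, so the mail client itself has to be set to connect to the Pi without SSL.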

  • 1 year later...

Hi all, sorry to raise this thread again, but another problem has just manifested itself.

Suddenly, between Wednesday night and Thursday morning this week, my Eudora e-mail client stopped working again with e-mails from Sky, and several other senders too. Quite literally, it was working Wednesday night, on Thursday morning it wasn't, for no apparent reason!

Everything seems to be as normal, with my HOSTS file and ProxHTTPSProxy, but the messages now take an age to display, about two minutes, and when they do finally display there are elements missing.

Specifically, the Sky logo at the top is missing from the Sky e-mails.
I've tried looking at the source of the messages, and this is the URL of the logo -

https://helpforum.sky.com/html/assets/sky-community-v6.png

If I try to access that in IE8 it won't display.
There is a very long delay, and then I get -

502: HTTPError

The following error occurred while trying to access https://helpforum.sky.com/html/assets/sky-community-v6.png

HTTPSConnectionPool(host='helpforum.sky.com', port=443): Max retries exceeded with url: /html/assets/sky-community-v6.png (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:600)'),))

Generated on 2021-06-04 19:36:11.914875 by ProxHTTPSProxyMII RearProxy/v1.5.

So, anyone any idea what's suddenly started happening here?

The only thing I can think of that was changed on the system on Wednesday was installing the latest Root Certificates update.
I thought that might be the culprit, so I tried rolling it back to the previous version.
It seems that all the system certificate information is in the registry, so I rolled back the registry using ERUNT to a time before the certificates update was done, which made no difference at all.
Should I have done anything else to roll it back?

Any help gratefully received!
This is very annoying when my setup has now worked for well over a year!
Thanks, Dave.
:)


Sadly not.
I normally only have the system set to use the proxy with https sites, and without it the http URL just produces the standard "Internet Explorer cannot display the webpage" message, with no specific reason given.
If I set things to use the proxy on http sites as well as https after again a very long delay I get this -

502: HTTPError

The following error occurred while trying to access http://helpforum.sky.com/html/assets/sky-community-v6.png

HTTPConnectionPool(host='helpforum.sky.com', port=80): Max retries exceeded with url: /html/assets/sky-community-v6.png (Caused by NewConnectionError(': Failed to establish a new connection: [WinError 10065] A socket operation was attempted to an unreachable host',))

Generated on 2021-06-05 18:25:12.087625 by ProxHTTPSProxyMII FrontProxy/v1.5.

So, a different message!
:dubbio:


Sounds like a new kind of tcpip connection forwarding is being used. Or perhaps a certificate expired. Can you access the url from any other browser on that machine, with or without the proxy?

What browsers do the Sky and helpforum websites work in? Have you reported the problem to Sky?

"other senders"?

 

Edited by jumper
... expired

Thanks, yes I am suspicious that it is an expired certificate.
Presumably the fact that it seemed to happen when I updated the system root certificates is just coincidence?
As I said, I tried rolling the registry back to before the update but it didn't make any difference, but I wasn't at all sure whether that was enough.

The https URL can actually be reached by Google Chrome 49, which also uses ProxHTTPSProxy, and by IE8, but only after an enormous delay.
The http URL works almost immediately in Google Chrome 49, but in IE8, again after a very long delay, I get the standard "cannot display the webpage" message without ProxHTTPSProxy, and with it enabled on http connections, it works after again a very long delay.


What is puzzling me now is why IE8 is failing to display an image over a standard http connection, which Google Chrome seems to have no problem with!
It presumably shouldn't have to have the proxy running to do that if it's not a secure connection.
:dubbio:


Just to add that it's not only images from Sky's servers which are affected, quite a few other e-mails are also not displaying in Eudora like they used to, with usually no images, or indeed nothing at all, and then they suddenly display after a very long delay (and I mean over a minute!) They then display fine.

I'm still suspicious of the Root Certificates update.

@heinoganda

:dubbio:
 


I'm probably not able to offer substantial help on this problem, being on Vista SP2 32-bit myself, but:

IE9 has no issues here loading instantly the plain HTTP version of the logo:


IE9 (with WS2008 fixes to enable it with TLS v1.2 support) has no issues instantly loading the secure (HTTPS) version of the logo:


In the attachment I have also included the Certification Path; IE9, just like IE8/WinXP, uses the OS certstore: top is the Root CA [Sectigo (AAA)], then two intermediate certs, last is the server (helpforum.sky.com) cert; none of these four certs has been recently changed (updated/expired) ; below is server cert in question:


What would be more relevant with your case is my attempt to load the "secure" logo in IE9 via ProxHTTPSProxyMII; as with previous tests, it has no issue whatsoever instantly loading that logo:


But while standalone IE uses the OS certstore, when connecting through ProxHTTPSProxyMII it doesn't; it just trusts as Root CA the (manually imported) proxy's cert:


How long ago was the last time you manually generated a fresh ProxHTTPSProxy CA?

https://curl.se/docs/caextract.html

says the most recent cacert.pem file was generated on May 25th 2021 04:12 BST; download file "cacert-2021-05-25.pem", rename it to cacert.pem and place it inside ProxHTTPSProxyMII's root directory (overwriting, if necessary); empty fully the Certs folder of its content; delete file CA.crt; launch once ProxHTTPSProxyMII


Close ProxHTTPSProxyMII and manually import the freshly generated CA.crt file into IE8; relaunch ProxHTTPSProxyMII and try anew...


I have no clue why your copy of IE8 isn't able to load
http://helpforum.sky.com/html/assets/sky-community-v6.png

Have you changed recently any of your DNS settings? Perhaps your Anti-Malware solution is interfering?
Grasping at straws on this... :(
As for loading the secure version of the logo in IE8 without ProxHTTPSProxyMII,
https://helpforum.sky.com/html/assets/sky-community-v6.png
this isn't possible under XP, because SNI support is required (Vista+) ... :(


Thanks!

I tried all that, but unfortunately it seems to have made no difference.
I did find there were now two entries for ProxHTTPSProxy CA in the list of Trusted Root Certification Authorities, the original one and the new one I imported.
I deleted the old one, I assume that was the right thing to do.

What I'm seeing in the Proxy console when I load one of the Sky e-mails in Eudora is -

"EOF occurred in violation of protocol (_ssl.c:600)" while trying to establish local SSL tunnel for [helpforum.sky.com:443]

There is just a leading quotation mark at the beginning of the line, as shown, but no second one anywhere.

I've seen this before, and I seem to remember I had a lot of trouble determining what "EOF" means in this context!
"End of <something>" I assume, but what?

:dubbio:


5 hours ago, Dave-H said:

I did find there were now two entries for ProxHTTPSProxy CA in the list of Trusted Root Certification Authorities,
the original one and the new one I imported.
I deleted the old one, I assume that was the right thing to do.

... You were supposed to first remove the older proxy CA, then import the freshly generated one...
If you're sure you did remove the older of the two, I suppose you're fine...

EOF = "End of File", but my Python-fu is extremely limited :} ... It's a sad thing that master @heinoganda doesn't live in these places anymore... :( You are definitely experiencing an SSL/TLS issue (as you said, not only limited to *sky.com hostnames), but what?

Also of worry is your inability to open
http://helpforum.sky.com/html/assets/sky-community-v6.png

in IE8; I've checked and this plain HTTP URI doesn't auto-redirect to its secure (HTTPS) variant...
Is any other member here on Windows XP SP3 able to load that non-secure URI in IE8?
Just to confirm something's awry at your end, or not... :dubbio:
