Re: [squid-users] SMTP,POP3 and News problems

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Thu, 14 Aug 2003 07:22:26 +0200

On Thursday 14 August 2003 06.45, aqil wrote:

> I once asked a similar question, i.e. can squid be an SMTP relay. I
> did realize the capacity of squid which is limited to just http
> proxy.. well, plus ftp proxy.

Squid is NOT an FTP proxy.

Squid can do FTP over HTTP for HTTP clients configured to use Squid as
a proxy, but that is all it does with FTP.

> I know, it's a security precaution... But is it just a simple
> precaution or are there some of you who have experienced such thing ...

It is not a security precaution. It is a protocol question.

Squid is an HTTP proxy. To use Squid the client must speak HTTP. SMTP
does not use the HTTP protocol and Squid does not know what to do
with SMTP commands.

For clients which do speak HTTP to proxies squid supports operations
on http://, ftp:// and gopher:// objects. In all cases the client
uses HTTP while speaking to Squid, and Squid translates the HTTP
request into the requested protocol (HTTP / FTP / Gopher). Yes, HTTP
is also translated, but the translation is very simple for http://
requests.

This is also why you need special squid.conf configuration if you are
doing interception caching of port 80. HTTP to proxies looks slightly
different from HTTP to web servers.

What is a security precaution is that Squid includes rules which
deny abuse of the HTTP proxy for contacting SMTP and other
non-supported services. Without these security precautions it is
possible for a hacker to construct a carefully constructed HTTP
request which when sent to an SMTP server will in fact send an email
or give him a connection to an SMTP/IRC/whatever server (depending on
what kind of HTTP message he uses; CONNECT is more dangerous than the
other types).

So even if you disable the security restrictions you will not be able
to use Squid for SMTP. All you achieve by disabling the restrictions
is to allow hackers (mostly spammers) to abuse the proxy for
relaying email and other non-HTTP services or avoiding your firewall
policies by masquerading their non-HTTP traffic as if it was HTTP.

If you are looking for a generic proxy then you should look into a
SOCKS5 proxy such as Dante. SOCKS5 is a proxy protocol supporting
basically any protocol by working closer to the network layer than
HTTP proxying. SOCKS in principle intercepts the application's network
operations and forwards them to the SOCKS server as if the
application was running on the SOCKS server. SOCKS requires support
in the client stations (either application or OS level support).

Regards
Henrik

-- 
Donations welcome if you consider my Free Squid support helpful.
https://www.paypal.com/xclick/business=hno%40squid-cache.org
If you need commercial Squid support or cost effective Squid or
firewall appliances please refer to MARA Systems AB, Sweden
http://www.marasystems.com/, info@marasystems.com
Received on Wed Aug 13 2003 - 23:23:44 MDT
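As an added illustration, not part of Henrik's mail, this is the shape of the default squid.conf access rules he refers to (the Safe_ports / SSL_ports ACLs shipped with Squid 2.5-era configurations), with the "disable the restrictions" change shown as the weak variant. Exact port lists differ between Squid releases, so treat the values as an assumption to check against your own default squid.conf.

```conf
# Default-style port ACLs: which destination ports an HTTP request may
# be proxied to. Port 25 (SMTP), 119 (NNTP) and 110 (POP3) are absent
# on purpose, so a request for http://mailhost:25/ is refused.
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443 563     # https, snews
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports (see caveat below)
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http

# CONNECT is a raw TCP tunnel, which is why the mail calls it the most
# dangerous method: restrict it to the SSL ports only.
acl SSL_ports port 443 563
acl CONNECT method CONNECT

# Rules are evaluated top to bottom; the first match wins.
http_access deny !Safe_ports          # HARDENED: refuse non-HTTP ports
http_access deny CONNECT !SSL_ports   # HARDENED: no tunnels to port 25 etc.

# WEAK variant (what "disabling the restrictions" amounts to):
# commenting out the two deny lines above lets any client that can
# reach the proxy request http://mailhost:25/ or CONNECT mailhost:25,
# turning Squid into an open relay/tunnel without making SMTP work.
# http_access deny !Safe_ports
# http_access deny CONNECT !SSL_ports

# Caveat: the default 1025-65535 range means a service listening on an
# unprivileged port is still reachable. Tighten it if your firewall
# policy depends on the proxy, e.g. replace the range with an explicit
# list of the high ports you actually need.
```

Whether the deny rules are in effect can be confirmed from the proxy's own logs: a denied request to port 25 is recorded in access.log with a TCP_DENIED status rather than being forwarded.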