ProxSMTP: Full Transparent Proxying Notes

Note: These notes cover full transparent proxying, where neither the server nor the client can tell from the packets that a proxy is present. This is far more complex than the simpler client-side transparent proxy.

A transparent proxy grabs a certain type of traffic at your gateway or router and sends it through a proxy without the knowledge of the user or client. Here are some notes on how to use ProxSMTP as a full transparent proxy to filter SMTP traffic going into or out of your network.

You need to be an expert at routing, firewalls and system administration to make this work. These are just notes, not a tutorial.

Note that certain features of SMTP are disabled when going through proxsmtpd, most notably SSL/TLS. Authentication does, however, work. Full transparent proxying has only been tested on very recent versions of Linux (using iptables). Linux 2.6.37 or later is recommended.

This setup assumes the proxsmtpd proxy is running on the same machine as the gateway. Running it on a different machine is possible, but far more complicated to set up.

Foundation

The transparent proxy becomes the endpoint for TCP connections, and establishes a new outgoing TCP connection to the destination server.

With a 'full' transparent proxy, this new outgoing connection uses a spoofed source IP address, so it appears to come from the original client machine.

        <---c----       <---d----
 CLIENT ----a---> PROXY ----b---> DESTINATION

Note that there are four packet streams taking place (labelled a to d in the diagram):

  1. (a) From the client, outgoing toward the destination
  2. (b) From the proxy to the destination
  3. (c) From the proxy to the client
  4. (d) From the destination, incoming toward the client

None of the packets have the proxy IP address in either their source or destination IP fields.

All the above packet streams must travel through the proxy box. Usually one of the following is true:

Configuration

The following kernel module must be loaded:

  # modprobe nf_conntrack_ipv4

The following iptables configuration is run on the proxy box, perhaps via rc.local or your method of choice.

  # iptables -t mangle -N DIVERT
  # iptables -t mangle -A DIVERT -j MARK --set-mark 0x01/0x01
  # iptables -t mangle -A DIVERT -j ACCEPT
  # iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
  # iptables -t mangle -A PREROUTING -p tcp --dport 25 -j TPROXY \
        --tproxy-mark 0x1/0x1 --on-port 10025

The following ip routing configuration is run on the proxy box. Again, this could be done via rc.local.

  # ip route flush table 100
  # ip rule add fwmark 1 lookup 100
  # ip route add local 0.0.0.0/0 dev lo table 100

Reverse path filtering must be disabled on lo, and IP forwarding must be enabled on the box:

  # echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
  # echo 1 > /proc/sys/net/ipv4/ip_forward

The proxsmtp configuration should be set up in proxsmtpd.conf. Usually one would create a Unix user for this purpose and substitute it for nobody in the config below. The location of proxsmtpd.conf can be determined by running proxsmtpd -v. Make sure the following options are set:

  TransparentProxy: full

Troubleshooting

To troubleshoot proxsmtpd, you can check for error messages in /var/log/maillog.

For debug output, run proxsmtpd like this:

  # proxsmtpd -d 4

To see if your iptables rules are matching packets run:

  # iptables -t mangle -L -v
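As an added example (not part of the ProxSMTP notes or the project's own code), here is a small POSIX shell pre-flight script that checks the two sysctls set above and parses the output of iptables -t mangle -L -v to tell whether the DIVERT and TPROXY rules are actually matching packets. The file name, the optional PROC_ROOT argument and the sample iptables output embedded in it are assumptions made for this example.

```shell
#!/bin/sh
# Added pre-flight check for the full transparent proxy setup in these notes.
# Run "sh check-tproxy.sh live" as root on the gateway; with no argument it only
# defines the functions. PROC_ROOT and the sample output below are constructed.

# Sum the packet counters of every rule in CHAIN whose target is TARGET, reading
# "iptables -t mangle -L -v" output on stdin. Without -x counters over 1000 are
# abbreviated (12K); awk keeps the numeric prefix, enough to spot "never matched".
rule_packets() {
    awk -v chain="$1" -v target="$2" '
        /^Chain / { cur = $2; next }      # "Chain PREROUTING (policy ...)"
        $1 == "pkts" { next }              # column header line
        cur == chain && $3 == target { sum += $1 }
        END { printf "%d\n", sum + 0 }'
}

# Returns 0 when both PREROUTING rules have matched packets. DIVERT hits with
# zero TPROXY hits means the socket match sees traffic but port 25 is not being
# redirected to proxsmtpd on 10025 (rule missing, wrong port, or no TPROXY target).
check_mangle() {
    out=$(cat)
    divert=$(printf '%s\n' "$out" | rule_packets PREROUTING DIVERT)
    tproxy=$(printf '%s\n' "$out" | rule_packets PREROUTING TPROXY)
    echo "PREROUTING: DIVERT matched $divert packets, TPROXY matched $tproxy"
    [ "$divert" -gt 0 ] && [ "$tproxy" -gt 0 ] && return 0
    return 1
}

# The two sysctls the notes set; PROC_ROOT (argument 1) defaults to /proc/sys.
check_sysctls() {
    root="${1:-/proc/sys}" ok=0
    [ "$(cat "$root/net/ipv4/ip_forward")" = 1 ] || { echo "ip_forward is not 1"; ok=1; }
    [ "$(cat "$root/net/ipv4/conf/lo/rp_filter")" = 0 ] || { echo "lo/rp_filter is not 0"; ok=1; }
    return $ok
}

# Constructed sample of "iptables -t mangle -L -v" output from a working box.
SAMPLE='Chain PREROUTING (policy ACCEPT 1234 packets, 567K bytes)
 pkts bytes target     prot opt in     out     source               destination
   42  2520 DIVERT     tcp  --  any    any     anywhere             anywhere             socket
   17  1020 TPROXY     tcp  --  any    any     anywhere             anywhere             tcp dpt:smtp TPROXY redirect 0.0.0.0:10025 mark 0x1/0x1

Chain DIVERT (1 references)
 pkts bytes target     prot opt in     out     source               destination
   42  2520 MARK       all  --  any    any     anywhere             anywhere             MARK or 0x1
   42  2520 ACCEPT     all  --  any    any     anywhere             anywhere'

if [ "${1:-}" = live ]; then
    iptables -t mangle -L -v | check_mangle && check_sysctls && echo "setup looks good"
fi
```

A DIVERT counter that stays at zero while TPROXY climbs means the second rule is redirecting new connections but the socket match never catches the established flows, which usually points at the fwmark 1 / table 100 routing rather than at iptables.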