# SMTP/SMTPS inspection does not work using ClamSMTP's transparent proxy



## alfa (Aug 3, 2021)

Hi, I am trying to inspect SMTP/SMTPS traffic to search for and detect viruses and malware using the ClamSMTP program.
But I could not get transparent proxying and mail inspection working. Here is my detailed problem.

*1) first scenario*
I am using the Thunderbird 78.11.0 email program; here is the default configuration:

I am a beginner at proxying, and I get errors when I send mail, for example from my Outlook account to Yandex.
Here are the error logs from clamsmtp with the above SMTP configuration:


```
clamsmtpd: cleaning up completed thread
clamsmtpd: created thread for connection
clamsmtpd: 100007: processing 5 on thread 68b400
clamsmtpd: 100007: accepted connection from: 192.168.8.11
clamsmtpd: 100007: SERVER connected to: 52.97.232.194
clamsmtpd: 100007: SERVER < 220 ZR0P278CA0026.outlook.office365.com Microsoft ESMTP MAIL Service ready at T
clamsmtpd: 100007: intercepting initial response
clamsmtpd: 100007: CLIENT > 220 smtp.passthru
clamsmtpd: 100007: CLIENT < EHLO [192.168.8.11]
clamsmtpd: 100007: SERVER > EHLO [192.168.8.11]
clamsmtpd: 100007: SERVER < 250-ZR0P278CA0026.outlook.office365.com Hello [212.154.86.180]
clamsmtpd: 100007: intercepting host response
clamsmtpd: 100007: CLIENT > 250-smtp.passthru
clamsmtpd: 100007: SERVER < 250-SIZE 157286400
clamsmtpd: 100007: CLIENT > 250-SIZE 157286400
clamsmtpd: 100007: SERVER < 250-PIPELINING
clamsmtpd: 100007: filtered ESMTP feature: PIPELINING
clamsmtpd: 100007: SERVER < 250-DSN
clamsmtpd: 100007: CLIENT > 250-DSN
clamsmtpd: 100007: SERVER < 250-ENHANCEDSTATUSCODES
clamsmtpd: 100007: CLIENT > 250-ENHANCEDSTATUSCODES
clamsmtpd: 100007: SERVER < 250-STARTTLS
clamsmtpd: 100007: filtered ESMTP feature: STARTTLS
clamsmtpd: 100007: SERVER < 250-8BITMIME
clamsmtpd: 100007: CLIENT > 250-8BITMIME
clamsmtpd: 100007: SERVER < 250-BINARYMIME
clamsmtpd: 100007: filtered ESMTP feature: BINARYMIME
clamsmtpd: 100007: SERVER < 250-CHUNKING
clamsmtpd: 100007: filtered ESMTP feature: CHUNKING
clamsmtpd: 100007: SERVER < 250 SMTPUTF8
clamsmtpd: 100007: CLIENT > 250 SMTPUTF8
clamsmtpd: 100007: CLIENT < QUIT
clamsmtpd: 100007: SERVER > QUIT
clamsmtpd: 100007: SERVER < 221 2.0.0 Service closing transmission channel
clamsmtpd: 100007: CLIENT > 221 2.0.0 Service closing transmission channel
clamsmtpd: 100007: CLIENT connection closed
clamsmtpd: 100007: SERVER connection closed
```

Error Message from Thunderbird:

Sending of the message failed.
An error occurred while sending mail: Unable to establish a secure link with Outgoing server (SMTP) smtp.outlook.com using STARTTLS since it doesn't advertise that feature. Switch off STARTTLS for that server or contact your service provider.

*2) second scenario*

```
clamsmtpd: cleaning up completed thread
clamsmtpd: created thread for connection
clamsmtpd: 100004: processing 4 on thread 68be00
clamsmtpd: 100004: accepted connection from: 192.168.8.11
clamsmtpd: 100004: SERVER connected to: 52.97.232.194
clamsmtpd: 100004: SERVER < 220 ZR0P278CA0019.outlook.office365.com Microsoft ESMTP MAIL Service ready at T
clamsmtpd: 100004: intercepting initial response
clamsmtpd: 100004: CLIENT > 220 smtp.passthru
clamsmtpd: 100004: CLIENT < EHLO [192.168.8.11]
clamsmtpd: 100004: SERVER > EHLO [192.168.8.11]
clamsmtpd: 100004: SERVER < 250-ZR0P278CA0019.outlook.office365.com Hello [212.154.86.180]
clamsmtpd: 100004: intercepting host response
clamsmtpd: 100004: CLIENT > 250-smtp.passthru
clamsmtpd: 100004: SERVER < 250-SIZE 157286400
clamsmtpd: 100004: CLIENT > 250-SIZE 157286400
clamsmtpd: 100004: SERVER < 250-PIPELINING
clamsmtpd: 100004: filtered ESMTP feature: PIPELINING
clamsmtpd: 100004: SERVER < 250-DSN
clamsmtpd: 100004: CLIENT > 250-DSN
clamsmtpd: 100004: SERVER < 250-ENHANCEDSTATUSCODES
clamsmtpd: 100004: CLIENT > 250-ENHANCEDSTATUSCODES
clamsmtpd: 100004: SERVER < 250-STARTTLS
clamsmtpd: 100004: filtered ESMTP feature: STARTTLS
clamsmtpd: 100004: SERVER < 250-8BITMIME
clamsmtpd: 100004: CLIENT > 250-8BITMIME
clamsmtpd: 100004: SERVER < 250-BINARYMIME
clamsmtpd: 100004: filtered ESMTP feature: BINARYMIME
clamsmtpd: 100004: SERVER < 250-CHUNKING
clamsmtpd: 100004: filtered ESMTP feature: CHUNKING
clamsmtpd: 100004: SERVER < 250 SMTPUTF8
clamsmtpd: 100004: CLIENT > 250 SMTPUTF8
clamsmtpd: 100004: CLIENT < MAIL FROM:<x@outlook.com> BODY=8BITMIME SIZE=418
clamsmtpd: 100004: SERVER > MAIL FROM:<x@outlook.com> BODY=8BITMIME SIZE=418
clamsmtpd: 100004: SERVER < 451 5.7.3 STARTTLS is required to send mail [ZR0P278CA0019.CHEP278.PROD.OUTLOOK
clamsmtpd: 100004: CLIENT > 451 5.7.3 STARTTLS is required to send mail [ZR0P278CA0019.CHEP278.PROD.OUTLOOK
clamsmtpd: 100004: CLIENT connection closed
clamsmtpd: 100004: SERVER connection closed
```

Error Message from Thunderbird:

An error occurred while sending mail. The mail server responded: 5.7.3 STARTTLS is required to send mail [ZR0P278CA0019.CHEP278.PROD.OUTLOOK.COM]. Please verify that your email address is correct in your account settings and try again.

Here is the ClamSMTP config with transparent proxy mode:


```
# ------------------------------------------------------------------------------
#                        SAMPLE CLAMSMTPD CONFIG FILE
# ------------------------------------------------------------------------------
#
# - Comments are a line that starts with a #
# - All the options are found below with sample settings


# The address to send scanned mail to.
# This option is required unless TransparentProxy is enabled
#OutAddress: 10026

# The maximum number of connection allowed at once.
# Be sure that clamd can also handle this many connections
MaxConnections: 64

# Amount of time (in seconds) to wait on network IO
TimeOut: 180

# Keep Alives (ie: NOOP's to server)
#KeepAlives: 0

# Send XCLIENT commands to receiving server
#XClient: off

# Address to listen on (defaults to all local addresses on port 10025)
Listen: 0.0.0.0:10025

# The address clamd is listening on
ClamAddress: /var/run/clamav/clamd.sock

# A header to add to all scanned email
Header: X-Virus-Scanned: ClamAV using ClamSMTP %i

# Directory for temporary files
TempDirectory: /tmp

# What to do when we see a virus (use 'bounce' or 'pass' or 'drop')
Action: drop

# Whether or not to keep virus files
#Quarantine: off

# Enable transparent proxy support
TransparentProxy: on

# User to switch to
User: clamav
```


Here is the IPFW config:


```
ipfw -q -f flush

ipfw -q add 1 allow all from any to any out via lo0
ipfw -q add 2 allow all from any to any in via lo0

#ipfw -q add 3 fwd 127.0.0.1,8443 tcp from 192.168.8.0/24 to any 443

## SMTP/SMTPS MAIL PROXY
ipfw -q add 100 fwd 127.0.0.1,10025 tcp from 192.168.8.0/24 to any 587
ipfw -q add 101 fwd 127.0.0.1,10025 tcp from 192.168.8.0/24 to any 25

ipfw -q add 65534 allow ip from any to any
```

Here is the PF config:


```
int_if = "igb1"
ext_if = "igb0"
int_net = "192.168.8.0/24"

set loginterface igb0

# Do not skip lo, we have rules for lo conns
#set skip on lo

scrub in log all

nat on igb0 from { !igb0 } to any -> (igb0)

pass out quick on lo0 from any to any
pass in quick on lo0 from any to any

pass in quick on igb0 proto { tcp udp } from any to any port 53
pass in quick on igb1 proto { tcp udp } from any to any port 53
```


----------
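The two clamsmtpd traces above show the same mechanism behind both Thunderbird errors: the upstream server advertises `250-STARTTLS`, clamsmtpd logs `filtered ESMTP feature: STARTTLS` and never relays that capability to the client, so the client either refuses to continue (scenario 1) or proceeds in cleartext and is rejected with `5.7.3 STARTTLS is required` (scenario 2). The following is an added example, not code from the original post or from the ClamSMTP project: a small parser that runs over clamsmtpd log lines grouped by connection id and reports which capabilities the proxy dropped between server and client. The sample log embedded in it is a constructed, abridged copy of the second trace quoted above.

```python
import re
from collections import defaultdict

# Constructed sample: an abridged copy of the second clamsmtpd trace quoted in
# the post. Only the lines needed to show the failure mode are kept.
SAMPLE_LOG = """\
clamsmtpd: 100004: accepted connection from: 192.168.8.11
clamsmtpd: 100004: SERVER connected to: 52.97.232.194
clamsmtpd: 100004: SERVER < 250-ZR0P278CA0019.outlook.office365.com Hello [212.154.86.180]
clamsmtpd: 100004: CLIENT > 250-smtp.passthru
clamsmtpd: 100004: SERVER < 250-SIZE 157286400
clamsmtpd: 100004: CLIENT > 250-SIZE 157286400
clamsmtpd: 100004: SERVER < 250-PIPELINING
clamsmtpd: 100004: filtered ESMTP feature: PIPELINING
clamsmtpd: 100004: SERVER < 250-STARTTLS
clamsmtpd: 100004: filtered ESMTP feature: STARTTLS
clamsmtpd: 100004: SERVER < 250-8BITMIME
clamsmtpd: 100004: CLIENT > 250-8BITMIME
clamsmtpd: 100004: SERVER < 250 SMTPUTF8
clamsmtpd: 100004: CLIENT > 250 SMTPUTF8
clamsmtpd: 100004: CLIENT < MAIL FROM:<x@outlook.com> BODY=8BITMIME SIZE=418
clamsmtpd: 100004: SERVER > MAIL FROM:<x@outlook.com> BODY=8BITMIME SIZE=418
clamsmtpd: 100004: SERVER < 451 5.7.3 STARTTLS is required to send mail [ZR0P278CA0019.CHEP278.PROD.OUTLOOK
clamsmtpd: 100004: CLIENT > 451 5.7.3 STARTTLS is required to send mail [ZR0P278CA0019.CHEP278.PROD.OUTLOOK
"""

# "clamsmtpd: <connection id>: <rest>"; housekeeping lines without an id are skipped.
LINE_RE = re.compile(r"^clamsmtpd: (?P<conn>\d+): (?P<rest>.*)$")
# An EHLO capability line in either direction: "250-KEYWORD [params]" or "250 KEYWORD".
# The keyword must be upper-case alphanumerics, so the greeting ("250-host Hello ...")
# and the proxy's own banner ("250-smtp.passthru") are not counted as capabilities.
CAP_RE = re.compile(r"^(?P<dir>SERVER <|CLIENT >) 250[- ](?P<kw>[A-Z0-9]+)(?: .*)?$")
FILTERED_RE = re.compile(r"^filtered ESMTP feature: (?P<kw>[A-Z0-9]+)$")
# A 4xx/5xx reply from the real server; the text carries the enhanced status code.
REJECT_RE = re.compile(r"^SERVER < (?P<code>[45]\d\d) (?P<text>.*)$")


def new_record():
    return {"server_offered": set(), "client_saw": set(),
            "filtered": set(), "server_rejects": []}


def parse_connections(log_text):
    """Group clamsmtpd log lines by connection id and extract what matters for
    the STARTTLS question: capabilities the upstream server offered, the ones
    the client was actually shown, the ones clamsmtpd reports as filtered, and
    any error replies the upstream server sent."""
    conns = defaultdict(new_record)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec, rest = conns[m.group("conn")], m.group("rest")
        cap = CAP_RE.match(rest)
        if cap:
            side = "server_offered" if cap.group("dir") == "SERVER <" else "client_saw"
            rec[side].add(cap.group("kw"))
            continue
        filt = FILTERED_RE.match(rest)
        if filt:
            rec["filtered"].add(filt.group("kw"))
            continue
        rej = REJECT_RE.match(rest)
        if rej:
            rec["server_rejects"].append((rej.group("code"), rej.group("text")))
    return dict(conns)


def starttls_stripped(rec):
    """True when the upstream server advertised STARTTLS but the proxy did not
    pass it on, i.e. the client-to-proxy hop cannot be upgraded to TLS no
    matter what the client is configured to require."""
    return "STARTTLS" in rec["server_offered"] and "STARTTLS" not in rec["client_saw"]


def diagnose(rec):
    """Return human-readable findings for one connection."""
    findings = []
    for kw in sorted(rec["server_offered"] - rec["client_saw"]):
        how = "reported as filtered by clamsmtpd" if kw in rec["filtered"] else "not relayed"
        findings.append(f"capability {kw} offered by server, {how}")
    if starttls_stripped(rec):
        findings.append("client cannot negotiate STARTTLS through this proxy: a client "
                        "that requires it will abort, and a server that requires it "
                        "will reject the transaction")
    for code, text in rec["server_rejects"]:
        findings.append(f"upstream rejected with {code}: {text}")
    return findings


if __name__ == "__main__":
    for conn_id, rec in parse_connections(SAMPLE_LOG).items():
        print(f"connection {conn_id}:")
        for finding in diagnose(rec):
            print("  -", finding)
```

Run against a real clamsmtpd log (for example by piping `grep clamsmtpd /var/log/maillog` into `parse_connections`), a connection flagged by `starttls_stripped` is one where the proxy, not the firewall rules, is the reason mail submission fails; the capability list also makes visible the other extensions clamsmtpd strips (PIPELINING, CHUNKING, BINARYMIME) so that it can buffer the message for scanning.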



## covacat (Aug 3, 2021)

You can't transparently proxy TLS (one of its purposes is protecting against MITM eavesdropping).
It looks like the proxy filters the MSFT servers' STARTTLS capability.

Where TLS transproxying is done, it's done by trusting a MITM cert that impersonates the real destination (Windows AV/firewalls used to do this).
You are better off running a local MTA with a ClamAV plugin, or a MUA ClamAV plugin.


----------



## hardworkingnewbie (Aug 3, 2021)

Clamsmtpd seems to have received no updates since around 2010, or the TLS fork since 2015.

There are well-maintained and established alternatives around which can do virus scans without many problems, like amavisd-new, MailScanner, rspamd (my new personal favorite), or just integrate clamd directly into your own MTA.

As a workaround for your Thunderbird problem, though, I suggest this, in case it only needs to be done for this outlook.com mail address: install Nullmailer locally. Configure it to listen on localhost port 10025 without encryption, and relay all mail with transport encryption to outlook.com.

Connect Clamsmtp locally to port 25, and hook it up with Nullmailer at port 10025. That should do the job well enough with your preferred package of choice.

Please note that running ipfw and pf in parallel is not recommended.


----------

