[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [msmtp-users] Proxy support patch



On Tue, Oct 14, 2014 at 10:47:20AM +0200, Martin Lambers wrote:
> > AFAIK, SOCKS4 is totally dead. Some older systems still do SOCKS4a,
> > but it's not that common. It was already implemented so I kept it.
> 
> Then let's start with SOCKS5 only, and add other variants only if
> required.
> 
> > > 2. Nobody protects the SOCKS5 protocol with TLS, right?
> > 
> > I'm sure there exists *some* person who does this, but it's not common
> > in the slightest.
> 
> Good, then let's start with the simple solution here, too.
> 
> > > 3. Is there a valid use case for SOCKS5 authentication? It only
> > > supports unprotected user/password transmission (well, and GSSAPI,
> > > but nobody uses that). This makes it pretty useless.
> > 
> > It's really not any more work to do the basic user/password
> > authentication than it is to do the normal protocol. It just adds one
> > extra step.
> 
> That's right. Still, msmtp currently refuses to send authentication
> data in plaintext over the net unless you force it, and I hesitate to
> add such functionality for proxies. In this day and age, if you add
> network-based authentication methods, they absolutely have to be
> secure.
> 
> I propose the attached patch, which currently uses "localhost:1080" as
> hardcoded proxy (this can be changed later). I tested it against  'ssh
> -D 1080 -N mys-ssh-server'.
> 
> It is similar in functionality to your patch, but
> - only implements SOCKS5 without authentication
> - improves error diagnostics for the proxy connection
> 
> What do you think?
> 
> Martin

Yeah, I'd much rather start out with something simple that works, and
I'm not a huge fan of sending my info in the clear, even over my local
network. Your feedback to the user is much more verbose. I would just
break out the debugger if it didn't work right. :)

I tested the patch as well; it works just fine. My only concern is that
it doesn't give the AI_NUMERICHOST hint when resolving the proxy
server's address. Without that hint a malconfigured client could
possibly attempt to do a nameserver query. Yes, it's the person who set
it up's fault if that happens, but everybody makes mistakes. 

CustaiCo