Oswald Buddenhagen <oswald.buddenha...@gmx.de> writes: > On Thu, Apr 10, 2014 at 07:21:09AM -0400, Chris Nehren wrote: >> On Thu, Apr 10, 2014 at 11:05:36 +0200, Oswald Buddenhagen wrote: >> > On Thu, Apr 10, 2014 at 02:31:54PM +0800, Eric Abrahamsen wrote: >> > > I'm having a hell of a time getting my imap mail through China's >> > > national firewall, even with a VPN. I'm fairly sure it's because all of >> > > my accounts are gmail, and they don't like google/gmail. >> > > >> > if that really is the problem, any kind of tuneling/proxying will do. >> > >> > > Connecting via SSH through the server is another possibility, but SSH >> > > traffic is dicey as well, and I wonder if Google's domain/IP would ever >> > > be visible in the process? >> > > >> > the whole point of ssh tuneling is privacy, so of course nothing of that >> > will be visible. >> >> That depends, actually. If you're not routing DNS through the >> tunnel, then DNS requests will be leaked and the local ISP is >> free to intervene and return whatever they like for them. >> > i don't think there is much to worry about. suppose you use this > command: > > $ ssh -N -L 40143:mail.google.com:143 myproxy.com > > myproxy.com is obviously resolved by your local DNS. you should make > reasonably sure that you actually are getting the ip of your proxy > server, e.g., verifying its fingerprint once you are connected. > > but google.com is resolved by the proxy server. for one, it is resolved > on demand only (i.e., when you actually connect to localhost:40143), and > second because if you log into a NATed network, the client's DNS might > not even know how to resolve the target host. > > fwiw, the best way to use an ssh tunnel with mbsync would be > > Tunnel "ssh myproxy.com tcpconnect mail.google.com 143" > > - in this case it is even more obvious that the resolution will be done > by the proxy, as the tcpconnect command is run there.
Okay, great, thank you for this. I may have succumbed a bit to magical thinking, but it's pretty hard not to get paranoid in these situations -- I think that's part of the point. I'll try with the ssh tunnel, and go from there. Thanks again, Eric ------------------------------------------------------------------------------ Put Bad Developers to Shame Dominate Development with Jenkins Continuous Integration Continuously Automate Build, Test & Deployment Start a new project now. Try Jenkins in the cloud. http://p.sf.net/sfu/13600_Cloudbees _______________________________________________ isync-devel mailing list isync-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/isync-devel
