On Wed, Feb 21, 2018 at 06:42:44PM -0500, Demi M. Obenour wrote:
> 
> 
> On 02/21/2018 04:59 PM, Demi M. Obenour wrote:
> >
> > On 02/21/2018 08:36 AM, awokd wrote:
> >> On Wed, February 21, 2018 12:55 pm, Demi Obenour wrote:
> >>> Weird.  Proxy logs indicate that the proxy never receives a CONNECT
> >>> request from Firefox.
> >>>
> >>> On Feb 21, 2018 4:08 AM, "awokd" <aw...@danwin1210.me> wrote:
> >>>
> >>>
> >>>> On Tue, February 20, 2018 5:09 pm, Demi M. Obenour wrote:
> >>>>
> >>>>> I use GMail and Thunderbird for email, and Firefox as my browser.  I
> >>>>> do email and GitHub from a different domain that is more trusted than
> >>>>> others (it’s blue).
> >>>>>
> >>>>>
> >>>>>
> >>>>> I would love to restrict its networking abilities by using firewall
> >>>>> rules or a filtering proxy.  Sadly, I have not been able to do that
> >>>> without
> >>>>> breaking at least GMail.  For firewall rules, the culprit seems to be
> >>>>>  Google’s use of DNS load balancing, but I am not sure what is
> >>>>> breaking for the filtering proxy.  OCSP stapling?
> >>>>>
> >>>>> I would much prefer to be able to restrict network access, but I
> >>>>> cannot break what needs to work.  Does anyone have suggestions?
> >>>> Probably OCSP stapling like you said. Some filtering proxies can be
> >>>> configured to pass through SSL/TLS sessions unmolested, but then they
> >>>> can't filter them by content. You might also try POP3/SMTP vs. IMAP
> >>>> although Gmail probably uses the same types of certs for both.
> >> Assuming you're on R3.2, have you seen
> >> https://www.qubes-os.org/doc/config/http-filtering-proxy ?
> >> https://www.qubes-os.org/doc/firewall might also be useful if you're
> >> having firewall issues.
> >>
> > I did, and finally figured out the problem:
> >
> > Thunderbird does not support SMTP/IMAP/POP3 over an HTTP proxy, only
> > over a SOCKS proxy.  But the latter is not useful in this case, because
> > a SOCKS5 proxy receives an IP address, not a domain name, and so cannot
> > filter by domain name.  Furthermore, Google uses many, many IP
> > addresses, and rotates them frequently, so one cannot usefully filter by
> > IP address.
> >
> > I am going to be reporting this as a Thunderbird bug — the fix is to use
> > a CONNECT request for SMTP/IMAP/POP3 just as is done for TLS.  In the
> > meantime, I have had no choice but to enable all networking for that
> > domain.  I still gain some security benefit, because Firefox and
> > Thunderbird honor the HTTP proxy settings, and so I cannot accidentally
> > browse to a dangerous site by mistake.
> >
> > I wonder if Evolution would be a better choice than Thunderbird.  It
> > might not have this bug.  Does it have a worse history when it comes to
> > security?
> >
> > Demi
> I just had a further thought: could I work around this?  My thought was
> to use /etc/hosts to force Thunderbird to use a specific IP, then proxy
> that IP using a trivial C program using libcurl.
> 
> Demi
> 

You could try whitelisting IMAP to Google net ranges - get the SPF
records using dig _netblocks.google.com txt
I've tried the hosts entries, but it's pretty difficult to do this
effectively given the somewhat opaque way that Google will reroute
traffic. You may as well sell your soul and use the blocks -
74.125.0.0/16 covers a good deal of Gmail IMAP if I recall.
At least you'll have some restrictions on outgoing traffic.
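The thread turns on one detail: an HTTP filtering proxy can only filter a mail session by domain name if the client first sends a CONNECT request naming that domain, which Thunderbird does for HTTPS but (per the report above) not for IMAP/SMTP/POP3. The following is an added example, not code from the thread, Thunderbird or any proxy: a toy hostname-filtering proxy and a client that issues CONNECT, wired together over an in-process socketpair so it runs offline. The allow-list, the port numbers and the "tunnel-ready" greeting are constructed for illustration.

```python
"""HTTP CONNECT between a client and a hostname-filtering proxy, offline.

Added example. The proxy logic is a toy stand-in for what tinyproxy or
similar does with a CONNECT request: it decides on the hostname and port
in the request line before any bytes of the inner protocol flow.
"""
import socket
import threading

# Constructed allow-list: what a filtering proxy for a mail qube might permit.
ALLOWED_HOSTS = {"imap.gmail.com": {993}, "smtp.gmail.com": {465, 587}}


def _read_headers(sock: socket.socket) -> bytes:
    """Read until the end of the HTTP header block (blank line)."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf


def filtering_proxy(conn: socket.socket, allowed=ALLOWED_HOSTS) -> None:
    """Toy proxy: read one CONNECT request and answer by hostname and port."""
    request_line = _read_headers(conn).split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = request_line.split(" ")
    if len(parts) != 3 or parts[0] != "CONNECT":
        conn.sendall(b"HTTP/1.1 405 Method Not Allowed\r\n\r\n")
        return
    host, _, port_s = parts[1].rpartition(":")
    if not port_s.isdigit():
        conn.sendall(b"HTTP/1.1 400 Bad Request\r\n\r\n")
        return
    if host in allowed and int(port_s) in allowed[host]:
        conn.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n")
        # A real proxy would now open host:port and relay bytes both ways.
        # Here we send a constructed IMAP-style greeting to show the tunnel is up.
        conn.sendall(b"* OK tunnel-ready\r\n")
    else:
        conn.sendall(b"HTTP/1.1 403 Forbidden\r\n\r\n")


def connect_via_proxy(sock: socket.socket, host: str, port: int) -> int:
    """Client side: send CONNECT host:port and return the proxy's status code.

    On 200 the caller keeps using `sock` as a raw stream to host:port
    (wrap it in TLS, then speak IMAP/SMTP). This is the step a mail client
    must take for an HTTP proxy to see the destination hostname at all.
    """
    req = f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n"
    sock.sendall(req.encode("ascii"))
    status_line = _read_headers(sock).split(b"\r\n", 1)[0].decode("ascii", "replace")
    fields = status_line.split(" ")
    if len(fields) < 2 or not fields[1].isdigit():
        raise ConnectionError("proxy closed before answering CONNECT")
    return int(fields[1])


def try_tunnel(host: str, port: int) -> int:
    """Run the client and the toy proxy over a socketpair; return the status."""
    client, proxy_end = socket.socketpair()
    worker = threading.Thread(target=filtering_proxy, args=(proxy_end,))
    worker.start()
    try:
        return connect_via_proxy(client, host, port)
    finally:
        client.close()
        worker.join()
        proxy_end.close()


if __name__ == "__main__":
    print("imap.gmail.com:993 ->", try_tunnel("imap.gmail.com", 993))
    print("evil.example:993  ->", try_tunnel("evil.example", 993))
```

The 403 for a disallowed name is the whole value of the CONNECT step: the proxy never has to know which of Google's rotating addresses the name resolves to. A client that instead opens a raw TCP connection to the resolved IP gives the proxy nothing to decide on, which is the failure the thread describes.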
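The fallback suggested above is to allow-list Google's published netblocks instead of domain names. Those blocks are spread over an SPF include chain (the `dig _netblocks.google.com txt` lookup is one link of it), so the practical job is to walk the chain, collapse the ranges and emit firewall rules. The following is an added example, not from the thread or from Qubes; the record contents in SAMPLE_TXT are constructed stand-ins with the shape of real SPF records (the values are not Google's), and the iptables template, the source address 10.137.2.12 and the port list are assumptions for illustration. Replace `lookup_sample` with a live TXT lookup to use it for real.

```python
"""Walk an SPF include chain into CIDR ranges and render allow rules.

Added example. SAMPLE_TXT is constructed; plug in a real DNS TXT lookup
(any callable name -> list[str]) to run it against live records.
"""
import ipaddress
from typing import Callable, Dict, List, Optional, Set, Tuple, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample of an SPF include chain; shape matches real records, values do not.
SAMPLE_TXT: Dict[str, List[str]] = {
    "_spf.google.com": ["v=spf1 include:_netblocks.google.com include:_netblocks2.google.com ~all"],
    "_netblocks.google.com": ["v=spf1 ip4:74.125.0.0/16 ip4:64.233.160.0/19 ~all"],
    # Overlapping range on purpose, to show collapsing; also an unrelated TXT record.
    "_netblocks2.google.com": ["some-verification=abc", "v=spf1 ip6:2001:4860:4000::/36 ip4:74.125.0.0/16 ~all"],
    # Self-referencing record: a loop the walker must not follow forever.
    "_loop.example": ["v=spf1 include:_loop.example ip4:192.0.2.0/24 -all"],
}


def lookup_sample(name: str) -> List[str]:
    """Stand-in for a DNS TXT query over the constructed data."""
    return SAMPLE_TXT.get(name.lower().rstrip("."), [])


def spf_record(txts: List[str]) -> Optional[str]:
    """Pick the SPF record out of a name's TXT strings, if there is one."""
    for txt in txts:
        if txt.lower().startswith("v=spf1 ") or txt.lower() == "v=spf1":
            return txt
    return None


def expand_spf(name: str, lookup: Callable[[str], List[str]],
               seen: Optional[Set[str]] = None, depth: int = 0) -> Set[Net]:
    """Recursively collect ip4:/ip6: ranges reachable via include:/redirect=.

    Mechanisms that need further DNS (a, mx, ptr, exists) are skipped: they
    carry no literal range. `seen` and `depth` guard against loops and
    against chains longer than the 10 DNS lookups RFC 7208 allows.
    """
    nets: Set[Net] = set()
    seen = seen if seen is not None else set()
    name = name.lower().rstrip(".")
    if name in seen or depth > 10:
        return nets
    seen.add(name)
    rec = spf_record(lookup(name))
    if rec is None:
        return nets
    for term in rec.split()[1:]:
        term = term.lstrip("+")  # "+ip4:" is the same as "ip4:"
        if term.startswith(("ip4:", "ip6:")):
            nets.add(ipaddress.ip_network(term[4:], strict=False))
        elif term.startswith("include:"):
            nets |= expand_spf(term[len("include:"):], lookup, seen, depth + 1)
        elif term.startswith("redirect="):
            nets |= expand_spf(term[len("redirect="):], lookup, seen, depth + 1)
    return nets


def collapse(nets: Set[Net]) -> List[str]:
    """Merge overlapping/adjacent ranges per address family; v4 first, then v6."""
    v4 = sorted(ipaddress.collapse_addresses(n for n in nets if n.version == 4))
    v6 = sorted(ipaddress.collapse_addresses(n for n in nets if n.version == 6))
    return [str(n) for n in v4 + v6]


def render_rules(cidrs: List[str], ports: Tuple[int, ...] = (993, 465, 587),
                 src: str = "10.137.2.12") -> List[str]:
    """Render one ACCEPT rule per (range, port) for the firewall VM.

    The iptables/ip6tables FORWARD template and the mail qube's source
    address are assumptions; adapt to whatever your firewall VM expects.
    """
    rules = []
    for cidr in cidrs:
        tool = "ip6tables" if ":" in cidr else "iptables"
        for port in ports:
            rules.append(f"{tool} -I FORWARD -s {src} -d {cidr} -p tcp --dport {port} -j ACCEPT")
    return rules


if __name__ == "__main__":
    for line in render_rules(collapse(expand_spf("_spf.google.com", lookup_sample))):
        print(line)
```

Two caveats a practitioner should keep in mind: SPF lists the addresses Google sends mail from, which overlap with but are not guaranteed to equal the addresses serving IMAP and SMTP submission, and the published blocks change, so the walk has to be re-run and the rule set regenerated periodically rather than pasted once.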

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20180222021719.m4h2nzkojyfzqirt%40thirdeyesecurity.org.
For more options, visit https://groups.google.com/d/optout.