Problem with Squid3 and outgoing email (SMTP)
Hi everyone, long time no see.
I set up a fresh pfSense installation (2.3.4_1) in my workplace, and set up DHCP server, DNS forwarder (I find it more friendly than DNS resolver), Squid3 and SquidGuard to use as a proxy. I had done this in version 2.2.X, but I wished to upgrade and be up to date. Also, I configured the proxy to be explicit, using WPAD/PAC (in 2.2.X I used to have it transparent).
Until here, all good: I created the blacklist using the blacklist file from shallalist.de, I made a custom target category called "White_List" where I put my whitelisted addresses, and all worked as expected, except for 2 topics:
1.- Now, most of the HTTPS connections that are blocked by SquidGuard (or are not whitelisted) appear with the error message: "ERR_TUNNEL_CONNECTION_FAILED" (Google Chrome browser)
2.- Every time someone (it happens with all the employees) tries to send an email, the "sending" task gets stuck and the message doesn't go out; incoming email is received without any kind of issue.
The email client is Outlook; the POP3 protocol is using port 110, the SMTP protocol is using port 587.
The email server is outside the network (a rented remote server, not Exchange).
As far as I know, Squid has no reason to mess with SMTP, but when I was using it as a transparent proxy, I used to see it "blocking" the communication with other apps and programs like Spotify, Dropbox, Skype, etc., by showing a "TLS Handshake error", so I have my reasons to think that Squid could be "blocking" the SMTP communications in the same (or a similar) way.
For now, the users are using another pfSense without Squid in the meantime, so their activities don't get interrupted. All is functioning as desired (except that I can't filter what they are allowed to see).
Is there a way to prevent Squid from doing this?
The reason why SMTP stopped working? I don't know…
How I solved it? In "Services" -> "Squid Proxy Server" -> "ACLs" I went to the field "Unrestricted IPs" and set my LAN net in CIDR format (192.168.1.0/24), then I went to the field "ACL SSLPorts" and set this: "2096 587 443 563"
After saving, applying and a reboot, SMTP was working again.
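As an added illustration (not part of the thread and not pfSense's own generated config), here is what the two GUI fields above correspond to in plain squid.conf terms. The `acl` / `http_access` lines use stock Squid syntax; that pfSense's "ACL SSLPorts" and "Unrestricted IPs" fields generate equivalent lines, and the name `unrestricted_hosts`, are assumptions made for this example. It also shows the narrower change (only the port list) next to the broader one (whole LAN unrestricted) so the two can be compared.

```squid
# Added example, not from the thread or from pfSense. Stock Squid only lets a
# CONNECT tunnel through to ports listed in SSL_ports; an SMTP submission on
# 587 through an explicit proxy is a CONNECT to a port that was not listed,
# which is consistent with the "sending" task hanging.

acl CONNECT method CONNECT

# Port list as set in the post's "ACL SSLPorts" field (587 is the new entry).
acl SSL_ports port 2096 587 443 563

# Stock Squid "safe" destination ports for plain (non-CONNECT) requests.
acl Safe_ports port 80 21 443 70 210 1025-65535 280 488 591 777

# What the post's "Unrestricted IPs" field amounts to (assumption): a source
# ACL allowed BEFORE the port checks. Squid evaluates http_access in order,
# first match wins, so every host in 192.168.1.0/24 skips the two deny rules
# below and may CONNECT to any port at all. For the SMTP symptom alone this is
# broader than needed; leave these two lines commented out to keep the port
# restrictions in force for the whole LAN.
#acl unrestricted_hosts src 192.168.1.0/24
#http_access allow unrestricted_hosts

# Stock Squid rules. With 587 in SSL_ports the second rule no longer matches
# the mail client's tunnel, which is the actual fix.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# Remaining access policy (LAN allowed, everyone else denied).
acl localnet src 192.168.1.0/24
http_access allow localnet
http_access deny all
```

After editing a real squid.conf by hand, `squid -k parse` checks the syntax without restarting the service; a client that still cannot reach port 587 will then show up in access.log as a `TCP_DENIED` line for a `CONNECT host:587` request, which is the quickest way to confirm whether the port list or something else is the cause.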