Squid3 CONNECT imap.gmail.com:993 TCP_DENIED:NONE

blackberry imap squid tcp

I have the following configuration under squid.conf. However, when my Blackberry email client attempts to fetch new emails, etc., the Squid access log shows the following error:

imap.gmail.com "CONNECT imap.gmail.com:993 HTTP/1.1" 403 3465 "-" "-" TCP_DENIED:NONE
smtp.gmail.com "CONNECT smtp.gmail.com:465 HTTP/1.1" 403 3465 "-" "-" TCP_DENIED:NONE

Consequently, no emails are fetched.

acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl SSL_ports port 443
acl Safe_ports port 80    # http
acl Safe_ports port 21    # ftp
acl Safe_ports port 443   # https
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost

What could be the issue? Any way to bypass this?

Best Answer

acl SSL_ports port 443

http_access deny CONNECT !SSL_ports

The CONNECT command is used to build a tunnel through the proxy to some other host. It is usually used by the browser to connect to a remote server via https, i.e. build the tunnel, then upgrade the connection inside the tunnel to SSL, and then speak HTTP inside this SSL tunnel. Since there is a risk that somebody might use this tunnel to connect to arbitrary ports (like port 25 to send spam via SMTP), it is by default restricted to the standard port for https, i.e. 443.

What you are trying to do is to use this tunnel not for https, but for imaps (port 993). This is denied because of these security settings. If you want to allow it you need to add port 993 to the SSL_ports ACL and restart the proxy.
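The rule-order evaluation the answer describes, run over the configuration posted in the question, as an added example (not code from the original post or from the Squid project). It is a small Python model of Squid's first-match http_access logic that covers only the ACL types the posted config uses (proto, src, dst, port, method); src and dst values are compared as plain addresses with the CIDR mask ignored, and the client is assumed to be 127.0.0.1 so that the posted `http_access allow localhost` line can apply. Those are simplifications of the real matcher, not Squid's own code. It shows that with the posted Safe_ports list (only 80, 21 and 443) a CONNECT to port 993 is already denied by `http_access deny !Safe_ports`, before the `deny CONNECT !SSL_ports` line is reached, so the port must be listed in both ACLs; it also adds 465 for the smtp.gmail.com line in the log, and shows that a client on another address is still denied because no rule allows it (when nothing matches, Squid applies the opposite of the last line's action).

```python
"""Model of Squid's first-match http_access evaluation over the posted squid.conf.
Added example, not part of the original post. Only the ACL types used in the posted
config are modelled; src/dst are compared as bare addresses (masks ignored)."""
from dataclasses import dataclass

@dataclass
class Request:
    method: str        # e.g. "CONNECT"
    dst_port: int      # port from the CONNECT target, e.g. 993
    src: str           # client address; assumed to be 127.0.0.1 in the examples
    proto: str = ""    # a CONNECT has no URL scheme, so "proto cache_object" never matches
    dst: str = ""      # resolved destination address, consulted only by "dst" ACLs

# The configuration exactly as posted in the question (constructed copy).
POSTED_CONF = """\
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl SSL_ports port 443
acl Safe_ports port 80    # http
acl Safe_ports port 21    # ftp
acl Safe_ports port 443   # https
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
"""

# Only SSL_ports extended: not enough, because "deny !Safe_ports" is evaluated first.
SSL_ONLY_CONF = POSTED_CONF.replace("acl SSL_ports port 443", "acl SSL_ports port 443 993")

# 993 (imaps) and 465 (smtps) added to both ACLs the http_access lines consult.
FIXED_CONF = (POSTED_CONF
              .replace("acl SSL_ports port 443", "acl SSL_ports port 443 993 465")
              .replace("acl Safe_ports port 443   # https",
                       "acl Safe_ports port 443 993 465   # https imaps smtps"))

def parse_config(text):
    """Return ({acl_name: (type, values)}, [(action, [(negated, acl_name), ...])])."""
    acls, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl":
            name, atype, values = parts[1], parts[2], parts[3:]
            entry = acls.setdefault(name, (atype, set()))
            entry[1].update(values)              # repeated acl lines with one name accumulate
        elif parts[0] == "http_access":
            terms = [(t.startswith("!"), t.lstrip("!")) for t in parts[2:]]
            rules.append((parts[1], terms))
        else:
            raise ValueError(f"directive not modelled: {line}")
    return acls, rules

def port_in(values, port):
    """Squid port ACLs take single ports and lo-hi ranges such as 1025-65535."""
    for v in values:
        lo, _, hi = v.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def acl_matches(acls, name, req):
    atype, values = acls[name]
    if atype == "port":
        return port_in(values, req.dst_port)
    if atype == "method":
        return req.method in values
    if atype == "proto":
        return req.proto in values
    if atype in ("src", "dst"):                  # mask ignored: exact address compare
        return any(v.split("/")[0] == getattr(req, atype) for v in values)
    raise ValueError(f"acl type not modelled: {atype}")

def evaluate(conf, req):
    """First http_access line whose ACL terms all match decides.
    Returns (action, rule_text); rule_text is None when no line matched, in which
    case Squid applies the opposite of the last line's action."""
    acls, rules = parse_config(conf)
    for action, terms in rules:
        if all(acl_matches(acls, name, req) != negated for negated, name in terms):
            text = " ".join(("!" if neg else "") + name for neg, name in terms)
            return action, f"http_access {action} {text}"
    return ("deny" if rules[-1][0] == "allow" else "allow"), None

if __name__ == "__main__":
    imaps = Request("CONNECT", 993, "127.0.0.1")
    for label, conf in (("posted", POSTED_CONF), ("SSL_ports only", SSL_ONLY_CONF), ("fixed", FIXED_CONF)):
        print(f"{label:15} imaps from localhost: {evaluate(conf, imaps)}")
    print("fixed           smtps from localhost:", evaluate(FIXED_CONF, Request("CONNECT", 465, "127.0.0.1")))
    print("fixed           imaps from 192.168.1.20:", evaluate(FIXED_CONF, Request("CONNECT", 993, "192.168.1.20")))
```

Running it prints the deciding rule for each case: the posted config and the SSL_ports-only variant both stop at `http_access deny !Safe_ports`, the fixed config reaches `http_access allow localhost` for 993 and 465, and a client that no allow line covers is still denied. Port 25 stays blocked under the fixed config, which is the property the answer's spam remark is about; after changing the real squid.conf, a reload (or restart, as the answer says) is still needed for Squid to pick the ACLs up.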