显示HN：SMTP隧道 – 伪装成电子邮件流量的SOCKS5代理，用于绕过DPI

显示HN：SMTP隧道 – 伪装成电子邮件流量的SOCKS5代理，用于绕过DPI
Show HN: SMTP Tunnel – A SOCKS5 proxy disguised as email traffic to bypass DPI

原始链接: https://github.com/x011/smtp-tunnel-proxy

## SMTP隧道代理：摘要 SMTP隧道代理创建一个高速、隐蔽的隧道，将流量伪装成标准的SMTP电子邮件通信，以绕过深度包检测（DPI）防火墙。它建立一个SOCKS5代理（默认端口1080），允许任何应用程序通过隧道路由流量。 **主要特点：** TLS加密，通过SMTP握手模拟规避DPI，多用户支持，具有每用户的密钥和IP白名单，以及通过一键脚本在Linux VPS上轻松安装（需要Python 3.8+）。提供适用于Windows、macOS和Linux的客户端。 **设置：** 需要一个域名（推荐DuckDNS）用于TLS证书验证。安装程序可自动生成证书和配置服务。用户通过命令行工具添加，生成带有预配置设置的客户端包。 **安全性：** 强调TLS 1.2+加密，使用HMAC-SHA256进行每用户身份验证，并提供可选的IP白名单进行访问控制。提供详细的技术文档和安全分析。 **重要提示：** 此工具旨在用于合法的隐私和反审查，用户有责任遵守所有适用法律。

## SMTP隧道：绕过深度包检测一个新项目，[smtp-tunnel-proxy](https://github.com/x011/smtp-tunnel-proxy)，提供了一个伪装成正常SMTP电子邮件流量的SOCKS5代理，旨在绕过深度包检测（DPI）防火墙。该工具创建一个本地代理，通过SMTP会话隧道传输流量，对网络监控而言，看起来像是合法的电子邮件通信。主要功能包括在Linux VPS上的一键安装，具有安全功能的的多用户支持，自动生成的客户端包以及自动重连。虽然可能对规避审查有用，但评论员指出，大量的类似SMTP的流量很容易被标记为可疑。讨论强调了SMTP作为伪装的局限性，建议HTTPS或WebRTC等协议由于其更高的流量和复杂性，效果更好。一些用户分享了使用类似技术（如通过HTTPS的SSH）绕过网络限制的经验。该项目的起源存在争议，一些人推测可能是由于readme的风格而使用了AI辅助。最终，该工具的有效性取决于它试图绕过的特定DPI实现。

原文

A high-speed covert tunnel that disguises TCP traffic as SMTP email communication to bypass Deep Packet Inspection (DPI) firewalls.

┌─────────────┐      ┌─────────────┐      ┌─────────────┐      ┌──────────────┐
│ Application │─────▶│   Client    │─────▶│   Server    │─────▶│  Internet    │
│  (Browser)  │ TCP  │ SOCKS5:1080 │ SMTP │  Port 587   │ TCP  │              │
│             │◀─────│             │◀─────│             │◀─────│              │
└─────────────┘      └─────────────┘      └─────────────┘      └──────────────┘
                            │                    │
                            │   Looks like       │
                            │   Email Traffic    │
                            ▼                    ▼
                     ┌────────────────────────────────┐
                     │     DPI Firewall               │
                     │  ✅ Sees: Normal SMTP Session  │
                     │  ❌ Cannot see: Tunnel Data    │
                     └────────────────────────────────┘

Feature	Description
🔒 TLS Encryption	All traffic encrypted with TLS 1.2+ after STARTTLS
🎭 DPI Evasion	Initial handshake mimics real SMTP servers (Postfix)
⚡ High Speed	Binary streaming protocol after handshake - minimal overhead
👥 Multi-User	Per-user secrets, IP whitelists, and logging settings
🔑 Authentication	Per-user pre-shared keys with HMAC-SHA256
🌐 SOCKS5 Proxy	Standard proxy interface - works with any application
📡 Multiplexing	Multiple connections over single tunnel
🛡️ IP Whitelist	Per-user access control by IP address/CIDR
📦 Easy Install	One-liner server installation with systemd service
🎁 Client Packages	Auto-generated ZIP files for each user
🔄 Auto-Reconnect	Client automatically reconnects on connection loss

📚 For in-depth technical details, protocol specifications, and security analysis, see TECHNICAL.md.

Server: Linux VPS with Python 3.8+, port 587 open
Client: Windows/macOS/Linux with Python 3.8+
Domain name: Required for TLS certificate verification (free options: DuckDNS, No-IP, FreeDNS)

Step 1️⃣: Get a Domain Name

Get a free domain pointing to your VPS:

🦆 DuckDNS - Recommended, simple and free
🌐 No-IP - Free tier available
🆓 FreeDNS - Many domain options

Example: myserver.duckdns.org → 203.0.113.50 (your VPS IP)

Step 2️⃣: Run the Installer

curl -sSL https://raw.githubusercontent.com/x011/smtp-tunnel-proxy/main/install.sh | sudo bash

The installer will:

📥 Download and install everything
❓ Ask for your domain name
🔐 Generate TLS certificates automatically
👤 Offer to create your first user
🔥 Configure firewall
🚀 Start the service

That's it! Your server is ready.

smtp-tunnel-adduser bob      # Add user + generate client ZIP
smtp-tunnel-listusers        # List all users
smtp-tunnel-deluser bob      # Remove a user

smtp-tunnel-update           # Updates code, preserves config/certs/users

Option A: Easy Way (Recommended)

Get your username.zip file from the server admin
Extract the ZIP file
Run the launcher:

Platform	How to Run
🪟 Windows	Double-click `start.bat`
🐧 Linux	Run `./start.sh`
🍎 macOS	Run `./start.sh`

The launcher will automatically install dependencies and start the client.

✅ You should see:

SMTP Tunnel Proxy Client
User: alice

[INFO] Starting SMTP Tunnel...
[INFO] SOCKS5 proxy will be available at 127.0.0.1:1080

Connecting to myserver.duckdns.org:587
Connected - binary mode active
SOCKS5 proxy on 127.0.0.1:1080

cd alice
pip install -r requirements.txt
python client.py

Option C: Custom Configuration

# Download files
scp [email protected]:/etc/smtp-tunnel/ca.crt .

# Create config.yaml:
cat > config.yaml << EOF
client:
  server_host: "myserver.duckdns.org"
  server_port: 587
  socks_port: 1080
  username: "alice"
  secret: "your-secret-from-admin"
  ca_cert: "ca.crt"
EOF

# Run client
python client.py -c config.yaml

🌐 Configure Your Applications

Set SOCKS5 proxy to: 127.0.0.1:1080

Settings → Network Settings → Settings
Manual proxy configuration
SOCKS Host: 127.0.0.1, Port: 1080
Select SOCKS v5
✅ Check "Proxy DNS when using SOCKS v5"

Install "Proxy SwitchyOmega" extension
Create profile with SOCKS5: 127.0.0.1:1080

🪟 Windows (System-wide)

Settings → Network & Internet → Proxy → Manual setup → socks=127.0.0.1:1080

System Preferences → Network → Advanced → Proxies → SOCKS Proxy → 127.0.0.1:1080

export ALL_PROXY=socks5://127.0.0.1:1080

# curl
curl -x socks5h://127.0.0.1:1080 https://ifconfig.me

# git
git config --global http.proxy socks5://127.0.0.1:1080

# Environment variable
export ALL_PROXY=socks5://127.0.0.1:1080

# Should show your VPS IP
curl -x socks5://127.0.0.1:1080 https://ifconfig.me

⚙️ Configuration Reference

🖥️ Server Options (`config.yaml`)

Option	Description	Default
`host`	Listen interface	`0.0.0.0`
`port`	Listen port	`587`
`hostname`	SMTP hostname (must match certificate)	`mail.example.com`
`cert_file`	TLS certificate path	`server.crt`
`key_file`	TLS private key path	`server.key`
`users_file`	Path to users configuration	`users.yaml`
`log_users`	Global logging setting	`true`

👥 User Options (`users.yaml`)

Each user can have individual settings:

users:
  alice:
    secret: "auto-generated-secret"
    # whitelist:              # Optional: restrict to specific IPs
    #   - "192.168.1.100"
    #   - "10.0.0.0/8"        # CIDR notation supported
    # logging: true           # Optional: disable to stop logging this user

  bob:
    secret: "another-secret"
    whitelist:
      - "203.0.113.50"        # Bob can only connect from this IP
    logging: false            # Don't log Bob's activity

Option	Description	Default
`secret`	User's authentication secret	Required
`whitelist`	Allowed IPs for this user (CIDR supported)	All IPs
`logging`	Enable activity logging for this user	`true`

Option	Description	Default
`server_host`	Server domain name	Required
`server_port`	Server port	`587`
`socks_port`	Local SOCKS5 port	`1080`
`socks_host`	Local SOCKS5 interface	`127.0.0.1`
`username`	Your username	Required
`secret`	Your authentication secret	Required
`ca_cert`	CA certificate for verification	Recommended

# Check status
sudo systemctl status smtp-tunnel

# Restart after config changes
sudo systemctl restart smtp-tunnel

# View logs
sudo journalctl -u smtp-tunnel -n 100

# Uninstall
sudo /opt/smtp-tunnel/uninstall.sh

🔧 Command Line Options

python server.py [-c CONFIG] [-d]

  -c, --config    Config file (default: config.yaml)
  -d, --debug     Enable debug logging

python client.py [-c CONFIG] [--server HOST] [--server-port PORT]
                 [-p SOCKS_PORT] [-u USERNAME] [-s SECRET] [--ca-cert FILE] [-d]

  -c, --config      Config file (default: config.yaml)
  --server          Override server domain
  --server-port     Override server port
  -p, --socks-port  Override local SOCKS port
  -u, --username    Your username
  -s, --secret      Override secret
  --ca-cert         CA certificate path
  -d, --debug       Enable debug logging

smtp-tunnel-adduser <username> [-u USERS_FILE] [-c CONFIG] [--no-zip]
    Add a new user and generate client package

smtp-tunnel-deluser <username> [-u USERS_FILE] [-f]
    Remove a user (use -f to skip confirmation)

smtp-tunnel-listusers [-u USERS_FILE] [-v]
    List all users (use -v for detailed info)

smtp-tunnel-update
    Update server to latest version (preserves config/certs/users)

smtp_proxy/
├── 📄 server.py               # Server (runs on VPS)
├── 📄 client.py               # Client (runs locally)
├── 📄 common.py               # Shared utilities
├── 📄 generate_certs.py       # Certificate generator
├── 📄 config.yaml             # Server/client configuration
├── 📄 users.yaml              # User database
├── 📄 requirements.txt        # Python dependencies
├── 📄 install.sh              # One-liner server installer
├── 📄 smtp-tunnel.service     # Systemd unit file
├── 🔧 smtp-tunnel-adduser     # Add user script
├── 🔧 smtp-tunnel-deluser     # Remove user script
├── 🔧 smtp-tunnel-listusers   # List users script
├── 🔧 smtp-tunnel-update      # Update server script
├── 📄 README.md               # This file
└── 📄 TECHNICAL.md            # Technical documentation

📦 Installation Paths (after install.sh)

/opt/smtp-tunnel/              # Application files
/etc/smtp-tunnel/              # Configuration files
  ├── config.yaml
  ├── users.yaml
  ├── server.crt
  ├── server.key
  └── ca.crt
/usr/local/bin/                # Management commands
  ├── smtp-tunnel-adduser
  ├── smtp-tunnel-deluser
  ├── smtp-tunnel-listusers
  └── smtp-tunnel-update

Check server is running: systemctl status smtp-tunnel or ps aux | grep server.py
Check port is open: netstat -tlnp | grep 587
Check firewall: ufw status

Verify username and secret match in users.yaml
Check server time is accurate (within 5 minutes)
Run smtp-tunnel-listusers -v to verify user exists

Check user's whitelist in users.yaml
Your current IP must match a whitelist entry
CIDR notation is supported (e.g., 10.0.0.0/8)

❌ "Certificate verify failed"

Ensure you're using a domain name, not IP address
Verify server_host matches the certificate hostname
Ensure you have the correct ca.crt from the server

# Enable detailed logging
python server.py -d
python client.py -d

# View systemd logs
journalctl -u smtp-tunnel -f

✅ Always use a domain name for proper TLS verification
✅ Always use ca_cert to prevent man-in-the-middle attacks
✅ Use smtp-tunnel-adduser to generate strong secrets automatically
✅ Use per-user IP whitelists if you know client IPs
✅ Protect users.yaml - contains all user secrets (chmod 600)
✅ Disable logging for sensitive users with logging: false

📚 For detailed security analysis and threat model, see TECHNICAL.md.

This project is provided for educational and authorized use only. Use responsibly and in accordance with applicable laws.

This tool is designed for legitimate privacy and censorship circumvention purposes. Users are responsible for ensuring their use complies with applicable laws and regulations.

Made with ❤️ for internet freedom