2 Firewall avoidance measures

[Jeremy Howard]

If you don't need to access IMAP or SMTP from work, or your workplace is modern enough to allow you to connect directly to FastMail.FM using IMAP or SMTP, then you don't need to read this. If your workplace has one of those annoying firewalls with blocked ports everywhere, then this will be of interest to you.

Please, if you're not behind a firewall that is stopping you from accessing FastMail.FM, do not use the measures detailed below, because they're slower for you and more resource intensive for us.

You can now access FastMail.FM IMAP by using the server imap.proxy.fastmail.fm. Which port you ask? Any port will do (except port 80)! Try using port 443, and if that doesn't work, try 70, 22, 23, or 21. 443 is often open because it is for SSL HTTP connections (i.e. secure web sites) which are hard to proxy and should never be cached. For other services, here are the servers to use (again, any port at all will work, as long as it is not blocked by your firewall):

• imap.proxy.fastmail.fm: Normal IMAP
• imaps.proxy.fastmail.fm: SSL secured IMAP
• smtp.proxy.fastmail.fm: SMTP
• pop.proxy.fastmail.fm: POP
• pops.proxy.fastmail.fm: SSL secured POP
• http.proxy.fastmail.fm: HTTP (standard web site)
• https.proxy.fastmail.fm: HTTPS (SSL secured web)

You're unlikely to need http/https.proxy.fastmail.fm, since it would be an odd work-place that blocked web sites... still, it could be useful if you have a port open but don't have access to port 80 because you don't have rights to use the proxy server.

Once you've found a port that's open on your firewall, you can use the same port for all of your services.

----techie hack follows----
The only people still stuck are those behind a firewall with no ports open, where the only access to the internet is through an HTTP proxy server (these sites can use no internet service other than the web). If that's you, you need to grab http://jhoward.fastmail.fm/tunnel.zip (if you run Windows) and follow the instructions in the enclosed readme. To actually run the tunnel software run "htc_fm.vbs". To stop the tunnel you have to kill the 'htc' processes using task manager. Please note that this "HTTP tunneling" is considered highly experimental and at this stage is only for people familiar with networking prepared to support themselves. No support for this will be provided by the webmaster email address. However if you do play with it please report your results on the forum. Full source code is available--I've been finding it a bit flakey, so if you improve things by hacking the code please share your results!

[Edwin]

It's worth noting that some less-than-enlightened companies may see such vigorous attempts to circumvent the security they have put in place surrounding corporate internet access as a serious breach of workplace regulations, with whatever minor or major consequences that brings in the organization you work for.

But as long as you know and are aware of what you're doing, Jeremy's suggestions should be very welcome!

[Jeremy Howard]

True. Where "less-than-enlightened" is defined as "brain-dead-tyrants"...

Seriously, thanks for pointing this out Edwin--it's a good point. Now everyone go and read another thread so that I can rant in peace in the rest of this post...

There's no excuse for not letting connection attempts on IMAP, POP, and SMTP ports out of a company firewall. There's good security reasons not to let them in but that's another matter altogether. In my experience across-the-board port-blocking is most often caused by either laziness (IT department can't be bothered learning about how to secure a network without obstructing users) or just the general need to feel powerful.

When I worked as a management consultant I worked in a wide range of large companies, almost all of which blocked almost all outgoing ports, and none of which were able to justify their actions when I asked them about it. And in each case I saw users lose hours of time because of their inability to use Internet services that they required.

So I'm unapologetically helping those obstructed by these policies. But of course if your work-place has a "though shalt not constructively utilise the full power of the Internet to make you more productive in your job" policy, then arguments to IT management that the policy is stupid are likely to fall of deaf ears. So be aware of your company's security policies before you decide to bypass any "security" measures.

[pobelly]

i hope this means you're feeling better.

[emailmaniac]

Quote:

Originally posted by pobelly
yay! ranting!

Yep! He's back in top form, isn't he?!?

[heldopsokken]

What about a firewall and no DNS in the network. What to do then. I can use explorer and I guess that the lookup's are forwareded to the proxy.

Grtz, Held

[Jeremy Howard]

If you don't have DNS other than through the http proxy, but you do have an open port through your firewall, then use the IP addresses instead. Here they are:

• smtp 64.49.230.104
• imap 64.49.230.102
• imaps 64.49.230.101
• pop 64.49.230.100
• pops 64.49.230.99
• http 64.49.230.98
• https 64.49.230.97

[Mark Flaws]

I'm one of those that must use a proxy server at work. Here is my experience with HTTP Tunneling:

It usually works for the first IMAP connection - pulls down new emails. Subsequent connection (or maybe after a timout?), e.g. to move/delete an email, just clocks. Have to kill/restart tunneling to continue. Using NT4SP6, Mozilla 0.9.7.

Thanks for thinking of us. I'll post if I get it to work better.

[rpiccand]

I've struggled trying to install the above-mentionned HTTP tunnel with Win2000, without success.

However, it took me just a few seconds to install THE FREE http tunnel, found at http://http-tunnel.com/.

Once installed, configure the proxy (hostname : port). Then goto Settings, Add applications/ports and add "imap.proxy.fastmail.fm", destination port 443 (example) and http-tunnel will give out a "local port" (1024 in this case).

You can now configure your imap settings (in Outlook Express for instance) so that it reaches "localhost" on port "1024" ...

That's it !!

Thank you to the guys at http-tunnel.com !!

Régis

[Jeremy Howard]

Yes, I think that the httptunnel program that we're using is still too flakey. If any C network programming gurus feel like fixing it, the C source is here: http://www.nocrew.org/software/httptunnel.html . Let me know if you make a start because I've got some ideas.

The www.http-tunnel.com service is a good one--sorry I forgot to mention it. They require payment to get better than modem speeds ($5/month) but the free service is fine otherwise.

[Mark Flaws]

Thanks, Régis and Jeremy.

http-tunnel.com is working for me. Rather than going to xxx.proxy.fastmail.fm, I configured it to go directly to fastmail.fm on port 143. I set my IMAP client to localhost 143.

I can feel the sluggish response, but it's ok for light use.

[jam]

My god. That's exactly what I was looking for.
I don't suppose this will still be around when the service goes pay. <wist>

-jam

[mlevin]

I see that you added secure IMAP and POP for non-proxy users. What's the word on secure SMTP?

Thanks

[Jeremy Howard]

Yes for POP and IMAP (port 995 and 993 respectively). No for SMTP (yet).

[mlevin]

Quote:

Originally posted by Jeremy Howard
Yes for POP and IMAP (port 995 and 993 respectively). No for SMTP (yet).

I just tried enabling SSL on IMAP in Outlook Express and it seems to work, but I always get the error dialog "CN does not match" when I start up. Any way to avoid that?

A while back, I was told to use 21 as the alternate SMTP port if 25 was blocked -- I have also seen postings about using 26. Does it make any difference which one I use? Are they all just different instances of the daemon running the same config file?