π§ SMTP Tunnel Proxy
A high-speed covert tunnel that disguises TCP traffic as SMTP email communication to bypass Deep Packet Inspection (DPI) firewalls.
βββββββββββββββ βββββββββββββββ βββββββββββββββ ββββββββββββββββ
β Application βββββββΆβ Client βββββββΆβ Server βββββββΆβ Internet β
β (Browser) β TCP β SOCKS5:1080 β SMTP β Port 587 β TCP β β
β ββββββββ ββββββββ ββββββββ β
βββββββββββββββ βββββββββββββββ βββββββββββββββ ββββββββββββββββ
β β
β Looks like β
β Email Traffic β
βΌ βΌ
ββββββββββββββββββββββββββββββββββ
β DPI Firewall β
β β
Sees: Normal SMTP Session β
β β Cannot see: Tunnel Data β
ββββββββββββββββββββββββββββββββββ
π― Features
| Feature | Description |
|---|---|
| π TLS Encryption | All traffic encrypted with TLS 1.2+ after STARTTLS |
| π DPI Evasion | Initial handshake mimics real SMTP servers (Postfix) |
| β‘ High Speed | Binary streaming protocol after handshake - minimal overhead |
| π₯ Multi-User | Per-user secrets, IP whitelists, and logging settings |
| π Authentication | Per-user pre-shared keys with HMAC-SHA256 |
| π SOCKS5 Proxy | Standard proxy interface - works with any application |
| π‘ Multiplexing | Multiple connections over single tunnel |
| π‘οΈ IP Whitelist | Per-user access control by IP address/CIDR |
| π¦ Easy Install | One-liner server installation with systemd service |
| π Client Packages | Auto-generated ZIP files for each user |
| π Auto-Reconnect | Client automatically reconnects on connection loss |
π For in-depth technical details, protocol specifications, and security analysis, see TECHNICAL.md.
β‘ Quick Start
π Prerequisites
- Server: Linux VPS with Python 3.8+, port 587 open
- Client: Windows/macOS/Linux with Python 3.8+
- Domain name: Required for TLS certificate verification (free options: DuckDNS, No-IP, FreeDNS)
π Server Setup (VPS)
Step 1οΈβ£: Get a Domain Name
Get a free domain pointing to your VPS:
- π¦ DuckDNS - Recommended, simple and free
- π No-IP - Free tier available
- π FreeDNS - Many domain options
Example: myserver.duckdns.org β 203.0.113.50 (your VPS IP)
Step 2οΈβ£: Run the Installer
curl -sSL https://raw.githubusercontent.com/x011/smtp-tunnel-proxy/main/install.sh | sudo bashThe installer will:
- π₯ Download and install everything
- β Ask for your domain name
- π Generate TLS certificates automatically
- π€ Offer to create your first user
- π₯ Configure firewall
- π Start the service
That's it! Your server is ready.
β Add More Users Later
smtp-tunnel-adduser bob # Add user + generate client ZIP smtp-tunnel-listusers # List all users smtp-tunnel-deluser bob # Remove a user
π Update Server
smtp-tunnel-update # Updates code, preserves config/certs/usersπ» Client Setup
Option A: Easy Way (Recommended)
- Get your
username.zipfile from the server admin - Extract the ZIP file
- Run the launcher:
| Platform | How to Run |
|---|---|
| πͺ Windows | Double-click start.bat |
| π§ Linux | Run ./start.sh |
| π macOS | Run ./start.sh |
The launcher will automatically install dependencies and start the client.
β You should see:
SMTP Tunnel Proxy Client
User: alice
[INFO] Starting SMTP Tunnel...
[INFO] SOCKS5 proxy will be available at 127.0.0.1:1080
Connecting to myserver.duckdns.org:587
Connected - binary mode active
SOCKS5 proxy on 127.0.0.1:1080
Option B: Manual Way
cd alice
pip install -r requirements.txt
python client.pyOption C: Custom Configuration
# Download files scp root@myserver.duckdns.org:/etc/smtp-tunnel/ca.crt . # Create config.yaml: cat > config.yaml << EOF client: server_host: "myserver.duckdns.org" server_port: 587 socks_port: 1080 username: "alice" secret: "your-secret-from-admin" ca_cert: "ca.crt" EOF # Run client python client.py -c config.yaml
π Usage
π Configure Your Applications
Set SOCKS5 proxy to: 127.0.0.1:1080
π¦ Firefox
- Settings β Network Settings β Settings
- Manual proxy configuration
- SOCKS Host:
127.0.0.1, Port:1080 - Select SOCKS v5
- β Check "Proxy DNS when using SOCKS v5"
π Chrome
- Install "Proxy SwitchyOmega" extension
- Create profile with SOCKS5:
127.0.0.1:1080
πͺ Windows (System-wide)
Settings β Network & Internet β Proxy β Manual setup β socks=127.0.0.1:1080
π macOS (System-wide)
System Preferences β Network β Advanced β Proxies β SOCKS Proxy β 127.0.0.1:1080
π§ Linux (System-wide)
export ALL_PROXY=socks5://127.0.0.1:1080π» Command Line
# curl curl -x socks5h://127.0.0.1:1080 https://ifconfig.me # git git config --global http.proxy socks5://127.0.0.1:1080 # Environment variable export ALL_PROXY=socks5://127.0.0.1:1080
β Test Connection
# Should show your VPS IP
curl -x socks5://127.0.0.1:1080 https://ifconfig.meβοΈ Configuration Reference
π₯οΈ Server Options (config.yaml)
| Option | Description | Default |
|---|---|---|
host |
Listen interface | 0.0.0.0 |
port |
Listen port | 587 |
hostname |
SMTP hostname (must match certificate) | mail.example.com |
cert_file |
TLS certificate path | server.crt |
key_file |
TLS private key path | server.key |
users_file |
Path to users configuration | users.yaml |
log_users |
Global logging setting | true |
π₯ User Options (users.yaml)
Each user can have individual settings:
users: alice: secret: "auto-generated-secret" # whitelist: # Optional: restrict to specific IPs # - "192.168.1.100" # - "10.0.0.0/8" # CIDR notation supported # logging: true # Optional: disable to stop logging this user bob: secret: "another-secret" whitelist: - "203.0.113.50" # Bob can only connect from this IP logging: false # Don't log Bob's activity
| Option | Description | Default |
|---|---|---|
secret |
User's authentication secret | Required |
whitelist |
Allowed IPs for this user (CIDR supported) | All IPs |
logging |
Enable activity logging for this user | true |
π» Client Options
| Option | Description | Default |
|---|---|---|
server_host |
Server domain name | Required |
server_port |
Server port | 587 |
socks_port |
Local SOCKS5 port | 1080 |
socks_host |
Local SOCKS5 interface | 127.0.0.1 |
username |
Your username | Required |
secret |
Your authentication secret | Required |
ca_cert |
CA certificate for verification | Recommended |
π Service Management
# Check status sudo systemctl status smtp-tunnel # Restart after config changes sudo systemctl restart smtp-tunnel # View logs sudo journalctl -u smtp-tunnel -n 100 # Uninstall sudo /opt/smtp-tunnel/uninstall.sh
π§ Command Line Options
π₯οΈ Server
python server.py [-c CONFIG] [-d] -c, --config Config file (default: config.yaml) -d, --debug Enable debug logging
π» Client
python client.py [-c CONFIG] [--server HOST] [--server-port PORT]
[-p SOCKS_PORT] [-u USERNAME] [-s SECRET] [--ca-cert FILE] [-d]
-c, --config Config file (default: config.yaml)
--server Override server domain
--server-port Override server port
-p, --socks-port Override local SOCKS port
-u, --username Your username
-s, --secret Override secret
--ca-cert CA certificate path
-d, --debug Enable debug loggingπ₯ User Management
smtp-tunnel-adduser <username> [-u USERS_FILE] [-c CONFIG] [--no-zip] Add a new user and generate client package smtp-tunnel-deluser <username> [-u USERS_FILE] [-f] Remove a user (use -f to skip confirmation) smtp-tunnel-listusers [-u USERS_FILE] [-v] List all users (use -v for detailed info) smtp-tunnel-update Update server to latest version (preserves config/certs/users)
π File Structure
smtp_proxy/
βββ π server.py # Server (runs on VPS)
βββ π client.py # Client (runs locally)
βββ π common.py # Shared utilities
βββ π generate_certs.py # Certificate generator
βββ π config.yaml # Server/client configuration
βββ π users.yaml # User database
βββ π requirements.txt # Python dependencies
βββ π install.sh # One-liner server installer
βββ π smtp-tunnel.service # Systemd unit file
βββ π§ smtp-tunnel-adduser # Add user script
βββ π§ smtp-tunnel-deluser # Remove user script
βββ π§ smtp-tunnel-listusers # List users script
βββ π§ smtp-tunnel-update # Update server script
βββ π README.md # This file
βββ π TECHNICAL.md # Technical documentation
π¦ Installation Paths (after install.sh)
/opt/smtp-tunnel/ # Application files
/etc/smtp-tunnel/ # Configuration files
βββ config.yaml
βββ users.yaml
βββ server.crt
βββ server.key
βββ ca.crt
/usr/local/bin/ # Management commands
βββ smtp-tunnel-adduser
βββ smtp-tunnel-deluser
βββ smtp-tunnel-listusers
βββ smtp-tunnel-update
π§ Troubleshooting
β "Connection refused"
- Check server is running:
systemctl status smtp-tunnelorps aux | grep server.py - Check port is open:
netstat -tlnp | grep 587 - Check firewall:
ufw status
β "Auth failed"
- Verify
usernameandsecretmatch in users.yaml - Check server time is accurate (within 5 minutes)
- Run
smtp-tunnel-listusers -vto verify user exists
β "IP not whitelisted"
- Check user's whitelist in users.yaml
- Your current IP must match a whitelist entry
- CIDR notation is supported (e.g.,
10.0.0.0/8)
β "Certificate verify failed"
- Ensure you're using a domain name, not IP address
- Verify
server_hostmatches the certificate hostname - Ensure you have the correct
ca.crtfrom the server
π Debug Mode
# Enable detailed logging python server.py -d python client.py -d # View systemd logs journalctl -u smtp-tunnel -f
π Security Notes
- β Always use a domain name for proper TLS verification
- β
Always use
ca_certto prevent man-in-the-middle attacks - β
Use
smtp-tunnel-adduserto generate strong secrets automatically - β Use per-user IP whitelists if you know client IPs
- β
Protect
users.yaml- contains all user secrets (chmod 600) - β
Disable logging for sensitive users with
logging: false
π For detailed security analysis and threat model, see TECHNICAL.md.
π License
This project is provided for educational and authorized use only. Use responsibly and in accordance with applicable laws.
β οΈ Disclaimer
This tool is designed for legitimate privacy and censorship circumvention purposes. Users are responsible for ensuring their use complies with applicable laws and regulations.
Made with β€οΈ for internet freedom