POP3, SMTP protocols should not use proxy
Open, Needs Triage, Public


I'm experiencing and have been investigating the bugs

https://bugs.kde.org/show_bug.cgi?id=379539 = SMTP fails with "the proxy type is invalid for this operation"
https://bugs.kde.org/show_bug.cgi?id=373870 = Kmail tries to use a proxy server to retrieve email

and suspect that they have the same root cause. My setup has the KDE proxy settings to use environment variables, and http_proxy and ssl_proxy set to use a Privoxy proxy. The environment variable setup is used because anything based on QtWebEngine can only use a proxy specified that way - it cannot use the KDE settings.

This works fine for web browsing, but from the Privoxy logs and network traffic it appears that POP3 fetching and SMTP sending are also trying to go through the proxy. This works with Privoxy, which just passes the traffic through, but it may not work with other proxies or caches.

The obvious solution of setting no_proxy to cover the POP3/SMTP hosts doesn't work: the network access does not resolve this correctly and fails with an error deep within QNativeSocketEngine. My suspicion is either a problem in Qt networking, or an anomaly because Qt's parsing of no_proxy is different to KIO's (KIO seems to be more sophisticated).

Trying to fix this, deep within the bowels of either KIO or QtNetwork, has the potential to affect lots of networking code and is a risky solution. The other solution that I have found is to explicitly set a QNetworkProxy::NoProxy application proxy in the POP3 ioslave and the KSmtp session thread. This correctly bypasses the proxy regardless of the setting of no_proxy.

Some users may need to access these services via a proxy, so it should be a configurable option (off by default), a single check box added to the "Advanced" tab of these account setups (in the group box that has "Encryption", "Port" etc).

Unless anyone has ideas on a better solution, I'll tidy up the code that I have so far and start to submit reviews.

This may also need to be done for IMAP.

marten created this task. Nov 9 2017, 12:49 PM
marten added a project: KDE PIM.
knauss added a subscriber: knauss. Nov 9 2017, 4:35 PM

For me it is not clear what ways of configuration come together here. As far as I understand, you have the env variables http_proxy and ssl_proxy; are those created when starting the KDE session?
Then you have the env variable no_proxy that is not recognized by POP/SMTP, but what settings do they use?
And on the other hand we have KDE proxy settings?

All in all this sounds like too many different configurations working against each other. For me it sounds like, first of all, KDE should use http_proxy and ssl_proxy, if they are the standard way to set a proxy for applications; if you set a global proxy, POP/SMTP should also use this proxy by default. A hardcoded exception is not a good idea.

But nevertheless I can understand that it makes sense to have the possibility to override the proxy settings for specific programs/protocols.

Maybe it makes sense to first discuss how the bigger picture should be, before starting to implement: T7050

Just a side note: I personally am trying to make my mail server available through Tor, so I will be forced to use torproxy for SMTP and IMAP. So I will have a different test case :)

marten added a comment. Nov 9 2017, 6:12 PM

Just to clarify, my setup is that http_proxy, ssl_proxy and no_proxy are set up by a login script (so that all desktop processes inherit them). Then in Konqueror's proxy configuration (which is also accessible through System Settings) it is set to use those environment variables ("Use system proxy configuration"). Everything on the desktop therefore uses the same proxy (this includes Konqueror, Chrome, Firefox, Akregator etc).

What happens is that if no_proxy is not set or does not match the POP3/SMTP host, mail access goes through the proxy but works correctly. If no_proxy does match this host, there is a socket error in QNativeSocketEngine (fourteen levels deep in the call stack) with the error message as described in bug 379539. Both KIO and Qt have done a lot of proxy resolution before this happens.

I'm guessing that, as in your case, if you want maximum possible privacy then you will want all of your network traffic to go through Tor, so having an option to use the same proxy settings as for web browsing will work for you. If you want to use a different proxy then that will complicate things, but maybe it would be possible to set the environment variables when starting Akonadi and any PIM programs - but you'd also have to set KDE_FORK_SLAVES so that the ioslaves used the same. Maybe also possible with port redirection?
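
An added example, not part of the thread and not KDE or Qt code: a plain C++ model (no Qt dependency) of the per-account decision proposed in the task, where a hypothetical `connectViaProxy` option, off by default, stands for the "Advanced" tab check box. The `no_proxy` matching used here (comma-separated entries, `*`, exact or domain-suffix match) is an assumed convention, not Qt's or KIO's parser, and all type and function names are made up for illustration.

```cpp
#include <algorithm>
#include <cctype>
#include <sstream>
#include <string>

enum class Route { Direct, ViaProxy };

struct MailAccount {
    std::string host;
    bool connectViaProxy = false;  // hypothetical per-account option, off by default
};

struct ProxyEnv {
    std::string proxyUrl;  // value of http_proxy; empty when unset
    std::string noProxy;   // value of no_proxy; comma-separated entries
};

// Strip whitespace and lowercase, so " Example.ORG " compares equal to "example.org".
static std::string normalize(std::string s) {
    s.erase(std::remove_if(s.begin(), s.end(),
                           [](unsigned char c) { return std::isspace(c) != 0; }), s.end());
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

// Assumed no_proxy convention (not Qt's or KIO's parser): "*" matches every host;
// "example.org" and ".example.org" match that host and its subdomains only.
bool bypassedByNoProxy(const std::string& host, const std::string& noProxy) {
    const std::string h = normalize(host);
    std::istringstream entries(noProxy);
    std::string entry;
    while (std::getline(entries, entry, ',')) {
        entry = normalize(entry);
        if (entry == "*") return true;
        if (!entry.empty() && entry.front() == '.') entry.erase(0, 1);
        if (entry.empty()) continue;
        if (h == entry) return true;
        const std::string suffix = "." + entry;  // require a label boundary
        if (h.size() > suffix.size() &&
            h.compare(h.size() - suffix.size(), suffix.size(), suffix) == 0) return true;
    }
    return false;
}

Route resolveRoute(const MailAccount& account, const ProxyEnv& env) {
    // Option off: the mail connection goes direct whatever no_proxy says, which is
    // the effect of forcing QNetworkProxy::NoProxy for the POP3/SMTP session.
    if (!account.connectViaProxy) return Route::Direct;
    if (env.proxyUrl.empty()) return Route::Direct;
    return bypassedByNoProxy(account.host, env.noProxy) ? Route::Direct : Route::ViaProxy;
}
```

With the option off, the result never depends on how `no_proxy` is parsed, which is why the explicit override sidesteps the mismatch described in the task.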