AI Hub Icon
AIBit Discover Open Source Projects
Home / Practical Open Source Projects

SMTP Tunnel Proxy – Fast SMTP‑Based SOCKS5 to Evade DPI

January 25, 2026
Category: Practical Open Source Projects
Tags:
Open Source Python SMTP Tunnel DPI Bypass SOCKS5 Proxy

Introduction

In an age where Deep Packet Inspection (DPI) can block web traffic, researchers and privacy advocates need solutions that blend invisibility with performance. The SMTP Tunnel Proxy fills that niche by converting any TCP stream into an SMTP conversation, letting data slip through SMTP‑approved ports (usually 25, 587, or 465). Built in pure Python, it’s quick to deploy and requires no kernel changes.

Problem Statement

  • Many corporate and national firewalls filter traffic on port 80/443, blocking HTTPS.
  • Traditional VPNs and SSH tunnels are discovered or throttled by DPI.
  • Censorship circumvention requires tools that appear innocuous.

Solution: Use the standard SMTP protocol as a cover, leveraging TLS for encryption and standard mail relay ports that firewalls rarely scrutinize.

Architecture Overview

Browser   →   SOCKS5 Client   →   SMTP Tunnel Server   →   Internet
     TCP traffic   disguised as SMTP   over TLS   normal outbound

Key components: * Server – Listens on TCP 587, performs a STARTTLS handshake, then switches to a custom binary protocol. * Client – A local SOCKS5 proxy (port 1080 by default) that forwards traffic through the server. * User Layer – Each username gets a unique pre‑shared key, optional IP whitelist, and per‑user logging.

Core Features

Feature Description
TLS 1.2+ All data encrypted after STARTTLS
DPI Evasion Handshake mimics real Postfix servers
High‑Speed Binary streaming with minimal overhead
Multi‑User Separate secrets, IP restrictions, logging
Automatic Reconnect Client reconnects on drop
One‑liner Install curl … | sudo bash
Systemd Service Runs in background and restarts on reboot

Quick Start Guide

1. Server Setup (Linux VPS)

# 1. Pick a domain pointing at your VPS (DuckDNS, No‑IP, etc.)
# 2. Run the one‑liner installer
curl -sSL https://raw.githubusercontent.com/x011/smtp-tunnel-proxy/main/install.sh | sudo bash
The installer: * Downloads all required files. * Asks for your domain name. * Generates TLS certificates. * Creates the first user. * Configures firewall and starts a systemd service.

2. Add Additional Users

sudo smtp-tunnel-adduser alice   # creates a ZIP with client config
sudo smtp-tunnel-adduser bob
The ZIP contains client.py, start.sh/.bat, and config.yaml with the user’s secret.

3. Client Setup (Windows/Linux/macOS)

Option A – Easy (recommended) 1. Extract the alice.zip file. 2. Run start.bat (Windows) or ./start.sh (Linux/macOS).

Option B – Manual 

cd alice
pip install -r requirements.txt
python client.py
The client automatically starts a SOCKS5 listener at 127.0.0.1:1080.

4. Point Your Applications to the SOCKS Proxy

  • Browser → http://127.0.0.1:1080 (Firefox, Chrome).
  • System‑wide → Environment variable ALL_PROXY=socks5://127.0.0.1:1080.
  • Test with curl -x socks5://127.0.0.1:1080 https://ifconfig.me.

Advanced Configuration

  • IP Whitelisting – Edit users.yaml and add CIDR blocks under each user.
  • Logging – Toggle logging: true/false per user.
  • Custom Ports – Change socks_port or server_port in config.yaml.
  • Upgradesmtp-tunnel-update syncs the latest code while preserving config.

Security Recommendations

  1. Use a domain – TLS certs require a hostname; IP addresses trigger verification errors.
  2. Keep ca.crt – Distribute the CA file to clients to avoid MITM.
  3. Restrict IPs – Whitelist known client IPs if feasible.
  4. Protect users.yaml – Set file permissions to 600.
  5. Disable logging for sensitive users – Prevent log‑leaking.

Troubleshooting FAQ

Symptom Likely Cause Fix
Connection refused Server not running sudo systemctl status smtp-tunnel or ps aux | grep server.py
Auth failed Secret mismatch Verify users.yaml; re‑generate user with smtp-tunnel-adduser
IP not whitelisted Current IP not in list Update users.yaml or remove the whitelist key
Certificate verify failed Using IP, mismatched domain Ensure server_host matches cert; copy ca.crt

Conclusion

The SMTP Tunnel Proxy demonstrates that you can build a reliable, high‑speed tunnel that masquerades as legitimate SMTP traffic. Its pure‑Python implementation, straightforward one‑liner Installer, and robust feature set make it an excellent choice for developers, sysadmins, and privacy advocates looking to bypass restrictive networks without complex VPN configuration.

Feel free to fork the repository, contribute enhancements, or adapt it for your own censorship‑circumvention needs. Happy tunneling!

Original Article: View Original

Share this article