SMTP Tunnel Proxy – Fast SMTP‑Based SOCKS5 to Evade DPI
Breach network restrictions with the SMTP Tunnel Proxy, a lightweight Python tool that turns your TCP traffic into legitimate SMTP conversations. This guide walks you through a one‑liner server install, client setup, and configuration best‑practices for secure, high‑speed tunneling. Learn how to authenticate users, enforce IP whitelisting, and troubleshoot common pitfalls while keeping logs under control.
Introduction
In an age where Deep Packet Inspection (DPI) can block web traffic, researchers and privacy advocates need solutions that blend invisibility with performance. The SMTP Tunnel Proxy fills that niche by converting any TCP stream into an SMTP conversation, letting data slip through SMTP‑approved ports (usually 25, 587, or 465). Built in pure Python, it’s quick to deploy and requires no kernel changes.
Problem Statement
- Many corporate and national firewalls filter traffic on port 80/443, blocking HTTPS.
- Traditional VPNs and SSH tunnels are discovered or throttled by DPI.
- Censorship circumvention requires tools that appear innocuous.
Solution: Use the standard SMTP protocol as a cover, leveraging TLS for encryption and standard mail relay ports that firewalls rarely scrutinize.
Architecture Overview
Browser → SOCKS5 Client → SMTP Tunnel Server → Internet
TCP traffic disguised as SMTP over TLS normal outbound
Key components:
- Server – Listens on TCP 587, performs a STARTTLS handshake, then switches to a custom binary protocol.
- Client – A local SOCKS5 proxy (port 1080 by default) that forwards traffic through the server.
- User Layer – Each username gets a unique pre‑shared key, optional IP whitelist, and per‑user logging.
Core Features
| Feature | Description |
|---|---|
| TLS 1.2+ | All data encrypted after STARTTLS |
| DPI Evasion | Handshake mimics real Postfix servers |
| High‑Speed | Binary streaming with minimal overhead |
| Multi‑User | Separate secrets, IP restrictions, logging |
| Automatic Reconnect | Client reconnects on drop |
| One‑liner Install | `curl … |
| Systemd Service | Runs in background and restarts on reboot |
Quick Start Guide
1. Server Setup (Linux VPS)
# 1. Pick a domain pointing at your VPS (DuckDNS, No‑IP, etc.)
# 2. Run the one‑liner installer
curl -sSL https://raw.githubusercontent.com/x011/smtp-tunnel-proxy/main/install.sh | sudo bash
The installer:
- Downloads all required files.
- Asks for your domain name.
- Generates TLS certificates.
- Creates the first user.
- Configures firewall and starts a systemd service.
2. Add Additional Users
sudo smtp-tunnel-adduser alice # creates a ZIP with client config
sudo smtp-tunnel-adduser bob
The ZIP contains client.py, start.sh/.bat, and config.yaml with the user’s secret.
3. Client Setup (Windows/Linux/macOS)
Option A – Easy (recommended)
- Extract the
alice.zipfile. - Run
start.bat(Windows) or./start.sh(Linux/macOS).
Option B – Manual
cd alice
pip install -r requirements.txt
python client.py
The client automatically starts a SOCKS5 listener at 127.0.0.1:1080.
4. Point Your Applications to the SOCKS Proxy
- Browser →
http://127.0.0.1:1080(Firefox, Chrome). - System‑wide → Environment variable
ALL_PROXY=socks5://127.0.0.1:1080. - Test with
curl -x socks5://127.0.0.1:1080 https://ifconfig.me.
Advanced Configuration
- IP Whitelisting – Edit
users.yamland add CIDR blocks under each user. - Logging – Toggle
logging: true/falseper user. - Custom Ports – Change
socks_portorserver_portinconfig.yaml. - Upgrade –
smtp-tunnel-updatesyncs the latest code while preserving config.
Security Recommendations
- Use a domain – TLS certs require a hostname; IP addresses trigger verification errors.
- Keep
ca.crt– Distribute the CA file to clients to avoid MITM. - Restrict IPs – Whitelist known client IPs if feasible.
- Protect
users.yaml– Set file permissions to600. - Disable logging for sensitive users – Prevent log‑leaking.
Troubleshooting FAQ
| Symptom | Likely Cause | Fix |
|---|---|---|
| Connection refused | Server not running | sudo systemctl status smtp-tunnel or `ps aux |
| Auth failed | Secret mismatch | Verify users.yaml; re‑generate user with smtp-tunnel-adduser |
| IP not whitelisted | Current IP not in list | Update users.yaml or remove the whitelist key |
| Certificate verify failed | Using IP, mismatched domain | Ensure server_host matches cert; copy ca.crt |
Conclusion
The SMTP Tunnel Proxy demonstrates that you can build a reliable, high‑speed tunnel that masquerades as legitimate SMTP traffic. Its pure‑Python implementation, straightforward one‑liner Installer, and robust feature set make it an excellent choice for developers, sysadmins, and privacy advocates looking to bypass restrictive networks without complex VPN configuration.
Feel free to fork the repository, contribute enhancements, or adapt it for your own censorship‑circumvention needs. Happy tunneling!