hello great firewall

joeyh at

I'm in the public library, in the USA, and outgoing SMTP connections are MITM'd, and STARTTLS is filtered out.


joey@darkstar:~>telnet smtp
Connected to
Escape character is '^]'.
220 ESMTP Postfix (Debian/GNU)
500 Syntax error, command unrecognized

Compare with the same command run from elsewhere.

Amazing. I don't know where to start. Well, other than configuring my laptop's MTA to force use of TLS so this downgrade attack doesn't work, and bringing up my ipv6 tunnel or tor to bypass this.

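The mitigation named in the post above (force TLS, so a filtered STARTTLS stops delivery instead of silently falling back to plaintext), as an added example that is not part of the original post or its replies. The function names, `laptop.example`, `mail.example` and the three server transcripts are constructed for illustration.

```python
import io

class TLSDowngradeError(Exception):
    """STARTTLS is unavailable on this path; no mail command was sent."""

def read_reply(rfile):
    """Read one SMTP reply, multi-line form included; return (code, texts)."""
    texts = []
    while True:
        line = rfile.readline().decode("ascii", "replace").rstrip("\r\n")
        if not line[:3].isdigit():
            raise ConnectionError("malformed or truncated reply: %r" % line)
        texts.append(line[4:])
        if line[3:4] != "-":  # "250-x" continues, "250 x" ends the reply
            return int(line[:3]), texts

def require_starttls(rfile, wfile, helo_name="laptop.example"):
    """Plaintext half of the dialogue: raise unless STARTTLS is offered and
    accepted. On success the caller wraps the socket in TLS and verifies the
    server certificate before sending anything else."""
    def send(cmd):
        wfile.write(cmd + b"\r\n")
        wfile.flush()
    if read_reply(rfile)[0] != 220:
        raise ConnectionError("no 220 greeting")
    send(b"EHLO " + helo_name.encode("ascii"))
    code, texts = read_reply(rfile)
    if code != 250:
        raise ConnectionError("EHLO refused: %d" % code)
    # texts[0] is the server's greeting; the rest are extension keywords.
    keywords = {t.split()[0].upper() for t in texts[1:] if t.split()}
    if "STARTTLS" not in keywords:
        raise TLSDowngradeError("STARTTLS not advertised")
    send(b"STARTTLS")
    code, texts = read_reply(rfile)
    if code != 220:
        raise TLSDowngradeError("STARTTLS rejected: %d %s" % (code, texts[-1]))

# Constructed server replies (not captured from the post); names are placeholders.
CLEAN = (b"220 mail.example ESMTP\r\n250-mail.example\r\n250-PIPELINING\r\n"
         b"250 STARTTLS\r\n220 2.0.0 Ready to start TLS\r\n")
STRIPPED = b"220 mail.example ESMTP\r\n250-mail.example\r\n250 PIPELINING\r\n"
REJECTED = (b"220 mail.example ESMTP\r\n250-mail.example\r\n250 STARTTLS\r\n"
            b"500 Syntax error, command unrecognized\r\n")

def probe(server_bytes):
    """Replay server bytes; return (verdict, bytes the client wrote)."""
    out = io.BytesIO()
    try:
        require_starttls(io.BytesIO(server_bytes), out)
        return "ok", out.getvalue()
    except TLSDowngradeError as exc:
        return str(exc), out.getvalue()
```

Against a real server, pass `sock.makefile("rwb")` as both `rfile` and `wfile`. Postfix applies the same policy to outgoing mail with `smtp_tls_security_level = encrypt`.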

This kind of problem is one of the reasons we ( and the FFDN federation, are building alternative and associative Internet Service Providers. We propose to the users to assemble in small ISPs they control by their votes as members and not paying as clients.

Our first project in Neutrinet is to give users a box like the Freedombox with a VPN connection, so it cleans up a dirty and spied-over internet connection by a commercial ISP...

[edit] we have tested this method against the Great Firewall of China with success ;)

olm-e at 2015-03-03T13:48:57Z


this is not a case of some web wall requiring you to go to some webpage and "login" before you can truly hit the outside Internet?

David "Judah's Shadow" Blue at 2015-03-03T20:22:17Z

ssh tunnel to port 25 if you have ssh access to the server. Bit of a PITA having to bring up the tunnel all the time. But it is what I do on my mobile devices.

Freemor at 2015-06-04T14:02:39Z

I've found $employer doing similar things, but rather than not allowing TLS they MITM it. Fortunately it's easy to detect since my computer doesn't trust the in-house CA.

Jason Self at 2015-06-04T17:19:52Z
