
There is a bug in the email imap proxy

Every so often I get timeout errors on both ISP email accounts using IMAPS. At the same time Outlook throws certificate errors. If I wait a while, the error self-heals. No, it is not a network connection; speed tests show 50/20mbs. I would not mind so much if I was fiddling at the time, but I was elsewhere annoying weeds.

Why am I so sure it is the XG mail proxy? Because I have another rule which does not use the mail proxy for the iPhones and iPads, and they do not have an issue connecting and collecting messages.

Ian



  • Did you already check the warren.log in this timeframe?

    It is also possible to keep warren in Debug and check it afterwards. 

  • Hi MBP,

    A restore fixed the problem for the moment. Next time I will review the warren.log when I am not under pressure to get it fixed because the tickets for the night's concert are stuck.

    Ian

  • Will check this tomorrow in the Bug Database. 

     

    Seems like some kind of issue with the certificate store.

     

    You always find some relation to the certificate. 

    DEBUG Sep 26 08:32:24 [4124048192]: certificate for CN('imap.gmail.com') found in cache
    INFO Sep 26 08:32:24 [4124048192]: SSL_accept() failed: error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac

    You guys imported the correct CA in your mail clients, correct? 

  • Hi MBP,

    Yes, I did on both MBPs, and the issue is that you can be working fine for days, then suddenly your certificate has lost trust and the IMAP connection times out. Mine has again this morning.

    Ian

  • Hey Shred,

    Are you using Mojave or High Sierra? I just found two new untrusted certificates in my Mojave, for which I have updated the trust, and that seems to have cleared my mail issue of that moment. The error cleared as soon as I trusted both certificates.

    Ian

     

    Too soon, came back at the next automatic check for mail.

  • I imported the Sophos SSL certificate into MacOS Keychain Access under the "Systems" Keychain. I have no issues browsing websites using Safari (HTTPS decryption & scanning are enabled) and the majority of the time, I don't have issues with my email either (using the official Mail application that comes with MacOS). This mail issue with IMAP just randomly occurs and sometimes it will start working after a few minutes and other times I have to wait a while (hour+) before it starts working again. I'm now using MacOS Mojave on my iMac and MacOS High Sierra on my MacBook Air. This issue also occurs on my iOS devices.

  • Basically the same here, except the iOS devices do not use HTTPS scanning. The issue comes and goes and I suspect it is the same issue as identified by another thread about the DNS cache failing. Very frustrating. Mine has become worse since upgrading to MR3. 

    Ian

  • Hi,

    I cannot find any hint of a bug ID for this issue. 

    Are both of you using XG Home? 

    So we could try some kind of debugging without any problem? 

    I would like to see in a dump what the proxy is doing when this happens. 

    Also, can you tell me which kind of appliances you use? Hardware / Software? 

  • Just sent you a message with a few hundred lines from my warren.log with everything functioning correctly.

    I am using Sophos XG Home. I was on 17.1.2 MR-2 and I just upgraded to 17.1.3 MR-3.

    I'm running Sophos XG on a Qotom Q335G4 (bare metal install).

  • Hi MBP,

    I am using a server motherboard with 4 Intel NICs, 8 GB RAM and an E3-1225 v5 with an SSD. I can swap it out for a J1900 motherboard.

    Both mine and my wife's mail are broken at the moment, 2 different mail clients.

    Ian

  • Please perform a dump.

     

    Go to the Advanced Shell.

    tcpdump -ni WAN_interface host IP_OF_MAILserver -s0 -b -w /tmp/mail.pcap

    And try it again. 

    Then stop the dump with Ctrl + C.

    And download the dump (use PSCP: https://community.sophos.com/kb/en-us/127647).

    I assume XG tries to build up a connection to the mail server and the TLS handshake does not work. 

    Basically this should be visible in Wireshark. 

    Can you send me screenshots? Maybe via PM. 

  • Hi MBP,

    Do I need to put the address of the WAN interface in the command? Otherwise I get a syntax error.

    Ian
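
For reviewing warren.log after an outage, as suggested earlier in the thread, the following added example (not from any poster or from Sophos) pairs each `SSL_accept() failed` line with the certificate CN last seen on the same bracketed id and counts failures per hour. The line layout is inferred from the two log lines quoted above, and treating the bracketed number as a per-worker id is an assumption.

```python
import re
from collections import Counter

# Layout inferred from the two warren.log lines quoted in the thread:
#   LEVEL Mon DD HH:MM:SS [id]: message
LINE = re.compile(r"^(?P<level>[A-Z]+) (?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
                  r"\[(?P<tid>\d+)\]: (?P<msg>.*)$")
CN_HIT = re.compile(r"certificate for CN\('(?P<cn>[^']+)'\) found in cache")
ACCEPT_FAIL = re.compile(r"SSL_accept\(\) failed: (?P<err>.+)$")

def summarize(lines):
    """Return (failures, per_hour): each SSL_accept() failure with the CN last
    seen on the same bracketed id, and a failure count per clock hour."""
    last_cn = {}   # bracketed id -> CN; assumes the id identifies one worker
    failures, per_hour = [], Counter()
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue                      # blank or differently shaped line
        hit = CN_HIT.search(m["msg"])
        if hit:
            last_cn[m["tid"]] = hit["cn"]
            continue
        fail = ACCEPT_FAIL.search(m["msg"])
        if fail:
            failures.append({
                "ts": m["ts"],
                "cn": last_cn.get(m["tid"], "unknown"),
                "reason": fail["err"].rsplit(":", 1)[-1],  # last OpenSSL field
            })
            per_hour[m["ts"][:-6]] += 1   # "Sep 26 08:32:24" -> "Sep 26 08"
    return failures, per_hour

# First two lines are the ones quoted in the thread; the rest are constructed.
SAMPLE = """\
DEBUG Sep 26 08:32:24 [4124048192]: certificate for CN('imap.gmail.com') found in cache
INFO Sep 26 08:32:24 [4124048192]: SSL_accept() failed: error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
INFO Sep 26 09:05:10 [4123000000]: SSL_accept() failed: error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
DEBUG Sep 26 09:05:41 [4124048192]: certificate for CN('imap.example.net') found in cache
INFO Sep 26 09:05:41 [4124048192]: SSL_accept() failed: error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
"""

if __name__ == "__main__":
    failures, per_hour = summarize(SAMPLE.splitlines())
    for f in failures:
        print(f["ts"], f["cn"], f["reason"])
    for hour, n in sorted(per_hour.items()):
        print(hour, n)
```

Comparing the per-hour counts with the times the mail clients reported certificate or timeout errors shows whether the client-side symptoms line up with handshake failures logged by the proxy.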
