IMAP connections getting blocked by IPS due to dovecot/Pigeon Hole Exploit

Hi GregBuff,

I am seeing the same "attack" but only on my wife's MBP outlook account. The IPS shows the victim as being the client server?.

• messageid="07001"
• log_type="IDP"
• log_component="Signatures"
• log_subtype="Detect"
• ips_policy=""
• ips_policy_id="11"
• fw_rule_id="12"
• user="magdalenas-mbp"
• sig_id="1190508052"
• message="SERVER-MAIL Dovecot Submission-Login Service NULL Pointer Dereference"

• classification="Misc Attack"
• rule_priority="1"
• src_ip="1.159.35.204"
• src_country="AUS"
• dst_ip="203.0.178.192"
• dst_country="AUS"
• protocol="TCP"
• src_port="40420"
• dst_port="587"
• OS="Windows"

• category="server-mail"
• victim="Client"

Ian

Hi Ian

That is interesting, glad someone else has similar entries.

Does your traffic get blocked? These clients end up using mobile data for their phones but eventually the other devices are let through, but it can be days later.

Cheers

Greg

Hi Greg,

I haven't seen any log entries since the 4th May my time. 

Something has gone wrong with the XG auto-updates of patterns. I had to force a manual update (0800 appprox) and only received a new IPS (dated 0345), the anti-virus have not updated since yesterday afternoon.

At the moment my MBP is having a very hard time with mail connections and showing strange ports, though the iPad and iPhone appear to be working okay.

My wife's outlook account is stuck on sync pending, but nothin in the XG logs.

I am also seeing a very high IPS count in the GUI, abut again nothing in the logs.

My mail is now working okay, not sure what is going on?

Ian

Hi Ian

My patterns are up to date and just did a manual check and no change.

Where do you get those versions? They seem very different to mine.

Do your iPad/iPhone switch to mobile data if unable to connect via wifi?

When I log into Central the are hundreds of imap attacks, all against the mail server. Numbers vary between devices, obviously some are used more than others and must therefore retry more often.

My current work around is a firewall rule above my normal LAN>WAN rule that allows any zone, any net to any zone, any net, with only email services (manually configured entry with the usual ports) and IPS is not selected, or any other feature for that matter.

I picked this up (and whitelisted/bypassed) pretty early at one site but hadnt had any complaints at the second site - slow and late must have been good enough! It was only when I was extending the wifi with some APX120s that it was mentioned amongst the connectivity issues.

Hi Greg,

here is my version taken a couple of minutes ago.

The interesting thing about this is the iPad which uses the same firewall rule as the MBPs did not have an issue. I eventually was able to ge try wife's outlook working after having to force quit and then restarted without any further errors. 

I have not seen any entries in the IPS log since the 4th May. My IPS count is still growing and I have no idea why?

Ian

Hi Greg,

after the IPS update the strange port translations stopped, not just  on mail but other non Apple devices.

Still no AV updates.

Ian

I am in the middle of a network overhaul.  I'm moving from my Sophos UTM and some crappy access points to using a new XG and three APX120.  IMAP mail is not working to my personal ISP mail server.  I'm getting the dovecot attack errors.

The irony is that I am having to use my web browser to read Sophos support emails regarding an issue on one of my APX120 devices.  I cannot use a mail client to read the the replies.

At this point I'm about to do an exception for it to work my one machine unless I found a solution.

Please let me know how you go.

I've got an exemption but I feel like it should be fixed rather than ignored.

Hi,

found the issue returned on the 19th of May after a long break from the 4th of May. The issue only occurs agains one ISP mail server on my wife's MBP running outlook. The issue does not occur when running macmail.

Ian

Hi,

found the issue returned on the 19th of May after a long break from the 4th of May. The issue only occurs agains one ISP mail server on my wife's MBP running outlook. The issue does not occur when running macmail.

Ian

Hi folks,

some further thoughts, my XG is currently running v18.0.0 354 with hotfix and the issue with IPS issue appears to have started the day I rolled back from v18.0.1 with hotfixes.

Ian

Yes, I have this issue with my personal ISP.  I use it to host my personal email addresses to avoid all the issues that come with the convenience and price of the "free" email services.

I'm thinking the exception is the only way this will work at this point.

I found the solution.  I kinda stumbled on it after an hour.

I was playing with this, using multiple accounts and using two mail clients (thunderbird & the built-in mail client for Win10).  Eventually I hit a certificate error when using the Win10 client.  I clicked the dreaded "continue" button which we tell our users to NEVER do and it worked.

So, then I simply downloaded the XG Appliance Cert and imported into Thunderbird.  I think this fixed my problem but we'll see.

Mail is working but I will let you know if the alerts stop.

Hi, 

well done.

The reason my issue re-occured is that I don't have mail scanning working at the moment. I am waiting for MR-1 update so I can restore the mail scanning setup.

Ian

I removed my "suggest as answer".  My problem is back the next day.  Sigh.

(I turned on my FW rule for bypassing this and my mail flowed just fine.)

Has anyone created a support ticket for this?

I haven't as it got put in the back burner after putting the exception rule in. I do remember having intermittent flow, though it was usually not working unless connected via other means, not via Sophos!