IMAP connections getting blocked by IPS due to dovecot/Pigeon Hole Exploit

Hi

I've got 2 sites that users are complaining of intermittent (at best) connection/retrieval of emails. Checking the logs it is full of IPS blocks due to dovecot/pigeon hole remote code exploits.

The firewall log also has numerous entries of blocks of invalid traffic unable to match packet to connection and invalid TCP RST

Signatures / Detect: [LAN user] -> [External mail server], sig_id 2300999, PROTOCOL-IMAP Dovecot and Pigeonhole Remote Code Execution Vulnerability, protocol-imap

Invalid Traffic / Denied: 8, Port8, [LAN user]:43182 -> [External mail server]:143 TCP, 1, 01001, Invalid TCP RST.

Invalid Traffic / Denied: 0, Port8, [LAN User]:43078 -> [External mail server]:143 TCP, 0, 01001, Could not associate packet to any connection.

It seems to come down to the default(?) IPS Policy lantowan_general and its single entry Migrate_def_filter_3 which has (amongst others):

PROTOCOL-IMAP Dovecot and Pigeonhole Remote Code Execution Vulnerability (2300999), protocol-imap, 1 - Critical, Windows, Linux, Server, Drop packet

Interestingly, in the IPS log it looks like the server is the victim rather than the clients. The clients range from Windows 10, macOS, iPads and iPhones.

log_type="IDP"
log_component="Signatures"
log_subtype="Detect"
ips_policy=""
ips_policy_id="0"
fw_rule_id="0"
user=""
sig_id="2300999"
message="PROTOCOL-IMAP Dovecot and Pigeonhole Remote Code Execution Vulnerability"
classification="Unknown"
rule_priority="1"
src_ip="[LAN client]"
src_country="R1"
dst_ip="[Ext mail server]"
dst_country="USA"
protocol="TCP"
src_port="45780"
dst_port="143"
OS="Linux,Windows"
category="protocol-imap"
victim="Server"
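Added example (not from the original post or from Sophos): a small parser for the key="value" IDP log layout quoted above, which groups Detect events per signature and destination and flags a signature that fires from several distinct LAN clients against the same mail server as a candidate for review rather than an intrusion. The sample lines, addresses and the review threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample events in the key="value" layout of the Sophos XG IDP log quoted above.
# Addresses, ports and the non-IDP line are placeholders, not the posters' real log data.
SAMPLE_LOG = """
log_type="IDP" log_subtype="Detect" sig_id="2300999" message="PROTOCOL-IMAP Dovecot and Pigeonhole Remote Code Execution Vulnerability" src_ip="10.0.0.21" dst_ip="198.51.100.10" dst_port="143" victim="Server"
log_type="IDP" log_subtype="Detect" sig_id="2300999" message="PROTOCOL-IMAP Dovecot and Pigeonhole Remote Code Execution Vulnerability" src_ip="10.0.0.33" dst_ip="198.51.100.10" dst_port="143" victim="Server"
log_type="IDP" log_subtype="Detect" sig_id="2300999" message="PROTOCOL-IMAP Dovecot and Pigeonhole Remote Code Execution Vulnerability" src_ip="10.0.0.47" dst_ip="198.51.100.10" dst_port="143" victim="Server"
log_type="IDP" log_subtype="Detect" sig_id="1190508052" message="SERVER-MAIL Dovecot Submission-Login Service NULL Pointer Dereference" src_ip="10.0.0.21" dst_ip="198.51.100.20" dst_port="587" victim="Client"
log_type="Firewall" log_subtype="Denied" src_ip="10.0.0.21" dst_ip="198.51.100.10" dst_port="143" message="Invalid TCP RST."
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_idp_line(line):
    """Turn one key="value" log line into a dict (empty for lines with no fields)."""
    return dict(KV_RE.findall(line))

def summarize_detects(text):
    """Group IDP Detect events by (sig_id, dst_ip, dst_port): hit count, distinct clients."""
    groups = defaultdict(lambda: {"hits": 0, "clients": set(), "message": "", "victim": ""})
    for raw in text.splitlines():
        ev = parse_idp_line(raw)
        if ev.get("log_type") != "IDP" or ev.get("log_subtype") != "Detect":
            continue  # firewall "Invalid Traffic" rows are not signature hits
        g = groups[(ev["sig_id"], ev["dst_ip"], ev["dst_port"])]
        g["hits"] += 1
        g["clients"].add(ev["src_ip"])
        g["message"], g["victim"] = ev["message"], ev["victim"]
    return groups

MAIL_PORTS = {"25", "143", "465", "587", "993"}

def review_candidates(groups, min_clients=2):
    """Assumed triage heuristic, not a Sophos feature: one signature firing from several
    distinct LAN clients against the same mail server looks like normal client traffic
    matching the rule, so it is queued for review/exemption instead of treated as an attack."""
    out = []
    for (sig_id, dst_ip, dst_port), g in groups.items():
        if dst_port in MAIL_PORTS and len(g["clients"]) >= min_clients:
            out.append((sig_id, dst_ip, dst_port, len(g["clients"]), g["hits"]))
    return sorted(out)

if __name__ == "__main__":
    for row in review_candidates(summarize_detects(SAMPLE_LOG)):
        print("review: sig %s -> %s:%s, %d clients, %d hits" % row)
```

Feed it the real IDP log export instead of SAMPLE_LOG; entries that only ever come from one client and one server, like the port 587 hit above, stay out of the review list.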

  • Hi GregBuff,

    I am seeing the same "attack" but only on my wife's MBP Outlook account. The IPS shows the victim as being the client server?

    • messageid="07001"
    • log_type="IDP"
    • log_component="Signatures"
    • log_subtype="Detect"
    • ips_policy=""
    • ips_policy_id="11"
    • fw_rule_id="12"
    • user="magdalenas-mbp"
    • sig_id="1190508052"
    • message="SERVER-MAIL Dovecot Submission-Login Service NULL Pointer Dereference"
    • classification="Misc Attack"
    • rule_priority="1"
    • src_ip="1.159.35.204"
    • src_country="AUS"
    • dst_ip="203.0.178.192"
    • dst_country="AUS"
    • protocol="TCP"
    • src_port="40420"
    • dst_port="587"
    • OS="Windows"
    • category="server-mail"
    • victim="Client"

     

    Ian

  • Hi Ian

    That is interesting, glad someone else has similar entries.

    Does your traffic get blocked? These clients end up using mobile data for their phones but eventually the other devices are let through, but it can be days later.

    Cheers

    Greg

  • Hi Greg,

    here is my version taken a couple of minutes ago.

    The interesting thing about this is the iPad, which uses the same firewall rule as the MBPs, did not have an issue. I eventually was able to get my wife's Outlook working after having to force quit and then restart without any further errors.

    I have not seen any entries in the IPS log since the 4th May. My IPS count is still growing and I have no idea why?

    Ian

  • Hi Greg,

    after the IPS update the strange port translations stopped, not just on mail but other non-Apple devices.

    Still no AV updates.

    Ian

  • I am in the middle of a network overhaul.  I'm moving from my Sophos UTM and some crappy access points to using a new XG and three APX120.  IMAP mail is not working to my personal ISP mail server.  I'm getting the dovecot attack errors.

    The irony is that I am having to use my web browser to read Sophos support emails regarding an issue on one of my APX120 devices.  I cannot use a mail client to read the replies.

    At this point I'm about to do an exception for it to work on my one machine unless I find a solution.

  • Please let me know how you go.

    I've got an exemption but I feel like it should be fixed rather than ignored.

  • Hi,

    found the issue returned on the 19th of May after a long break from the 4th of May. The issue only occurs against one ISP mail server on my wife's MBP running Outlook. The issue does not occur when running macmail.

    Ian

  • Hi folks,

    some further thoughts: my XG is currently running v18.0.0 354 with hotfix, and the IPS issue appears to have started the day I rolled back from v18.0.1 with hotfixes.

    Ian

  • Yes, I have this issue with my personal ISP.  I use it to host my personal email addresses to avoid all the issues that come with the convenience and price of the "free" email services.

    I'm thinking the exception is the only way this will work at this point.

  • I found the solution.  I kinda stumbled on it after an hour.

    I was playing with this, using multiple accounts and using two mail clients (Thunderbird & the built-in mail client for Win10).  Eventually I hit a certificate error when using the Win10 client.  I clicked the dreaded "continue" button which we tell our users to NEVER do and it worked.

    So, then I simply downloaded the XG Appliance Cert and imported into Thunderbird.  I think this fixed my problem but we'll see.

    Mail is working but I will let you know if the alerts stop.

  • Hi, 

    well done.

    The reason my issue reoccurred is that I don't have mail scanning working at the moment. I am waiting for the MR-1 update so I can restore the mail scanning setup.

    Ian

  • I removed my "suggest as answer".  My problem is back the next day.  Sigh.

    (I turned on my FW rule for bypassing this and my mail flowed just fine.)
