This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

IMAP connections getting blocked by IPS due to dovecot/Pigeon Hole Exploit

I've got 2 sites that users are complaining of intermittent (at best) connection/retrieval of emails. Checking the logs it is full of IPS blocks due to dovecot/pigeon hole remote code exploits.

The firewall log also has numerous entries of blocks of invalid traffic unable to match packet to connection and invalid TCP RST

Signatures

Detect

LAN user

External mail server

2300999

PROTOCOL-IMAP Dovecot and Pigeonhole Remote Code Execution Vulnerability

protocol-imap

Invalid Traffic

Denied

Port8

[LAN user]

[External mail server]

43182

143

TCP

01001

Open PCAP

Invalid TCP RST.

Invalid Traffic

Denied

Port8

[LAN User]

[External mail server]

43078

143

TCP

01001

Open PCAP

Could not associate packet to any connection.

It seems to come down to the default(?) IPS Policy lantowan_general and its single entry Migrate_def_filter_3 which has(amongst others).

PROTOCOL-IMAP Dovecot and Pigeonhole Remote Code Execution Vulnerability

2300999

protocol-imap

1 - Critical

Windows, Linux

Server

Drop packet

Interestingly in the IPS log it looks like the server is the victim rather than the clients. The clients range from windows 10, mac os, ipads, iphones.

log_type="IDP"
log_component="Signatures"
log_subtype="Detect"
ips_policy=""
ips_policy_id="0"
fw_rule_id="0"
user=""
sig_id="2300999"
message="PROTOCOL-IMAP Dovecot and Pigeonhole Remote Code Execution Vulnerability"
classification="Unknown"
rule_priority="1"
src_ip="[LAN client]"
src_country="R1"
dst_ip="[Ext mail server]"
dst_country="USA"
protocol="TCP"
src_port="45780"
dst_port="143"
OS="Linux,Windows"
category="protocol-imap"
victim="Server"

This thread was automatically locked due to age.

0 JerryPlagge over 5 years ago in reply to rfcat_vk

Yes, I have this issue with my personal ISP. I use it to host my personal email addresses to avoid all the issues that come with the convenience and price of the "free" email services.

I'm thinking the exception is the only way this will work at this point.
Cancel
Vote Up 0 Vote Down

Cancel
0 JerryPlagge over 5 years ago in reply to JerryPlagge

I found the solution. I kinda stumbled on it after an hour.

I was playing with this, using multiple accounts and using two mail clients (thunderbird & the built-in mail client for Win10). Eventually I hit a certificate error when using the Win10 client. I clicked the dreaded "continue" button which we tell our users to NEVER do and it worked.

So, then I simply downloaded the XG Appliance Cert and imported into Thunderbird. I think this fixed my problem but we'll see.

Mail is working but I will let you know if the alerts stop.
Cancel
Vote Up 0 Vote Down

Cancel
0 rfcat_vk over 5 years ago in reply to JerryPlagge

Hi,

well done.

The reason my issue re-occured is that I don't have mail scanning working at the moment. I am waiting for MR-1 update so I can restore the mail scanning setup.

Ian
Cancel
Vote Up 0 Vote Down

Cancel
0 JerryPlagge over 5 years ago in reply to rfcat_vk

I removed my "suggest as answer". My problem is back the next day. Sigh.

(I turned on my FW rule for bypassing this and my mail flowed just fine.)
Cancel
Vote Up 0 Vote Down

Cancel
0 JerryPlagge over 5 years ago in reply to JerryPlagge

Has anyone created a support ticket for this?
Cancel
Vote Up 0 Vote Down

Cancel
0 GregBuff over 5 years ago in reply to JerryPlagge

I haven't as it got put in the back burner after putting the exception rule in. I do remember having intermittent flow, though it was usually not working unless connected via other means, not via Sophos!
Cancel
Vote Up 0 Vote Down

Cancel