Hi community,
We've experienced again the problem that e-mails with attachments bigger than 1MB are blocked by the WAF. We had this problem about two years ago and already set the limits via the advanced shell. We did the same thing as described in this post: Solution: Sophos Firewall WAF E-Mail Stuck because attachement size.
Here are our settings to set a limit of 20MB for both "Exchange 2019..." rules:
psql -U nobody -d corporate -c "update tblwafsecurityprofile set sec_request_body_no_files_limit=20971520 where id=9 or id=10;"
opcode waf_reconfig -t json -b '{"Entity": "waf_advanced_config", "Event": "UPDATE"}' -ds nosync
psql -U nobody -d corporate -c "select name,id,sec_request_body_no_files_limit from tblwafsecurityprofile;"
name | id | sec_request_body_no_files_limit
-------------------------------------+----+---------------------------------
Microsoft Lync | 4 | 1048576
Microsoft RDG 2008 | 5 | 1048576
Microsoft RD Web 2008 | 6 | 1048576
Exchange Outlook Anywhere | 3 | 1048576
Protection Policy Mitarbeiterportal | 7 | 1048576
Exchange AutoDiscover | 1 | 1048576
Protection Policy PRTG | 8 | 1048576
Exchange 2019 Webservices | 9 | 20971520
Exchange 2019 Autodiscover | 10 | 20971520
Exchange General | 2 | 1048576
(10 rows)
But the WAF is still blocking incoming mails from mobile phones. We used an iPhone for testing and a mail with a 9MB *.mov file as attachment. We analyzed the log files with Sophos Support and saw this output:
ModSecurity: Warning. Pattern match "(?:get|post|head|options|connect|put|delete|trace|track|patch|propfind|propatch|mkcol|copy|move|lock|unlock)\\\\s+(?:\\\\/|\\\\w)[^\\\\s]*(?:\\\\s+http\\\\/\\\\d|[\\\\r\\\\n])" at REQUEST_BODY. [file "/usr/apache/conf/waf/rules/REQUEST-921-PROTOCOL-ATTACK.conf"] [line "53"] [id "921110"] [msg "HTTP Request Smuggling Attack"]
and
response_code="403" reason="WAF Anomaly" extra="Inbound Anomaly Score Exceeded (Total Score: 5)" content_type="text/html" user_agent="Apple-iPhone14C2/2004.67" response_time="13366484" bytes_sent="4669" bytes_received="13125842"
Sophos Support told us:
"Please try to bypass this filter by following this KBA and check after that: https://support.sophos.com/support/s/article/KB-000035562?language=en_US."
If we skip rule 921110, the mail is sent. But just skipping security checks can't be the solution when the real problem is that the WAF is interpreting this traffic totally wrong, and this makes us vulnerable to attacks.
We didn't have this issue with the 19.0 build. If we skip security checks on every error, we could basically just turn off the firewall.
Is anybody else facing this problem or having a solution?
I will share new information from Sophos support in this thread.
Thank you
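Added example (not from the post or from Sophos): a small Python model of what the quoted log lines describe. It applies the 921110 pattern from the ModSecurity log (de-escaped, since the log doubles every backslash) to a request body byte-for-byte, scores a hit with the CRS CRITICAL weight of 5 against the default inbound threshold of 5 (which is exactly the "Total Score: 5" in the log), and shows why an unencoded attachment can trip the rule: any method word followed by whitespace, a slash or word character and a line break anywhere in the bytes is enough. It also models the narrower alternative to disabling the rule globally, a rule exclusion scoped to one path; the path `/Microsoft-Server-ActiveSync` is an assumption, as the thread does not say which Exchange endpoint the iPhone used.

```python
import re

# CRS rule 921110's pattern, taken from the ModSecurity log line in the post
# with the log's doubled backslashes collapsed. CRS applies it to the request
# body case-insensitively and treats a match as a CRITICAL-severity hit.
RULE_921110 = re.compile(
    r"(?:get|post|head|options|connect|put|delete|trace|track|patch|"
    r"propfind|propatch|mkcol|copy|move|lock|unlock)\s+(?:/|\w)[^\s]*"
    r"(?:\s+http/\d|[\r\n])",
    re.IGNORECASE,
)

CRITICAL_SCORE = 5      # CRS weight of one CRITICAL rule hit
INBOUND_THRESHOLD = 5   # CRS default inbound anomaly threshold (paranoia level 1)

# Per-location rule exclusions, constructed for this example. The ActiveSync
# path is an assumption; the thread names no endpoint.
EXCLUSIONS = {
    "/Microsoft-Server-ActiveSync": {921110},
}


def evaluate(path: str, body: bytes, exclusions=None) -> dict:
    """Score one request body the way the CRS anomaly model would.

    Returns the rule hits, the total inbound score and whether the
    request would be blocked (score >= threshold).
    """
    exclusions = EXCLUSIONS if exclusions is None else exclusions
    skipped = exclusions.get(path, set())
    # latin-1 maps each byte to one code point, so attachment bytes are
    # matched byte-for-byte, as ModSecurity does on REQUEST_BODY.
    text = body.decode("latin-1")
    hits = []
    if 921110 not in skipped:
        m = RULE_921110.search(text)
        if m:
            hits.append((921110, m.group(0)))
    score = CRITICAL_SCORE * len(hits)
    return {"path": path, "hits": hits, "score": score,
            "blocked": score >= INBOUND_THRESHOLD}


# Constructed sample bodies.
CLEAN_FORM = b"user=alice&action=list"
# A body that really carries a second request line: the case 921110 exists for.
SMUGGLED = b"foo=bar\r\nGET /admin HTTP/1.1\r\n"
# Binary attachment bytes that happen to contain "move /" before a newline:
# a benign body that satisfies the pattern just as well.
BINARY_ATTACHMENT = b"\x89\x00\x12move /\n\xff\x00"


def demo():
    """Run the three bodies through the model on two paths."""
    results = []
    for path in ("/owa/", "/Microsoft-Server-ActiveSync"):
        for name, body in (("clean", CLEAN_FORM), ("smuggled", SMUGGLED),
                           ("binary", BINARY_ATTACHMENT)):
            r = evaluate(path, body)
            results.append((path, name, r["score"], r["blocked"]))
    return results


if __name__ == "__main__":
    for path, name, score, blocked in demo():
        print(f"{path:30} {name:9} score={score} blocked={blocked}")
```

With the default exclusions the binary body is blocked on `/owa/` but passes on the ActiveSync path, while the smuggled body is still caught everywhere the rule is active; the trade-off of a path-scoped exclusion is that a real smuggled request line inside a body on that one path also passes, which is why the exclusion should be as narrow as the affected traffic allows.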