Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: RookieCAF on November 16, 2004, 02:11:43 AM

Title: Secure Mail Server Issues
Post by: RookieCAF on November 16, 2004, 02:11:43 AM
Having a severe problem with Avast 4.5 and my secure smtp server. Looking for any hints people may have, I get some funky icon when I try to send email and some kind of connection times out and just messes everything up.

I can't send anything outside my domain..
Title: Re:Secure Mail Server Issues
Post by: Lisandro on November 16, 2004, 02:22:52 AM
I don't understand about secure servers so much...
I know that avast does not support SSL connections...  ::)
Title: Re:Secure Mail Server Issues
Post by: RookieCAF on November 17, 2004, 03:11:32 AM
Yup, I disabled Mail Protection, the setting finally stuck and I now have email. I wonder if they have any plans of supporting SSL Connections in the future.
Title: Re:Secure Mail Server Issues
Post by: DavidR on November 17, 2004, 12:40:14 PM
I think that this has been discussed before and Vlk commented on it, so a search for SSL in the forums may return more information.

Secure by its nature is designed to keep prying eyes out, so that would include anti-virus prying eyes too.

I believe it would be very difficult to support as avast isn't the recipient or initiating client, so is outside the Secure Socket Layer (these are just my thoughts, not fact, or Alwil's).
Title: Re:Secure Mail Server Issues
Post by: Vlk on November 17, 2004, 12:51:51 PM
So your mail server requires SSL and still uses the normal port numbers (25, 110)??

BTW what mail client are you using?

Thanks
Vlk
Title: Re:Secure Mail Server Issues
Post by: RookieCAF on November 18, 2004, 04:51:38 PM
995 incoming and 25 Outgoing. Using Thunderbird .9

It's no biggie, but it was just kinda frustrating that it was on by default without asking me about it, and the setting didn't appear to stick on a couple attempts.

Overall I love the product..
Title: Re:Secure Mail Server Issues
Post by: t_r_davies on November 18, 2004, 05:58:23 PM
Hi RookieCAF,

You could do what I do to access my mail securely: use stunnel (http://www.stunnel.org/) to provide the SSL connection and set up your mail client to connect to stunnel.

I have stunnel listening on ports 25 and 110 (SMTP and POP3) on localhost, and have Outlook Express configured to connect to localhost.  I've put "IgnoreLocalhost=0" into the avast4.ini [MailScanner] section so avast! scans connections made on 127.0.0.1.  Avast! transparently scans the localhost connection to stunnel, which then provides the SSL connection to the mailservers.  My stunnel.conf is as follows:

--Cut--
# We're running as a client to SSLify the GMX mail connection
client=yes

# POP3 service, listens on localhost:110
[gmx-pop3s]
accept=localhost:110
connect=pop.gmx.net:995

# SMTP service, listens on localhost:25
[gmx-smtps]
accept=localhost:25
connect=mail.gmx.net:465
--Cut--

It all works perfectly, although I did have to do a bit of fiddling around when avast! 4.5 was released.  If you want any help, don't hesitate to get in touch ;)

Vlk: searching the forum for stunnel yields a few posts (about 10), but how about putting up a sticky post to help people who want to secure their connections and still be able to use avast!?  I could even write the post for you if you want :)
Title: Re:Secure Mail Server Issues
Post by: bob3160 on November 19, 2004, 02:30:01 PM
Thanks t_r_davies
Welcome to the forum
This is also our answer for pop3 and gmail which also requires SSL.
I think a sticky thread for this is an excellent idea.
Stick around. We could use you in here. ;D
Title: Re:Secure Mail Server Issues
Post by: peterfu on November 19, 2004, 02:37:10 PM
Maybe it's also a good idea to put it in the FAQ - SSL becomes more and more usual
br
Peter
Title: Re:Secure Mail Server Issues
Post by: shatadal on November 23, 2004, 04:11:59 AM
Quote
I have stunnel listening on ports 25 and 110 (SMTP and POP3) on localhost, and have Outlook Express configured to connect to localhost.  I've put "IgnoreLocalhost=0" into the avast4.ini [MailScanner] section so avast! scans connections made on 127.0.0.1.  Avast! transparently scans the localhost connection to stunnel, which then provides the SSL connection to the mailservers.  My stunnel.conf is as follows:

--Cut--
# We're running as a client to SSLify the GMX mail connection
client=yes

# POP3 service, listens on localhost:110
[gmx-pop3s]
accept=localhost:110
connect=pop.gmx.net:995

# SMTP service, listens on localhost:25
[gmx-smtps]
accept=localhost:25
connect=mail.gmx.net:465
--Cut--

To do this do I have to pass all my mail connections through stunnel? What I mean is I have other non SSL accounts which use ports 25, 110 and 143. If I use the above settings would I still be able to access them?
Title: Re:Secure Mail Server Issues
Post by: t_r_davies on November 23, 2004, 03:04:23 PM
Quote
To do this do I have to pass all my mail connections through stunnel? What I mean is I have other non SSL accounts which use ports 25, 110 and 143. If I use the above settings would I still be able to access them?

No, you don't have to pass all your mail connections through stunnel.  If you configure stunnel as I did then you just have to reconfigure the account you want to secure to use "localhost" as the POP and SMTP servers.  You can just leave your other non-SSL accounts' settings as they are and they will continue to operate as normal.  I configured stunnel to listen on the default POP and SMTP ports so I didn't have to change the port numbers in the Outlook Express account settings.

I've been too busy to ask one of the moderators yet about putting up a sticky post regarding SSL and stunnel, but I should have time to do it today.  If they agree, I'll do a detailed explanation of exactly how to configure everything.
Title: Re:Secure Mail Server Issues
Post by: shatadal on November 23, 2004, 09:10:15 PM
Thanks a lot for your suggestion t_r_davies. I have been able to get it to work though it doesn't work with the port numbers you gave in your example. stunnel doesn't want to start. Thanks again.
Title: Re:Secure Mail Server Issues
Post by: t_r_davies on November 23, 2004, 09:24:10 PM
Quote
Thanks a lot for your suggestion t_r_davies. I have been able to get it to work though it doesn't work with the port numbers you gave in your example. stunnel doesn't want to start. Thanks again.

Happy to help :)  I've actually just changed my setup to have stunnel listening on ports 11025 and 11110, to keep it similar to the port numbers the avast! mail scanner uses (12025, 12110 and 12143).  It makes it easier to remember!  I'm also using SpamBayes (listening on port 10110), which complicates matters slightly, but that's the gist of my configuration.

Does stunnel start if you change the port numbers (try 11025 and 11110 like I'm now using)?  Also, are you running it as a service (if you're on Win2K/XP) or as a normal process?
Title: Re:Secure Mail Server Issues
Post by: shatadal on November 24, 2004, 09:19:33 AM
I use other ports like 350, 1600 etc. Kind of non standard and illogical I guess, but I can always look up stunnel.conf.

As for starting it, I made a shortcut to stunnel and put it in ~\Start Menu\Programs\Startup so it starts up whenever I login to my user account. I run it as a user.

How do you run it as a service? What exactly is the difference between a service and a normal process?
Title: Re:Secure Mail Server Issues
Post by: t_r_davies on November 24, 2004, 01:39:35 PM
Quote
I use other ports like 350, 1600 etc. Kind of non standard and illogical I guess, but I can always look up stunnel.conf.

As for starting it, I made a shortcut to stunnel and put it in ~\Start Menu\Programs\Startup so it starts up whenever I login to my user account. I run it as a user.

How do you run it as a service? What exactly is the difference between a service and a normal process?

Provided you're running WinNT, 2K or XP, you can run stunnel as a service by running "stunnel -install" at a command prompt (you need to be Administrator to do this).  A service can be started at boot-time so it runs continuously while the machine is on (even when no-one is logged on), services can also be stopped, started and paused using the Service Manager.  Running stunnel from the Startup group is fine though, that way it will exit when you log off.
Title: Re:Secure Mail Server Issues
Post by: shatadal on November 25, 2004, 10:20:48 AM
Maybe this post is off-topic but since we have been discussing stunnel in this thread I have a question regarding its use.

So one of my accounts allows me to establish both SSL and non SSL connections over port 25 of the smtp server. I can use the non SSL connection to send the mail and avast scans the outgoing e-mail.

If I now want to send over the SSL connection using stunnel the operation just times out or gives an error saying that the SMTP connection has been refused.

Now when I disable the avast mail scanner and try to connect to my smtp server over port 25 via SSL I get a certificate in the client asking me to either reject it or accept it temporarily for the current session or accept permanently. Once I accept it I am able to send e-mails via SSL over port 25 of the smtp server. However I am not very keen on disabling the mail scanner.

It therefore seems that the time out error or the server's refusal to accept SMTP connections is because stunnel ignores the certificate.

Could t_r_davies or somebody else teach me how to accept certificates into stunnel?

I am using:
Thunderbird 0.9
Win XP
stunnel 4.05
Avast 4.5
Title: Re:Secure Mail Server Issues
Post by: gwheaton on November 26, 2004, 05:23:32 AM
t_r_davies,

Thanks for the info.  I have a gmail.com account and it requires SSL.  One problem I am having is when sending email.  (I can receive gmail.com email and avast is scanning and inserting the clean tag without a problem)

my stunnel.conf file is:

# We're running as a client to SSLify the gmail mail connection
client=yes

# POP3 service, listens on localhost:110
[gmail-pop3s]
accept=localhost:10110
connect=pop.gmail.com:995

# SMTP service, listens on localhost:25
[gmail-smtps]
accept=localhost:1025
connect=smtp.gmail.com:587

My avast4.ini:

[MailScanner]
IgnoreLocalhost=0
PopRedirectPort=110,1110,1120,10110
SmtpRedirectPort=25,215,225,1025
ShowTrayIcon=1


When I try to send, I get an error in Thunderbird that "connecting to SMTP server localhost failed"

The stunnel log file shows:
2004.11.25 23:21:20 LOG3[1960:4012]: SSL_connect: 1408F10B: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number

Any ideas?

Thanks,

Gordon
Title: Re:Secure Mail Server Issues
Post by: pekka on November 26, 2004, 12:31:15 PM
Try:

# SMTP service, listens on localhost:25
[gmail-smtps]
accept=localhost:1025
connect=smtp.gmail.com:587
protocol=smtp
Title: Re:Secure Mail Server Issues
Post by: t_r_davies on November 26, 2004, 04:03:42 PM
Quote
So one of my accounts allows me to establish both SSL and non SSL connections over port 25 of the smtp server. I can use the non SSL connection to send the mail and avast scans the outgoing e-mail.

If I now want to send over the SSL connection using stunnel the operation just times out or gives an error saying that the SMTP connection has been refused.

Hi shatadal.

As far as I can see, stunnel can't help you in this situation.  It appears your mailserver is using STARTTLS to secure the connection, not normal SSL.  STARTTLS is an extended SMTP command issued by the client to start a secure TLS (the successor to SSLv3) channel using the existing connection.  By doing this, mail servers only need listen on one port (25) and be able to handle both secure and unsecure connections, instead of listening on port 25 for unsecure and port 465 for secure connections.  This is now the IETF-recommended (I think) method of securing connections, and the same technique can be used for HTTP connections (possibly POP3 and IMAP as well, I'm not entirely sure).  See RFC2487: http://www.ietf.org/rfc/rfc2487.txt.

:)
Title: Re:Secure Mail Server Issues
Post by: gwheaton on November 26, 2004, 04:24:36 PM
Thanks, but get the same error that it can not connect to localhost:

Error from thunderbird:

"Sending of message failed.
An error occurred sending mail: Unable to connect to SMTP server localhost.  The server may be down or may be incorrectly configured.  Please verify that your Mail/News account settings are correct and try again."

stunnel Log:

2004.11.26 10:25:30 LOG5[2412:3940]: stunnel 4.05 on x86-pc-mingw32-gnu WIN32 with OpenSSL 0.9.7e 25 Oct 2004
2004.11.26 10:25:30 LOG5[2412:2380]: WIN32 platform: 30000 clients allowed
2004.11.26 10:25:43 LOG5[2412:320]: gmail-smtps connected from 127.0.0.1:2009
2004.11.26 10:25:43 LOG5[2412:320]: Negotiations for smtp (client side) started
2004.11.26 10:25:44 LOG5[2412:320]: Protocol negotiation succeded
2004.11.26 10:25:48 LOG5[2412:320]: Connection closed: 18 bytes sent to SSL, 116 bytes sent to socket

Any Ideas?

Gordon


Quote
Try:

# SMTP service, listens on localhost:25
[gmail-smtps]
accept=localhost:1025
connect=smtp.gmail.com:587
protocol=smtp

Title: Re:Secure Mail Server Issues
Post by: t_r_davies on November 26, 2004, 06:30:50 PM
Hi gwheaton,

Can't help you just now, sorry, I'm just going to catch the train for the weekend away, but I'll be back on Sunday afternoon sometime.  Should be able to help you out further then.  From a quick look at the symptoms, it looks like there's something going wrong during the SSL protocol negotiation.  I'll chew it over and see if I can come up with a solution for you for Sunday :)
Title: Re:Secure Mail Server Issues
Post by: gwheaton on November 27, 2004, 03:45:40 AM
Thanks   t_r_davies

If you have any ideas, that would be great.  For now I turned off using stunnel for SMTP and am just using it to get email from the pop3 server.  At least avast is scanning incoming email from gmail.com now and that is what I really wanted.  

If I can get SMTP working GREAT, if not, that's fine.

Thanks again,

Gordon
Title: Re:Secure Mail Server Issues
Post by: shatadal on November 28, 2004, 11:35:25 PM
Quote
So one of my accounts allows me to establish both SSL and non SSL connections over port 25 of the smtp server. I can use the non SSL connection to send the mail and avast scans the outgoing e-mail.

If I now want to send over the SSL connection using stunnel the operation just times out or gives an error saying that the SMTP connection has been refused.

Hi shatadal.

As far as I can see, stunnel can't help you in this situation.  It appears your mailserver is using STARTTLS to secure the connection, not normal SSL.  

I think you are right that stunnel has nothing to do with it. Instead I think avast has something to do with it. While avast and stunnel work perfectly for another SSL protected e-mail account, the account I am having problems with is a TLS protected account. When I terminate the Avast internet mail subsystem then stunnel works perfectly (well almost, there is some problem regarding copying the message to the sent items folder), forwarding the message to my server over TLS. But if the subsystem is running or paused my mail client just times out.

I am using avast 4.5.523. Supposedly 4.5.536 takes care of SSL connections but I am waiting for a stable release before installing it.
Title: Re:Secure Mail Server Issues
Post by: shatadal on November 30, 2004, 12:41:50 AM

<snip>

I am using avast 4.5.523. Supposedly 4.5.536 takes care of SSL connections but I am waiting for a stable release before installing it.

Well 4.5.542 doesn't take care of the problem.
Title: Re:Secure Mail Server Issues
Post by: Eddy on November 30, 2004, 02:51:22 AM
It is starting to sound like you haven't set up the mail correctly (no offense). Please use the search option on this board. keyword=ssl

Let us know if you were able to solve it with the info you found or not.
Title: Re:Secure Mail Server Issues
Post by: shatadal on December 01, 2004, 02:08:39 AM
Quote
It is starting to sound like you haven't set up the mail correctly (no offense). Please use the search option on this board. keyword=ssl

Let us know if you were able to solve it with the info you found or not.

No offense taken but I am sure it is a problem with Avast. When I switch off the mail scanner module my mail client can make the TLS connection perfectly.

Avast doesn't cause any problems with my other SSL enabled mails when I route them through stunnel but I think it cannot handle TLS connections gracefully.

t_r_davies said he was going to write more on this issue when he comes back so I am waiting for his advice.
Title: Re:Secure Mail Server Issues
Post by: RLGyde on December 03, 2004, 09:07:46 PM
Quote
No offense taken but I am sure it is a problem with Avast. When I switch off the mail scanner module my mail client can make the TLS connection perfectly.

I have the same problem as shatadal. Actually, I did also try to turn off outbound virus scan, but that did not help. I have to turn off Internet mail scan.

Avast ends up with Connection timeout..

On server side "SSL_accept:error in SSLv2/v3 read client hello A" is the last log entry before 'lockdown'

If I terminate Internet Mail scan while trying to send, next log msg is: warning: Read failed in network_biopair_interop with errno=104: num_read=-1, want_read=11

I hope this info can help you to fix the problems.
-tnx
Title: Re:Secure Mail Server Issues
Post by: Lisandro on December 04, 2004, 12:21:28 PM
I've posted before in this same thread...
I think avast cannot handle SSL connections  :'(
There isn't support for secure connections.
Title: Re:Secure Mail Server Issues
Post by: Thom on December 04, 2004, 01:04:26 PM
Judging by the traffic regarding SSL and newer Avast versions (at least the free, home version), I'm not the only one having problems accessing my mail.  (XP home, SP2, Eudora, Avast 4.5 Home, comcast.net connection)

However, I think I may have found a solution at http://micro.uoregon.edu/security/email/eudora.html.  My inbound and outbound mail is working with comcast.net (finally!).

But, with all the conversation about disabling Avast's email protection, I don't know now if after applying the seemingly simple changes above I'm still protected?

Am I?
Title: Re:Secure Mail Server Issues
Post by: bob3160 on December 04, 2004, 01:18:32 PM
Thom
Just check your e-mail headers; that will tell you.
Title: Re:Secure Mail Server Issues
Post by: Thom on December 04, 2004, 01:27:04 PM
I take it this qualifies as proof that it's working?

-----------cut and pasted header------------

X-Envelope-To: <software@someisp.org>
Return-path: <apache@rs03.avast.com>
Received: from rs03.avast.com (67.15.62.22) by someisp.org (Mercury/32 v3.32) with ESMTP ID MG000166;
   4 Dec 04 05:12:43 -0700
Received: from rs03.avast.com (localhost.localdomain [127.0.0.1])
        by rs03.avast.com (8.12.11/8.12.11) with ESMTP id iB4CIWnB012848
        for <software@someisp.org>; Sat, 4 Dec 2004 13:18:32 +0100
Received: (from apache@localhost)
        by rs03.avast.com (8.12.11/8.12.11/Submit) id iB4CIW14012846;
        Sat, 4 Dec 2004 13:18:32 +0100
Message-Id: <200412041218.iB4CIW14012846@rs03.avast.com>
To: software@someisp.org
Subject: Topic reply: Re:Secure Mail Server Issues
From: "ALWIL Software Forums" <webadmin@asw.cz>
Date: Sat, 04 Dec 2004 12:18:32 +0000
X-Antivirus: avast! (VPS 0449-1, 12/02/2004), Inbound message
X-Antivirus-Status: Clean

-------------end cut and pasted header ------------

So, this might be a viable solution to what seems to be keeping many people other than me up in the middle of the night?

Thanks.
Title: Re: Secure Mail Server Issues
Post by: yildi on January 13, 2005, 10:42:17 AM
I am a little confused here. It would be really nice to put in place a FAQ explaining how to configure MAILCLIENT+SPAMFILTER+AVAST+STUNNEL for getting and sending mail from a SSL server like GMAIL. GMAIL is invading the mail sphere and it would be a pity if Avast was not compatible with it :-(   

Such a configuration tunnelling through SSL, Anti-virus and Anti-spam is rather complex....

Thanks for your help!

Murat
Title: Re: Secure Mail Server Issues
Post by: Eddy on January 13, 2005, 10:50:54 AM
Have you any idea on how many spam filters there are? Explaining it in a faq would make the faq look like a very thick encyclopedia ;D

Avast does not support ssl.
Title: Re: Secure Mail Server Issues
Post by: yildi on January 13, 2005, 12:50:22 PM
Hi,

I am conscious that there are many mail clients and spam filters. This is why I do not specify any one in particular. As far as I know, the general structure of the connections on this chain is quite generic and uses an articulation of different port numbers. What I am asking for is a generic structure of these server names (localhost, 127.0.0.1, distant mail host, etc.) and port numbers and not the specific way in which this configuration is implemented in each particular client software... So I think that this should be possible with a little bit of abstraction about the specificities of each client... hoping that each user is able to implement the connection structure in his/her specific environment. Without the specificities of different clients, even the general connection structure is sufficiently complex to merit a FAQ item... Tell me if this is stupid....

Murat
Title: Re: Secure Mail Server Issues
Post by: yildi on January 13, 2005, 01:25:01 PM
If general information seems difficult to put together, let me present my particular case.

I am trying to configure ThunderBird - Spamihilator-Avast-Stunnel for GMail.

I have deactivated SSL everywhere, leaving Stunnel to take care of this.

In TB I have the following account set:

Server name : localhost Port : 120 (listened by Spamihilator)
Username: localhost&myaccountname&11110 (port used by Stunnel)

In Avast.ini I have:
PopRedirectPort=110,1110,1120,11110

In Stunnel I have:

client=yes
[gmail-pop3s]
accept=localhost:11110
connect=pop.gmail.com:995

When I check my mail with this configuration, I can get mails but they are not checked by Avast (the note about cleanness is not introduced even if I ask for it in the configuration of the Mail Shield in Avast - I have stopped and restarted it). I can also see the protection information in the header but only for the outgoing operation (I use another account without SSL to send the message to my gmail account and this simple account is scanned for the outgoing mail).

What am I doing wrong to have the scanning of the incoming mail?

Thank you very much in advance for your help.

Murat
Title: Re: Secure Mail Server Issues
Post by: yildi on January 13, 2005, 07:19:45 PM
Is my question stupid too? I have not been able to locate a full explanation for such a configuration in these forums. So I really need your help to understand what I am doing wrong....

Murat
Title: Re: Secure Mail Server Issues
Post by: Eddy on January 13, 2005, 07:25:18 PM
Your question is not stupid at all, imo.
But your setup is very unusual (the Stunnel part). Not many people know it or have experience with it, so it can take a couple of days before someone reads your question and is able to answer. Have a little patience I would say.

Does everything work if you leave Stunnel out of it?
Title: Re: Secure Mail Server Issues
Post by: yildi on January 13, 2005, 08:38:45 PM
Thank you for assuring me Eddy,

I have added the STunnel part following the solution proposed in this thread. This seems necessary since Avast cannot filter an SSL connection and GMail pop requires an SSL connection. Before trying this solution I could connect SSL to GMail using Thunderbird but in this case I do not benefit from the protection provided by Avast and I would not like to live as dangerously as this :-(  So, following the suggestions of this list, I am trying to put Stunnel in charge of the SSL in order for Avast to be able to filter this flow before encryption and after decryption...  I can check my mail but it is not filtered by Avast for a reason that I do not understand (I asked Avast to listen to the corresponding port but it does not seem to recognize it as a Pop flow....).

So I have thought that the people participating in this thread would be able to help me to solve this problem....

Murat
Title: Re: Secure Mail Server Issues
Post by: Eddy on January 13, 2005, 09:07:10 PM
Quote
I would not like to live as dangerously as this
I agree, better be protected than not being protected.

Quote
So I have thought that the people participating to this thread would be able to help me to solve this problem....
I'm sure there is someone who can help you in detail on this. As I said, be patient.

In the mean time,
- open the on-access control panel
- go to the standard-shield provider
- click "customize"
- click "scanner" (advanced tab)
- enable "scan created/modified files"
- and enable/check "all files" there

That will make sure that the files (emails are stored as files on your system) are scanned, till there is another solution.
Title: Re: Secure Mail Server Issues
Post by: yildi on January 14, 2005, 01:28:21 PM
Thanks Eddy,

Knowing that all mails will nevertheless be checked by Avast is assuring. I hope that this will not slow too much my computer given all the mboxes that are modified each time I have several messages going in different mailboxes (each mailbox is a file under ThunderBird). So I would prefer to have a more standard solution but in the waiting, I feel more secured with this solution.

Thanks a lot!

Murat
Title: Solved!!!
Post by: yildi on January 14, 2005, 07:24:26 PM
OK,

I think I have solved this problem. Here is my configuration:

I am trying to configure ThunderBird - Spamihilator-Avast-Stunnel for GMail.

I have deactivated SSL everywhere, leaving Stunnel to take care of this.

In TB I have the following account set:

Server name : 127.0.0.1 Port : 120 (listened by Spamihilator)
Username: 127.0.0.1&myaccountname&11110 (port used by Stunnel)
(11110 is the port that will be used by Stunnel)

In Avast.ini I have:
[MailScanner]
...
PopRedirectPort=110,1110,1120,11110   #(We ask Avast to listen to this port -11110 )
SmtpRedirectPort=25,215,225,1025,11025
IgnoreLocalhost=0

The last line was missing

In Stunnel I have:

client=yes
[gmail-pop3s]
accept=127.0.0.1:11110   #Here the error was localhost instead of 127.0.0.1
connect=pop.gmail.com:995

I get now in the bottom of messages from gmail:

---
avast! Antivirus: message Entrant propre.
Base de données des virus (VPS): 0502-3, 14/01/2005
Test du: 14/01/2005 19:23:18
avast! - copyright (c) 2000-2004 ALWIL Software.
http://www.avast.com

I think that this structure could be generalized to other clients... The parts that must be adapted are the port listened by the SPAM filter (120 for Spamihilator) and the codification of the server and user names and the port to listen (11110) for the SPAM filter and AVAST. The rest should be quite generic and transposable.

I need now to launch stunnel as a service (using stunnel -install)

Murat
Title: Re: Solved!!!
Post by: Lisandro on January 14, 2005, 07:34:30 PM
Quote
I think that this structure could be generalized to other clients...

Many thanks for posting...
I'll try Stunnel again and see if I can get my GMail account.
I use Spami and avast too
Thanks  8)
Title: Re: Secure Mail Server Issues
Post by: yildi on January 14, 2005, 07:42:38 PM
I would like to know if this scheme is easy to transpose. So your experiment is important  :)
If you find that it works and it is easy to implement, we could propose it for the FAQ or for a sticky post....

Good luck :-)

Murat
Title: Problems again...
Post by: yildi on January 15, 2005, 01:03:04 PM
Hi,

It seems that I have rejoiced too early... :-(

Yesterday evening everything seemed to work but this morning I cannot check my normal (non SSL) POP accounts...

The problem seems to be related to

IgnoreLocalhost=0

In Avast.ini

If IgnoreLocalhost=0, I can check gmail through Avast but when I check my normal POP accounts I get an error message in TB:
"Sending of password did not succeed. Mail server 120.0.0.1 responded: -ERR Cannot connect to POP server 120.0.0.1 ( 120.0.0.1 :110), self connecting"
but I can check gmail and the mails are filtered by Avast

If  IgnoreLocalhost=1, I can check my mails in the normal accounts but I cannot check gmail.

So there seems to be a contradiction between these two operations...
I would like to be able to check both kinds of accounts using different ports....

Does anybody have any idea about what is going on here and the possibility of a solution.... I really hope that this problem has a solution...

Thank you in advance.

Murat
Title: Re: Secure Mail Server Issues
Post by: yildi on January 15, 2005, 02:16:40 PM
Moreover this setting (IgnoreLocalhost=0) is necessary in order to use secure SMTP through GMail (through Stunnel again).

If I have IgnoreLocalhost=0, all connections through localhost:11110 (POP) and localhost:11025 (SMTP) work but the connection through 127.0.0.1:110 does give the error message of my preceding mail.

If I have IgnoreLocalhost=1, I get just the inverse result...

It would be nice to have both types of connections working without having to change avast.ini each time...

Murat
Title: Re: Secure Mail Server Issues
Post by: Lisandro on January 15, 2005, 02:24:41 PM
Yildi, I'm frustrated with Stunnel... I can't make it work...
I can't install, can't find a 'complete' package to download anymore...  :'(
Title: FAQ: ThunderBird - Spamihilator-Avast-Stunnel
Post by: yildi on January 15, 2005, 03:13:32 PM
Good news,

ThunderBird - Spamihilator-Avast-Stunnel for GMail
and
ThunderBird - Spamihilator-Avast for non SSL POP

both work now and also SecureSMTP for GMail.

My problem was due to the fact that I have missed the new working scheme of Avast 4.5 for simple POP...

Let me draft some sort of a FAQ following my recent experience.

A/ Installing and preparing STUNNEL

Download OPENSSL for Windows from http://www.slproweb.com/products/Win32OpenSSL.html and install it.
Download STUNNEL for Windows from http://www.stunnel.org/download/binaries.html. This is an exe file and you can place it in any specific folder (e.g. in C:\stunnel).
In the folder where you have copied stunnel, you will create its configuration file.

So launch your notepad and type the following (adapt it if necessary) in a blank document:

Code:
# We're running as a client to SSLify the GMail POP connection
client=yes

# POP3 service, listens on localhost:11110
# connect: pop.gmail.com:995, or the SSL port of your Secure POP server if you use another service.
[gmail-pop3s]
accept=127.0.0.1:11110
connect=pop.gmail.com:995

# SMTP service, listens on localhost:11025
# connect: smtp.gmail.com:465, or the SSL port of your Secure SMTP server if you use another service.
[gmail-smtps]
accept=localhost:11025
connect=smtp.gmail.com:465

Save this file in the same folder as the stunnel exe under the name stunnel.conf

Open a windows command window and switch to the folder where stunnel has been placed.
Execute the following command to launch stunnel as a Windows service (you will hence be able to stop or manage it using the standard windows console for services):
stunnelexecutablename -install

stunnelexecutablename will be something like stunnel-4.07 (depends on the version you download, 4.07 is the current stable version)

Now you will observe a new icon (something like a network folder) in the right taskbar and if you double click on the icon, you will be able to open the log window (nothing very interesting will be visible for now). If you have made an error in the configuration file, stunnel will refuse to be launched. In this case check the syntax (comparing with the above one) and the ports numbers of your service.

Now we can configure the mail client.

B/ Setting the mail client.

I will assume that you have two kinds of POP accounts, one normal (toto@myserver.com) and one secured (toto2@gmail.com).
I will also assume that your SPAM filter uses the port 120 (like Spamihilator); if not, adapt the following instructions.

Configuring the normal POP account.

Server: localhost Port: 120 (for Spamihilator; adapt it to the port your filter listens on)
username: pop.myserver.com&toto  (this is the format used by Spamihilator; if your filter expects another scheme, please adapt it)

Configuring the secure POP account
Server: localhost Port: 120 (for Spamihilator; adapt it to the port your filter listens on)
username: localhost&toto2&11110

(this is the format used by Spamihilator; if your filter expects another scheme, please adapt it. The last element is the port number that STUNNEL will listen on, and AVAST as well (see below), in order to be converted to an SSL flow toward pop.gmail.com, as specified in stunnel.conf)

Setting the secure SMTP for GMail:

Server: localhost  Port: 11025  (the port listened on by Stunnel and by AVAST - see below)
User name: toto2

The setting of the normal SMTP is... normal.

We have a last configuration to do.

C/ Setting Avast.ini

As you probably know, this file sits in avastfolder\data subfolder.
Open it in Notepad, then locate and edit (and complete) the following section (leave the rest of the settings as they are; I only give here the settings that you should modify. We will just add the ports to listen on and the listening on these ports on the localhost - IgnoreLocalhost=0):
Code:
[MailScanner]
PopRedirectPort=110,1110,1120,11110
SmtpRedirectPort=25,215,225,1025,11025
IgnoreLocalhost=0
AutoRedirect=1
Save this file, and you must now be able to check all your accounts (the first time, your mail client will ask you for your passwords for the secure connections).

Tell me if this is understandable and if it works for you.

Good luck.

Murat
Title: Re: Secure Mail Server Issues
Post by: Lisandro on January 15, 2005, 03:52:35 PM
I'm troubleshooting this... It'll take some time...  8)

Continuing...
Title: Re: Secure Mail Server Issues
Post by: Lisandro on January 26, 2005, 01:58:04 AM
I'll give up...  :(
Maybe in March I'll take it up again  :-[
It does not work for me... I can't login into GMail...
Title: Re: Secure Mail Server Issues
Post by: ling2 on February 22, 2005, 03:50:10 AM
Hello!

Yildi's FAQ is a very good reference for me and for those who want to use Stunnel to connect to secure POP/IMAP/SMTP servers. Without it, I couldn't have set up my computer to do that. Thank you very much, yildi! Yildi's config, however, didn't work for me very well, and I needed to change a few things in the config. I think the changes I've made might help some people to troubleshoot.
Added: I manually set up the email protection when I wrote this. This configuration can only work for those who manually set it up. If you use avast!4.6 or newer on Windows XP (probably on Win NT, 2000, or 2003 as well), you can't manually set it up any more. I guess if you use on Win 95, 98, or Me, you still can or need to manually set it up.

(1) In the stunnel.conf
(A) It seems like in the stunnel.conf, to comment a line out, you can use "#" or ";" only at its beginning. Therefore you should remove or move to the next line newly created yildi's comments "#or the SSL port of your Secure POP/SMTP server if you use another service."

(B) Added: If you use the TLS connection, you need to add "protocol = smtp" for the SMTP/TLS connection, and "protocol = pop3" for the POP/TLS connection.
I added "protocol = smtp" like:
Added: e.g. As Gmail's secure POP connection is the SMTP/TLS connection, you need to define the protocol for the connection as SMTP like this:
Code:
[gmail-smtps]
protocol = smtp
accept = localhost:11025
connect = smtp.gmail.com:587
Currently Google Help says the secure SMTP port is 587. I don't think you should add "protocol = pop3" for the secure POP connection. When I tried doing that, I could log in but couldn't retrieve new e-mails from my POP server.
Added: If you use the SSL connection, you shouldn't define the protocol.
e.g. As Gmail uses the POP/SSL connection, you shouldn't add the definition "protocol = pop3" for the Gmail POP connection.

Code:
[gmail-pop3s]
accept = 127.0.0.1:11110
connect = pop.gmail.com:995

(2) In the avast.ini
I think that in Pop/Smtp/ImapRedirectPort you should put only the ports where you want avast! to scan emails. For example, if you want emails to go through your email client, Spamihilator, avast!, and Stunnel or directly your remote mail server in this order, you should set in Pop/Smtp/ImapRedirectPort only the ports you use between Spamihilator and avast!. The RedirectPorts are those where avast! scans emails, not those where the servers avast! connects listen. Therefore basically you should set in Pop/Smtp/ImapRedirectPort only the ports where avast! listens, which are the same as you've set in Pop/Smtp/ImapListen.

If those above don't help you fix your problem in the email connection, you should try out the following, too.

(3) In the avast.ini again
You shouldn't set any value for IgnoreLocalhost. Remove the item or leave its value blank.


(4) In your email client's settings
If you don't set any value for IgnoreLocalhost in the avast.ini, you need to set in your email client's settings Spamihilator's, avast!'s, and Stunnel's locations and ports where they listen, for the secure connection, and Spamihilator's, avast!'s, and your POP/SMTP/IMAP servers' locations and ports where they listen, for the normal connection. For example, if you access your email client, Spamihilator, avast!, Stunnel, and your remote mail server in this order to connect the secure server, you should set in your email client the following:
mail server
127.0.0.1
(Sure you can set "localhost" for this as yildi does, too. This is Spamihilator's location.)
mail server's port
the port where Spamihilator listens
username
127.0.0.1&username#127.0.0.1:the port where Stunnel listens&the port where avast! listens
(The first "127.0.0.1" is avast!'s location. The second 127.0.0.1 is Stunnel's location.  "Mail server&username&port" is the format Spamihilator requires. "Username#mail server:port" is the format avast! requires.)

As I don't use Spamihilator, the settings in my email client are less complicated than what I've shown in (4), but all above are the changes I made. I hope the setting example in (4) will work fine for those who use Spamihilator. Wish you luck!

Added: If this configuration doesn't work, you should set the value of "IgnoreLocalhost" to 0 in the avast.ini file. Because you've manually defined which ports avast! should listen on and scan, avast! can scan what it has to without the setting "IgnoreLocalhost = 1".

PS: I posted this just before I updated avast! to 4.6. The information in this post can be applied to avast!4.5, not to avast!4.6. To see my rough explanation about the configuration for avast!4.6, go to http://forum.avast.com/index.php?topic=8775.msg96725#msg96725.
I'm sorry for this mess.

Title: Re: Secure Mail Server Issues
Post by: sded on February 22, 2005, 05:12:01 AM
Couple of observations.
1) If I set IgnoreLocalHost to blank, my incoming mail no longer gets scanned by Avast! (verification message goes away).
2) I am able to send mail through Stunnel using smtp to port 587, but when I try to scan it in Avast! along the way I get a "server is not RFC2487 compliant" error message in Stunnel and don't understand why.
Maybe I'll look at it some more tomorrow.
Title: Re: Secure Mail Server Issues
Post by: sded on February 22, 2005, 05:20:37 AM
BTW, I am not using gmail but an ISP smtp server that uses port 25 for TLS secure smtp.
Title: Re: Secure Mail Server Issues
Post by: sded on February 22, 2005, 05:45:07 AM
S---!  Problem was a typo.  I put in 10025 instead of 11025.  If I enter 127.0.0.1 and 11025 into the client (Thunderbird), tell Avast! to watch 11025, Stunnel to watch 25 and connect to 587 all works.  But still need IgnoreLocalHost=0 .  Thanks for letting us know about 587; 465 didn't work for me.  So now a FAQ for doing secure scanning with Stunnel for both POP3 and SMTP.
Title: Re: Secure Mail Server Issues
Post by: ling2 on February 22, 2005, 07:06:34 AM
My workaround worked fine with avast!4.5. I've just updated avast! to 4.6 and found a few things changed.

[1] Avast! 4.6 doesn't seem to accept the setting in your mail client such as "username#mailserver:port". Therefore (3) and (4) in my workaround posted above don't work any more. (2) has to be revised, too. (Refer to the information below [2].)

[2] In Resident task settings for Internet Mail in avast!4.6 you can set redirect ports and decide if avast! should ignore local communication or not. (Up to avast!4.5, you had to open the avast.ini file and set the values for Pop/Smtp/ImapRedirectPort and IgnoreLocalhost if you wanted to set them.) In the Redirect tab in Resident task settings for Internet Mail, you should uncheck "Ignore local communication" and set up the redirected ports. When you do that, the values will be written in the avast.ini file.
I think, if you get your email to go through your mail client, Spamihilator, avast!, Stunnel, and your remote mail server in this order, you need to set as the redirected port the port where Stunnel listens. If you get your email to go through your mail client, Spamihilator, avast!, and your remote mail server in this order, you need to set as the redirected port the port where your remote mail server listens, that is, your mail server's port.

[3] In avast!4.6 the default listen ports seem to be 12110 for POP, 12025 for SMTP, 12143 for IMAP, and 12119 for NNTP, or the standard ports for all protocols (110 for POP, 25 for SMTP, 143 for IMAP, 119 for NNTP). You might change them in the avast.ini file if you need to. You can't manipulate these values through Resident task settings. If you set up the listen ports before updating to avast!4.6, the ports you've set seem not to be changed in updating. (But the listen port for NNTP was never set before, so it was set as 12119 when I updated avast! and restarted my computer.)

I have to change my settings now because I've used "username#mailserver:port" style settings. Anyway, you need to set 0 as the value for "IgnoreLocalhost" in avast!4.6, I believe.

I will post a better explanation later.
Title: Re: Secure Mail Server Issues
Post by: ling2 on February 22, 2005, 07:47:26 AM
Quote from: sded
BTW, I am not using gmail but an ISP smtp server that uses port 25 for TLS secure smtp.
S---!  Problem was a typo.  I put in 10025 instead of 11025.  If I enter 127.0.0.1 and 11025 into the client (Thunderbird), tell Avast! to watch 11025, Stunnel to watch 25 and connect to 587 all works.  But still need IgnoreLocalHost=0 .  Thanks for letting us know about 587; 465 didn't work for me.  So now a FAQ for doing secure scanning with Stunnel for both POP3 and SMTP.
As I wrote in the previous post, you need "IgnoreLocalhost=0" in the avast.ini file. (Only when you want to manually set up your email protection in avast!4.5 or under, you need to set the value of "IgnoreLocalhost" as 0.)

In avast!4.6 you can uncheck "Ignore local communication" in Resident task settings for Internet Mail, which sets the value for IgnoreLocalhost to 0.

If you don't use Gmail and your ISP's SMTP server listens on (=use) the port 25, you can't and shouldn't use the port 587. You should write in the stunnel.conf file like this:
Code:
[yourISP-smtps]
protocol = smtp
accept = localhost:11025
connect = yourISP'sSMTPservername:25
Please don't use the port 587 in any setting.

465 is the default port for the SMTP/SSL connection, but some services use other ports for the connection.

When you use the SMTP/TLS connection,  you need to put "protocol = smtp" in the stunnel.conf file. When you use the SMTP/SSL connection, you shouldn't.

(I guess when you use the POP/TLS connection, you need to put "protocol = pop3" in the stunnel.conf file, and that when you use the POP/SSL connection, you shouldn't, as well.)

According to you, your ISP uses the SMTP/TLS connection as does Gmail. As another example, AOL uses SMTP/SSL connection. (If you need the information on AOL's IMAP/SMTP SSL support, go to http://journals.aol.com/adamkb/blog/entries/386.)
Title: Re: Secure Mail Server Issues
Post by: sded on February 22, 2005, 03:11:59 PM
Convention seems to follow Outlook Express for many US ISPs.  Haven't used AOL.  POP3 mail is SSL on port 995, SMTP is TLS on port 25, which OE calls SSL.  If you use Thunderbird, you need to indicate TLS not SSL for SMTP to work.  SMTP works for my ISP with either 25 or 587 as the port in stunnel.conf.  Now using

# We're running as a client to SSLify the POP/SMTP connections
client=yes

# POP3 service, listens on localhost:11110
[xxxx-pop3s]
accept=localhost:11110
connect=mail.xxxx.com:995

# SMTP service, listens on localhost:11025
[xxxx-smtps]
protocol=smtp
accept=localhost:11025
connect=smtp.xxxx.com:25

With 11110 and 11025 the ports in Thunderbird (servers 127.0.0.1) and the redirect ports in Avast!   Never need to go to Avast.ini in 4.6. 
Title: Re: Secure Mail Server Issues
Post by: ling2 on February 22, 2005, 10:46:01 PM
Sded, thank you for summing up by using your conditions as an example. You've provided other useful information, too:

Outlook Express doesn't distinguish SSL from TLS in its settings. (You don't have to define the type of the secure connection you use.)
Thunderbird distinguishes SSL from TLS in its settings.
Stunnel distinguishes SSL from TLS in the stunnel.conf file.

As I said in my previous posts, if you use Stunnel, you need to define "protocol" for the TLS connection, but shouldn't for the SSL connection in the stunnel.conf file.
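An added example, not code from any poster or from the stunnel project: a small linter for client-mode stunnel.conf files like the ones in this thread. It flags the inline-comment problem and the protocol/port pairing rule discussed above, and goes beyond the thread by also flagging an `accept` that is not bound to loopback and a config with no certificate-verification option. The port sets are conventions (assumptions, so they only produce warnings) and the sample config is constructed.

```python
import re

# Constructed sample modelled on the configs in this thread: an inline comment
# on a "connect" line, "protocol=smtp" paired with the SMTP/SSL port, and an
# "accept" without a host part (the last one is an added illustration).
SAMPLE_CONF = """\
# stunnel as a client in front of the mail servers
client=yes

[gmail-pop3s]
accept=127.0.0.1:11110
connect=pop.gmail.com:995 #or the SSL port of your Secure POP server

[gmail-smtps]
protocol=smtp
accept=11025
connect=smtp.gmail.com:465
"""

# Port conventions only; a service may use other ports.
IMPLICIT_TLS_PORTS = {465, 995}      # "SSL" in the thread: TLS from the first byte
STARTTLS_PORTS = {25, 110, 587}      # "TLS" in the thread: plaintext, then upgrade
LOOPBACK = {"127.0.0.1", "localhost", "::1"}
VERIFY_OPTS = {"verify", "verifychain", "verifypeer"}  # names from the stunnel manual


def parse(text):
    """Return (global_opts, sections, findings); opts map name -> (value, line_no)."""
    glob, sections, findings = {}, {}, []
    current = glob
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # whole-line comments: the only kind the thread says work
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1), {})
            continue
        name, sep, value = line.partition("=")
        if not sep:
            findings.append((no, "syntax", f"not a 'name = value' line: {line!r}"))
            continue
        value = value.strip()
        trailing = re.search(r"\s+[#;].*$", value)
        if trailing:
            findings.append((no, "inline-comment",
                             "comment after a value; move it to its own line"))
            value = value[:trailing.start()]
        current[name.strip().lower()] = (value, no)
    return glob, sections, findings


def endpoint(opts, key):
    """Split 'host:port' (or a bare port) into (host, port, line_no)."""
    if key not in opts:
        return None, None, None
    value, no = opts[key]
    host, _, port = value.rpartition(":")
    return (host or None), (int(port) if port.isdigit() else None), no


def lint(text):
    """Return sorted (line_no, code, message) findings for a client-mode config."""
    glob, sections, findings = parse(text)
    for name, opts in sections.items():
        a_host, _, a_no = endpoint(opts, "accept")
        _, c_port, c_no = endpoint(opts, "connect")
        if a_no is not None and a_host not in LOOPBACK:
            findings.append((a_no, "accept-exposed",
                             f"[{name}] plaintext side is not bound to loopback"))
        if c_no is None:
            continue
        has_protocol = "protocol" in opts
        if has_protocol and c_port in IMPLICIT_TLS_PORTS:
            findings.append((c_no, "protocol-mismatch",
                             f"[{name}] 'protocol' set on an SSL-from-connect port"))
        if not has_protocol and c_port in STARTTLS_PORTS:
            findings.append((c_no, "protocol-missing",
                             f"[{name}] STARTTLS-style port without 'protocol'"))
        if not (VERIFY_OPTS & (opts.keys() | glob.keys())):
            findings.append((c_no, "no-cert-check",
                             f"[{name}] no verify option: server certificate unchecked"))
    return sorted(findings)


if __name__ == "__main__":
    for no, code, msg in lint(SAMPLE_CONF):
        print(f"line {no}: {code}: {msg}")
```

The `no-cert-check` finding reflects stunnel's default of not verifying the peer certificate unless a verify option (with a CA file) is configured.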
Title: How to handle the secure connection with a SPAM filter and avast!
Post by: ling2 on February 23, 2005, 05:51:41 AM
I think that on the update to avast!4.6 we need to revise yildi's FAQ on how to handle the secure connection with a SPAM filtering application and avast!'s email protection (http://forum.avast.com/index.php?topic=8775.msg88173#msg88173). I'll draft the revised FAQ here. This FAQ sure is based on yildi's FAQ (http://forum.avast.com/index.php?topic=8775.msg88173#msg88173). I'll just add some new information to his and reorganize it. Thank you for providing useful information, yildi!

How to handle the SSL or TLS connection with a SPAM filter and avast!
This FAQ will be useful for those who want to use the email client, the SPAM filter, avast!, and Stunnel in this order for the secure connection.

For Windows NT, 2000, XP, and 2003 users

A. Installing and preparing Stunnel
Download OpenSSL for Windows from http://www.slproweb.com/products/Win32OpenSSL.html and install it.

Download Stunnel for Windows from http://www.stunnel.org/download/binaries.html. You need to download Stunnel that can work with the version of OpenSSL you've just installed.

Stunnel you've downloaded is not an installer but the Stunnel application itself, and you can place it in any specific folder (e.g. in C:\stunnel).

In the folder where you have copied Stunnel, you will create its configuration file. Launch Notepad and type the following (adapt it if necessary) in the blank document:
Code:
; have Stunnel work as a client (not as a server)
client=yes

; POP3 service, listens on localhost:11110
[gmail-pop3s]
accept=127.0.0.1:11110
connect=pop.gmail.com:995
; or your secure POP server's name and port

; SMTP service, listens on localhost:11025
[gmail-smtps]
protocol=smtp
accept=localhost:11025
connect=smtp.gmail.com:587
; or your secure SMTP server's name and port

If you use the TLS connection, you need to define the protocol that is used in the connection. If you use the SSL connection, you shouldn't. For example, Gmail uses the SSL connection on the POP server. Therefore you shouldn't add "protocol=pop3" in the configuration file like in the code above. On the other hand, Gmail uses the TLS connection on the SMTP server. Therefore you need to add "protocol=smtp" like in the code above.
Warning to IMAP account holders: Whatever kind of secure IMAP account you have, you don't have to define the protocol. Although you can use the IMAP connection with Stunnel, "imap4" or "imap" as a value of "protocol" isn't defined in Stunnel. I guess it doesn't need to be defined.

Save this file under the name of stunnel.conf in the same folder as you've copied Stunnel in.

Open Command Prompt. (To do that, from the Start menu go to "Run", and type cmd on Windows NT, 2000, XP, and 2003, or command on Windows 9x or Me.) In Command Prompt switch to the folder where Stunnel has been placed. (To do that, type cd c:\stunnel and hit Enter if you've placed Stunnel in C:\stunnel.) In Command Prompt type stunnelfilename.exe -install and hit Enter. ("Stunnelfilename.exe" will be something like stunnel-4.07.exe, which is the file name of Stunnel you have on your hard drive. It depends on the version of Stunnel you've downloaded. 4.07 is the most recent stable version currently.) By doing that, you can launch Stunnel as a Windows service. Hence, Stunnel will start up whenever you start Windows, and you will be able to stop or manage it using the standard Windows console for services.

Now you will observe a new icon (something like a network folder) in the task bar and if you double-click on the icon, you will be able to open the log window (nothing very interesting will be visible for now). If you have made an error in the configuration file, stunnel will refuse to be launched. In this case check the syntax (comparing yours with the code above) and the port numbers of your remote mail servers.

B. Setting the mail client
I will assume that you have two kinds of POP accounts, one normal account (toto@myserver.com) and one secure account (toto2@gmail.com).
I will also assume that your SPAM filter uses the port 120 (like Spamihilator). If not, adapt the following instructions.
Warning to Gmail users: For a Gmail username in the mail client settings, you should set something like toto2@gmail.com, not like "toto2". (It can also work, though.) Although I'll use "toto2" for a Gmail username in the following instructions because I don't want those who use other services to get confused, Gmail Help says "@gmail.com" should be included in a Gmail username.

Configure the normal POP account like this:

Configure the secure POP account like this:

Configure the secure SMTP access like this:

The setting for the normal SMTP access is... normal.

C. Setting avast!
Please make sure you use avast!4.6 or later. (To do that, right-click on the avast! tray icon, the ball-shaped icon with "a" on it, and select "About avast!..." then you can see what version you use.) If you don't use avast!4.6 or later, you need to update avast! to 4.6 or later. (To update the program, right-click on the avast! tray icon, and go to "Updating" > "Program Update". When the download and install are done, you need to restart your computer.)

Right-click on the avast! tray icon. Select "On-Access Protection Control". Choose "Internet Mail" from "Installed providers", the pane on the left side of the "avast! On-Access Scanner" window. Click on the "Customize" button on the right side of the window. Click on the "Redirect" tab. First uncheck "Ignore local communication" in the tab. Then put in "Redirected ports" both port numbers where Stunnel listens and where your remote non-secure mail server listens.

e.g. Let's assume you have one normal POP account whose POP server listens on the port 110 and whose SMTP server listens on the port 25, and one secure POP account whose POP and SMTP servers and the ports where they listen are defined in the stunnel.conf file. In "Redirected ports" you need to put 110 and 11110 for POP, and 25 and 11025 for SMTP.

These port numbers are where you want avast! to scan emails.

If this configuration doesn't work for you...  I'll write about that later here in this post.

For Windows 95, 98, and Me users

Please refer to this post (http://forum.avast.com/index.php?topic=8775.msg97240#msg97240).
Title: Re: Secure Mail Server Issues
Post by: scaa on February 23, 2005, 02:18:57 PM
Ling2 has given a very concise and organized way of configuring SSL.
I would like ALWIL to confirm the settings so that these could be done by us.
I am also using gmail but my mails are not being checked by avast 4.6 >:(
Title: Re: Secure Mail Server Issues
Post by: bob3160 on February 23, 2005, 04:43:21 PM
scaa
Unless you use Outlook (not OE), avast doesn't support SSL.
You therefore have to use Stunnel.
Title: Re: Secure Mail Server Issues
Post by: ling2 on February 23, 2005, 08:53:59 PM
Ling2 has given a very concise and organized way of configuring SSL.
Thank you for your compliment, but this has been done not by me but by many members in this forum. I just modified it and added some new information. We should thank the members that have gathered and organized the information we need to use the secure connection with avast!.
I am also using gmail but my mails are not being checked by avast 4.6 >:(
The FAQ I wrote is for those who use the email client, the SPAM filter, avast!, and Stunnel in this order for the secure connection. If you are a Windows NT, 2000, XP, or 2003 user and use Gmail with only the email client, avast!, and Stunnel, you can do the following things to configure them:

(1) Follow A. in FAQ to prepare Stunnel. You can use the code in A. for the stunnel.conf file without modifying it.

(2) Set up your Gmail account in your email client like this:
POP access
SMTP access
The servers are where Stunnel is, and the ports are where Stunnel listens.

(3) Right-click on the avast! tray icon. Select "On-Access Protection Control". Choose "Internet Mail" from "Installed providers", the pane on the left side of the "avast! On-Access Scanner" window. Click on the "Customize" button on the right side of the window. Click on the "Redirect" tab. First uncheck "Ignore local communication" in the tab. Then add in "Redirected ports" 11110 for POP and 11025 for SMTP. These ports are where Stunnel listens, and where avast! will scan emails you send and receive over your Gmail account.

Don't forget to turn off "Ignore local communication" in (3). In the "POP" and "SMTP" tabs make sure you've checked "Scan Inbound/Outbound mail".

If you can't have avast! scan your emails on Gmail yet, feel free to ask me a question providing some more information on yours.
Title: How to handle the SSL or TLS connection with a SPAM filter and avast! Part2
Post by: ling2 on February 23, 2005, 10:53:33 PM
How to handle the SSL or TLS connection with a SPAM filter and avast!
This FAQ will be useful for those who want to use the email client, the SPAM filter, avast!, and Stunnel in this order for the secure connection.

For Windows 95, 98, and Me users

I guess Windows 9x and Me users still need to manually set up avast!'s email protection to configure Stunnel with avast! and a SPAM filter. As I use avast!4.6 on Windows XP and 4.6 doesn't allow me to manually set it up any longer, I can't make sure the following configuration works fine. As this is what I did with avast!4.5, however, I think it will work fine for those who need to manually set up the email protection.

A. Installing and preparing Stunnel
Refer to "A. Installing and preparing Stunnel" for Windows NT, 2000, XP, and 2003 users (http://forum.avast.com/index.php?topic=8775.msg97026#msg97026).

B. Setting the mail client
I will assume that you have two kinds of POP accounts, one normal account (toto@myserver.com) and one secure account (toto2@gmail.com).
I will also assume that your SPAM filter uses the port 120 (like Spamihilator). If not, adapt the following instructions.
Warning to Gmail users: For a Gmail username in the mail client settings, you should set something like toto2@gmail.com, not like "toto2". (It can also work, though.) Although I'll use "toto2" for a Gmail username in the following instructions because I don't want those who use other services to get confused, Gmail Help says "@gmail.com" should be included in a Gmail username.

Configure the normal POP account like this:

Configure the normal SMTP access like this:

Configure the secure POP account like this:

Configure the secure SMTP access like this:

C. Setting avast!
As you probably know, the avast4.ini file sits in the DATA folder in the folder where avast! has been installed. It is C:\Programs\Alwil Software\Avast4\DATA by default. If you can't find it, use "Search" to look for avast4.ini.

Open it in Notepad and locate the item named [MailScanner]. Under [MailScanner] you need to add the following values:
Code:
PopListen=127.0.0.1:110
SmtpListen=127.0.0.1:25
PopRedirectPort=110
SmtpRedirectPort=25
AutoRedirect=1
IgnoreLocalhost=0

Leave intact the other values except those above under [MailScanner] in the avast4.ini file. It seems that when you manually set up avast!'s email protection, you should set as the redirected ports (Pop/SmtpRedirectPort) only the port numbers where avast! listens. If you have a problem with this setting, you should delete the line "IgnoreLocalhost=0" because in your email client settings you tell avast! where avast! has to scan, which is the localhost (127.0.0.1).


For Windows NT, 2000, XP, and 2003 users

Please refer to this post (http://forum.avast.com/index.php?topic=8775.msg97026#msg97026).
Title: Re: Secure Mail Server Issues
Post by: scaa on February 24, 2005, 08:40:52 AM
Even if the mail under SSL is not checked, is it possible that standard shield will check the same when the mail or the attachments in gmail are opened in the computer? ::)
Title: Re: Secure Mail Server Issues
Post by: ling2 on February 24, 2005, 06:56:45 PM
Even if the mail under SSL is not checked, is it possible that standard shield will check the same when the mail or the attachments in gmail are opened in the computer? ::)

Sure Standard Shield will. You should set the sensitivity of Standard Shield at "High".

As Gmail bounces an incoming mail with an executable file as an attachment on it, it's a bit safer than other email services that way.
Title: Re: Secure Mail Server Issues
Post by: GL44 on April 18, 2005, 05:20:44 PM
Using Avast with stunnel but without a spam filter:

I have had success with Thunderbird  1.0.2 and stunnel.
I don't need a spam filter since the ISP does that job for me (and quite well).

It was a bit confusing in previous posts to see the references to Gmail and setting it up to use a spam filter so I thought I would post a more generic setup where no spam filter was needed and a more generic ISP was used.

Here is what works for me:

stunnel.conf looks like this (needless to say you must replace ISPname with the actual name of your ISP):
# stunnel client for ISPname
client=yes

# POP3 service, listens on localhost:11110
[ISPname-pop3s]
accept=localhost:11110
connect=mail.ISPname.com:995

#SMTP
[ISPname-smtps]
protocol=smtp
accept=localhost:11025
connect=mail.ISPname.com:587

I think the above ports (995 and 587) are quite standard values for a lot of ISPs.

In Thunderbird, you go to Server Settings and fill in the setting for your account as follows:

POP server settings:
ServerName is 127.0.0.1
Port is 11110
User name is in the following format: username@mail.ISPname.com

Please note that when Avast is being used by itself (without SSL), the  format for username is username#mail.ISPname.com which is something I forgot to change when I was implementing SSL. So don't forget to change # to @ when you do this.

smtp settings:
ServerName is 127.0.0.1
Port is 11025
Put a check mark for "User name and password:"
In the user name field ONLY put your user name. Do not put the domain. At least this is what I had to do to get outgoing messages to work for my ISP. When you were using the regular non-SSL mail with Avast, you didn't need to supply this user name but now that we are using stunnel you must supply it.

I am using Avast 4.6. If you try to make changes to the avast.ini file as has been noted in previous posts, your changes will be futile because they will be lost when you reboot. Avast will rewrite the ini file on system restart. Note - this was my fault, I did not notice those instructions were for the 4.5 version. So if you have Avast 4.6 don't even think about editing the avast.ini file. The way you must do it is right-click on the avast systray icon, select On-access Protection control, select Internet Mail, select Customize, click on Redirect tab and change redirected ports so that POP is 11110 and smtp is 11025. Click OK.

That is it. Thunderbird will ask for your email password because you have changed settings but after that it is perfect. You can then click on the stunnel icon and see that the communication is happening on secure channels which is very comforting :).

I think ISPs are encouraging people to use secure mail, so I have changed all my accounts accordingly.
Title: Re: Secure Mail Server Issues
Post by: ling2 on April 18, 2005, 08:04:32 PM
I am using Avast 4.6. If you try to make changes to the avast.ini file as has been noted in previous posts, your changes will be futile because they will be lost when you reboot. Avast will rewrite the ini file on system restart. Note - this was my fault, I did not notice those instructions were for the 4.5 version. So if you have Avast 4.6 don't even think about editing the avast.ini file. The way you must do it is right-click on the avast systray icon, select On-access Protection control, select Internet Mail, select Customize, click on Redirect tab and change redirected ports so that POP is 11110 and smtp is 11025. Click OK.

Both instructions for Windows NT, 2000, XP, and 2003 users (http://forum.avast.com/index.php?topic=8775.msg97026#msg97026) and ones for Windows 95, 98, and Me users (http://forum.avast.com/index.php?topic=8775.msg97240#msg97240) are aimed at avast! 4.6 users.

As it is said in the Redirect tab that the Redirect tab is not available for Windows 95, 98, and Me users, I guess, they still need to modify the avast.ini file manually. Windows NT, 2000, XP, and 2003 users must use the Redirect tab to add any change to the avast.ini file as I wrote in the previous post (http://forum.avast.com/index.php?topic=8775.msg97026#msg97026).

Then, if you're a Windows NT, 2000, XP, or 2003 user and don't use a spam filter such as Spamihilator, you should follow GL44's post just above this one.
Title: Re: Secure Mail Server Issues
Post by: troubleshooting on July 19, 2005, 06:30:21 PM
Did anyone successfully scan the mails of gmail through avast 4.6V in outlook express 6.0V?
Title: Re: Secure Mail Server Issues
Post by: DavidR on July 19, 2005, 08:41:00 PM
Yes they have, but not without using third party software. Do a forum search for gmail and stunnel, this has been discussed many times before.
Title: Re: Secure Mail Server Issues
Post by: sded on July 19, 2005, 09:28:37 PM
For detailed instructions with gmail, see http://forum.avast.com/index.php?topic=14854.msg125401#msg125401