Author Topic: Unable To Access eMail With MailShield Enabled  (Read 11895 times)

0 Members and 1 Guest are viewing this topic.

Fenikkusu

  • Guest
Unable To Access eMail With MailShield Enabled
« on: March 01, 2013, 03:39:36 AM »
I'm up-to-date.  However, I'm still unable to connect to my email with the MailShield enabled. I'm running 3 accounts in Thunderbird. 2 non-standard and 1 GMail account. Prior to the SSL updates, my 2 non-standards worked but my Gmail did not. My error logs show the following line:

com.avast.proxy[6532]: SSL_accept(): sslv3 alert bad certificate

It should be noted that the 2 non-standard while both valid certificates, do not map to the domain for which they are actually registered (Nothing I can do about this).

daz clarke

  • Guest
Re: Unable To Access eMail With MailShield Enabled
« Reply #1 on: March 01, 2013, 07:16:13 PM »
i just had the same problem, try disabling the ipv6 support in avast preferences, worked for me. i also had to disable it in the web shield as it made my internet connection unbearably slow.

shadowshu

  • Guest
Re: Unable To Access eMail With MailShield Enabled
« Reply #2 on: March 06, 2013, 01:28:47 AM »
Same thing here ~6-7 email accounts spread all over comcast, gmail, host company, work account via exchange and as soon as I turned on mail shield all of them couldnt connect.  I unchecked IPv6 and so far its working (all accounts connecting and seeing # of items scanned for mail), thanks for the tip.

EDIT - didnt have to disable IPv6 anywhere but the mail shield settings for it to work for me.

Fenikkusu

  • Guest
Re: Unable To Access eMail With MailShield Enabled
« Reply #3 on: March 07, 2013, 03:57:23 AM »
Disabling IPv6 has no affect.

Offline specimen9999

  • Sr. Member
  • ****
  • Posts: 349
Re: Unable To Access eMail With MailShield Enabled
« Reply #4 on: March 07, 2013, 02:39:30 PM »
In your case you'll have to add the avast! untrusted certificate to thunberbird's certs.

This happens because even thou the self-signed certs are in the corresponding keychain (or the equivalent in thunderbird) and marked as trusted avast! doesn't resign using the avast! Trusted Cert and uses the Untrusted. I tried to bring attention to this issue during the Beta but it was ignored, so hey, I did my part *shrug*.
« Last Edit: March 07, 2013, 04:21:12 PM by specimen9999 »

Offline tumic

  • Moderator
  • Advanced Poster
  • *
  • Posts: 724
Re: Unable To Access eMail With MailShield Enabled
« Reply #5 on: March 07, 2013, 05:18:39 PM »
This happens because even thou the self-signed certs are in the corresponding keychain (or the equivalent in thunderbird) and marked as trusted avast! doesn't resign using the avast! Trusted Cert and uses the Untrusted. I tried to bring attention to this issue during the Beta but it was ignored, so hey, I did my part *shrug*.

If the (self signed) certificate is in one of the "System" or "System Roots" keychains, where the proxy takes its own certificates from, then it works fine = the certificate is resigned with the "avast! trusted CA" certificate. So to connect to a server that is using a self signed certificate with mail shield enabled (and SSL scanning turned on), you have to import the servers certificate to the "System" keychain.

Offline specimen9999

  • Sr. Member
  • ****
  • Posts: 349
Re: Unable To Access eMail With MailShield Enabled
« Reply #6 on: March 07, 2013, 06:09:51 PM »
This happens because even thou the self-signed certs are in the corresponding keychain (or the equivalent in thunderbird) and marked as trusted avast! doesn't resign using the avast! Trusted Cert and uses the Untrusted. I tried to bring attention to this issue during the Beta but it was ignored, so hey, I did my part *shrug*.

If the (self signed) certificate is in one of the "System" or "System Roots" keychains, where the proxy takes its own certificates from, then it works fine = the certificate is resigned with the "avast! trusted CA" certificate. So to connect to a server that is using a self signed certificate with mail shield enabled (and SSL scanning turned on), you have to import the servers certificate to the "System" keychain.

That's exactly my case but avast keeps signing it with avast! untrusted, I suspect the nuance here is the fact that like the thread starter, my self-signed cert does not map to the domain it's registered to (it redirects, it's basically a virtual server with multiple mail domains and the certs all map to the server's domain and not the virtual domains).

This setup works without mailshield enabled because I imported the self-signed cert into the system keychain, but with mailshield on it asks me to trust avast! untrusted.
« Last Edit: March 07, 2013, 06:12:50 PM by specimen9999 »

Offline specimen9999

  • Sr. Member
  • ****
  • Posts: 349
Re: Unable To Access eMail With MailShield Enabled
« Reply #7 on: March 08, 2013, 01:42:01 PM »
At least you could say you can't reproduce it, but THERE IS a problem with self-signed certs.

shadowshu

  • Guest
Re: Unable To Access eMail With MailShield Enabled
« Reply #8 on: March 09, 2013, 12:43:50 AM »
IPv6 unchecked worked for a day now back to issues with it.  Any chance of a real fix from Avast without having to deal with untrusted/trusted certs being discussed above?  Or provide step by step instructions to manage the certs for Avast to play nice with my mail accounts?

Offline tumic

  • Moderator
  • Advanced Poster
  • *
  • Posts: 724
Re: Unable To Access eMail With MailShield Enabled
« Reply #9 on: March 11, 2013, 12:38:31 PM »

That's exactly my case but avast keeps signing it with avast! untrusted, I suspect the nuance here is the fact that like the thread starter, my self-signed cert does not map to the domain it's registered to (it redirects, it's basically a virtual server with multiple mail domains and the certs all map to the server's domain and not the virtual domains).

This setup works without mailshield enabled because I imported the self-signed cert into the system keychain, but with mailshield on it asks me to trust avast! untrusted.

The invalid common name (CN) can not be an issue for the proxy - it does not check the CN, this is done by the mail client (the proxy does not know the demanded domain). So if the certificate chain is OK, then the server certificate will be resigned with the "trusted CA" regardless of the CN value. It is than the mail client's job to decide, whether the CN matches or not.

I assume your problem is in fact caused by a missing root certificate. That means your mail server in fact does not send an self-signed certificate, but a certificate signed by a "self generated" CA. In this case, you have to import the "self generated" CA's certificate to the system keychain, not the server certificate itself.

I can check this, if you give me the mail server address and the server is accessible on the internet (no login needed).

Offline specimen9999

  • Sr. Member
  • ****
  • Posts: 349
Re: Unable To Access eMail With MailShield Enabled
« Reply #10 on: March 11, 2013, 02:22:51 PM »
That makes sense tumic, that's probably it!

I'll send you the info via PM.
« Last Edit: March 11, 2013, 02:28:07 PM by specimen9999 »

Offline tumic

  • Moderator
  • Advanced Poster
  • *
  • Posts: 724
Re: Unable To Access eMail With MailShield Enabled
« Reply #11 on: March 11, 2013, 02:52:33 PM »
That makes sense tumic, that's probably it!

I'll send you the info via PM.

Unfortunately, the server you have send me using the PM, has really a self-signed certificate, so this is not the case. However, when I add its certificate to the 'System' keychain (and restart the proxy - this is required for the proxy to re-read the certificates), it works fine for me, i get it resigned using the 'trusted CA' when connecting with mailshield enabled.

orangepick

  • Guest
Re: Unable To Access eMail With MailShield Enabled
« Reply #12 on: March 11, 2013, 03:56:18 PM »
I am using thunderbird (current version) and Mountain Lion (current version), Avast (current version). I have a pop account using SSL/TLS and 3 gmail accounts using IMAP, no mail comes in until I disable MailShield, I don't get any errors just no mail. Once I disable MailShield I get all my mail, this has only been an issue since the last Avast update. I see comments about the certs, is there a link to a step by step of how to fix this? Thanks in advance for any assistance.

Offline tumic

  • Moderator
  • Advanced Poster
  • *
  • Posts: 724
Re: Unable To Access eMail With MailShield Enabled
« Reply #13 on: March 12, 2013, 12:37:07 PM »
I am using thunderbird (current version) and Mountain Lion (current version), Avast (current version). I have a pop account using SSL/TLS and 3 gmail accounts using IMAP, no mail comes in until I disable MailShield, I don't get any errors just no mail. Once I disable MailShield I get all my mail, this has only been an issue since the last Avast update. I see comments about the certs, is there a link to a step by step of how to fix this? Thanks in advance for any assistance.

  • Chceck if you have the "avast! trusted CA" certificate installed in Thunderbird and that it matches the certificate in the "System Roots" keychain. If it is missing or not matching, export the certificate from the keychain and import it into Thunderbird
  • Look into the system log file (/var/log/system.log) for com.avast.proxy messages, they will give you most likely the info what's going on.

orangepick

  • Guest
Re: Unable To Access eMail With MailShield Enabled
« Reply #14 on: March 15, 2013, 09:17:23 PM »
tumic,

Avast build 38501 just downloaded, I turned mailshield back on (without messing with the certs) and my mail seems to be coming in just fine now using SSL on pop3 and gmail (IMap). This build seems to have fixed the problem on OSX 10.8.2