Author Topic: Secure Mail Server Issues  (Read 80128 times)

shatadal

  • Guest
Re:Secure Mail Server Issues
« Reply #15 on: November 25, 2004, 10:20:48 AM »
Maybe this post is off-topic but since we have been discussing stunnel in this thread I have a question regarding its use.

So one of my accounts allows me to establish both SSL and non SSL connections over port 25 of the smtp server. I can use the non SSL connection to send the mail and avast scans the outgoing e-mail.

If I now want to send over the SSL connection using stunnel the operation just times out or gives an error saying that the SMTP connection has been refused.

Now when I disable the avast mail scanner and try to connect to my smtp server over port 25 via SSL I get a certificate in the client asking me to either reject it or accept it temporarily for the current session or accept permanently. Once I accept it I am able to send e-mails via SSL over port 25 of the smtp server. However I am not very keen on disabling the mail scanner.

It therefore seems that the time out error or the server's refusal to accept SMTP connections is because stunnel ignores the certificate.

Could t_r_davies or somebody else teach me how to accept certificates into stunnel?

I am using:
Thunderbird 0.9
Win XP
stunnel 4.05
Avast 4.5

gwheaton

  • Guest
Re:Secure Mail Server Issues
« Reply #16 on: November 26, 2004, 05:23:32 AM »
t_r_davies,

Thanks for the info.  I have a gmail.com account and it requires SSL.  One problem I am having is when sending email.  (I can receive gmail.com email and avast is scanning and inserting the clean tag without a problem)

my stunnel.conf file is:

# We're running as a client to SSLify the gmail mail connection
client=yes

# POP3 service, listens on localhost:110
[gmail-pop3s]
accept=localhost:10110
connect=pop.gmail.com:995

# SMTP service, listens on localhost:25
[gmail-smtps]
accept=localhost:1025
connect=smtp.gmail.com:587

My avast4.ini:

[MailScanner]
IgnoreLocalhost=0
PopRedirectPort=110,1110,1120,10110
SmtpRedirectPort=25,215,225,1025
ShowTrayIcon=1


When I try to send, I get an error in Thunderbird that "connecting to SMTP server localhost failed"

The stunnel log file shows:
2004.11.25 23:21:20 LOG3[1960:4012]: SSL_connect: 1408F10B: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number

Any ideas?

Thanks,

Gordon

pekka

  • Guest
Re:Secure Mail Server Issues
« Reply #17 on: November 26, 2004, 12:31:15 PM »
Try:

# SMTP service, listens on localhost:25
[gmail-smtps]
accept=localhost:1025
connect=smtp.gmail.com:587
protocol=smtp

t_r_davies

  • Guest
Re:Secure Mail Server Issues
« Reply #18 on: November 26, 2004, 04:03:42 PM »
> So one of my accounts allows me to establish both SSL and non SSL connections over port 25 of the smtp server. I can use the non SSL connection to send the mail and avast scans the outgoing e-mail.
>
> If I now want to send over the SSL connection using stunnel the operation just times out or gives an error saying that the SMTP connection has been refused.

Hi shatadal.

As far as I can see, stunnel can't help you in this situation.  It appears your mailserver is using STARTTLS to secure the connection, not normal SSL.  STARTTLS is an extended SMTP command issued by the client to start a secure TLS (the successor to SSLv3) channel using the existing connection.  By doing this, mail servers only need listen on one port (25) and be able to handle both secure and unsecure connections, instead of listening on port 25 for unsecure and port 465 for secure connections.  This is now the IETF-recommended (I think) method of securing connections, and the same technique can be used for HTTP connections (possibly POP3 and IMAP as well, I'm not entirely sure).  See RFC2487: http://www.ietf.org/rfc/rfc2487.txt.

:)
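
Added example (not part of the thread, and not stunnel's own code): the "wrong version number" error in Reply #16 and the STARTTLS explanation in Reply #18 describe the same situation, a TLS client reading a plaintext SMTP banner as if it were a TLS record. The sketch below classifies the first bytes a server returns and emits the matching stunnel section; the function names, the host mx.example.test and all sample bytes are assumptions constructed for illustration.

```python
# Added example, not code from the thread. All sample bytes/strings are constructed.

def record_header(data):
    """Read the first 3 bytes as a TLS record header: (type, major, minor)."""
    return data[0], data[1], data[2]

def classify_first_bytes(data):
    """Classify the first bytes a TLS client reads back from the server."""
    if len(data) >= 3:
        ctype, major, _ = record_header(data)
        if ctype in (0x14, 0x15, 0x16, 0x17) and major == 0x03:
            return "tls-record"      # implicit SSL/TLS port (e.g. 465, 995)
    if data[:3].isdigit() and data[3:4] in (b" ", b"-"):
        return "smtp-banner"         # plaintext SMTP; TLS only via STARTTLS
    return "unknown"

def ehlo_extensions(response):
    """Extension keywords from a multi-line EHLO reply (first line is the greeting)."""
    exts = set()
    for line in response.splitlines()[1:]:
        words = line[4:].split()
        if line.startswith("250") and words:
            exts.add(words[0].upper())
    return exts

def stunnel_section(name, accept, connect, first_bytes, ehlo=""):
    """Build a client-mode stunnel service section matching what the server speaks."""
    lines = ["[%s]" % name, "accept=" + accept, "connect=" + connect]
    kind = classify_first_bytes(first_bytes)
    if kind == "smtp-banner":
        if "STARTTLS" not in ehlo_extensions(ehlo):
            raise ValueError("plaintext SMTP without STARTTLS: no TLS available")
        lines.append("protocol=smtp")  # stunnel issues STARTTLS before the handshake
    elif kind != "tls-record":
        raise ValueError("unrecognised first bytes: %r" % first_bytes[:8])
    return "\n".join(lines)

# Constructed samples: a plaintext banner, an EHLO reply, and a TLS handshake record.
BANNER = b"220 mx.example.test ESMTP ready\r\n"
EHLO = "250-mx.example.test\r\n250-SIZE 35882577\r\n250-STARTTLS\r\n250 8BITMIME\r\n"
TLS_REPLY = bytes([0x16, 0x03, 0x01, 0x00, 0x4A])

if __name__ == "__main__":
    # '2','2','0' parsed as a record header gives version 0x32.0x30, not 3.x
    print("banner as TLS header:", [hex(b) for b in record_header(BANNER)])
    print(stunnel_section("gmail-smtps", "localhost:1025", "smtp.gmail.com:587", BANNER, EHLO))
```

The ValueError on a missing STARTTLS keyword is deliberate: the alternative would be relaying the session, including credentials, in plaintext.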

gwheaton

  • Guest
Re:Secure Mail Server Issues
« Reply #19 on: November 26, 2004, 04:24:36 PM »
Thanks, but get the same error that it can not connect to localhost:

Error from thunderbird:

"Sending of message failed.
An error occurred sending mail: Unable to connect to SMTP server localhost.  The server may be down or may be incorrectly configured.  Please verify that your Mail/News account settings are correct and try again."

stunnel Log:

2004.11.26 10:25:30 LOG5[2412:3940]: stunnel 4.05 on x86-pc-mingw32-gnu WIN32 with OpenSSL 0.9.7e 25 Oct 2004
2004.11.26 10:25:30 LOG5[2412:2380]: WIN32 platform: 30000 clients allowed
2004.11.26 10:25:43 LOG5[2412:320]: gmail-smtps connected from 127.0.0.1:2009
2004.11.26 10:25:43 LOG5[2412:320]: Negotiations for smtp (client side) started
2004.11.26 10:25:44 LOG5[2412:320]: Protocol negotiation succeded
2004.11.26 10:25:48 LOG5[2412:320]: Connection closed: 18 bytes sent to SSL, 116 bytes sent to socket

Any Ideas?

Gordon


> Try:
>
> # SMTP service, listens on localhost:25
> [gmail-smtps]
> accept=localhost:1025
> connect=smtp.gmail.com:587
> protocol=smtp


t_r_davies

  • Guest
Re:Secure Mail Server Issues
« Reply #20 on: November 26, 2004, 06:30:50 PM »
Hi gwheaton,

Can't help you just now, sorry, I'm just going to catch the train for the weekend away, but I'll be back on Sunday afternoon sometime.  Should be able to help you out further then.  From a quick look at the symptoms, it looks like there's something going wrong during the SSL protocol negotiation.  I'll chew it over and see if I can come up with a solution for you for Sunday :)

gwheaton

  • Guest
Re:Secure Mail Server Issues
« Reply #21 on: November 27, 2004, 03:45:40 AM »
Thanks   t_r_davies

If you have any ideas, that would be great.  For now I turned off using stunnel for SMTP and am just using it to get email from the pop3 server.  At least avast is scanning incoming email from gmail.com now and that is what I really wanted.  

If I can get SMTP working GREAT, if not, that's fine.

Thanks again,

Gordon

shatadal

  • Guest
Re:Secure Mail Server Issues
« Reply #22 on: November 28, 2004, 11:35:25 PM »
> > So one of my accounts allows me to establish both SSL and non SSL connections over port 25 of the smtp server. I can use the non SSL connection to send the mail and avast scans the outgoing e-mail.
> >
> > If I now want to send over the SSL connection using stunnel the operation just times out or gives an error saying that the SMTP connection has been refused.
>
> Hi shatadal.
>
> As far as I can see, stunnel can't help you in this situation.  It appears your mailserver is using STARTTLS to secure the connection, not normal SSL.

I think you are right that stunnel has nothing to do with it. Instead I think avast has something to do with it. While avast and stunnel work perfectly for another SSL protected e-mail account, the account I am having problems with is a TLS protected account. When I terminate the Avast internet mail subsystem then stunnel works perfectly (well almost, there is some problem regarding copying the message to the sent items folder), forwarding the message to my server over TLS. But if the subsystem is running or paused my mail client just times out.

I am using avast 4.5.523. Supposedly 4.5.536 takes care of SSL connections but I am waiting for a stable release before installing it.

shatadal

  • Guest
Re:Secure Mail Server Issues
« Reply #23 on: November 30, 2004, 12:41:50 AM »

<snip>

> I am using avast 4.5.523. Supposedly 4.5.536 takes care of SSL connections but I am waiting for a stable release before installing it.

Well 4.5.542 doesn't take care of the problem.

Offline Eddy

  • Avast Evangelist
Re:Secure Mail Server Issues
« Reply #24 on: November 30, 2004, 02:51:22 AM »
It is starting to sound that you haven't set up the mail correctly (no offense). Please use the search option on this board. keyword=ssl

Let us know if you were able to solve it with the info you found or not.

shatadal

  • Guest
Re:Secure Mail Server Issues
« Reply #25 on: December 01, 2004, 02:08:39 AM »
> It is starting to sound that you haven't set up the mail correctly (no offense). Please use the search option on this board. keyword=ssl
>
> Let us know if you were able to solve it with the info you found or not.

No offense taken but I am sure it is a problem with Avast. When I switch off the mail scanner module my mail client can make the TLS connection perfectly.

Avast doesn't cause any problems with my other SSL enabled mails when I route them through stunnel but I think it cannot handle TLS connections gracefully.

t_r_davies said he was going to write more on this issue when he comes back so I am waiting for his advice.

RLGyde

  • Guest
Re:Secure Mail Server Issues
« Reply #26 on: December 03, 2004, 09:07:46 PM »
> No offense taken but I am sure it is a problem with Avast. When I switch off the mail scanner module my mail client can make the TLS connection perfectly.

I have the same problem as shatadal. Actually I did also try to turn off outbound virus scan, but that did not help. I have to turn off Internet mail scan.

Avast ends up with Connection timeout..

On server side "SSL_accept:error in SSLv2/v3 read client hello A" is the last log entry before 'lockdown'

If I terminate Internet Mail scan while trying to send, next log msg is: warning: Read failed in network_biopair_interop with errno=104: num_read=-1, want_read=11

I hope this info can help you to fix the problems.
-tnx

Offline Lisandro

  • Avast team
Re:Secure Mail Server Issues
« Reply #27 on: December 04, 2004, 12:21:28 PM »
I've posted before in this same thread...
I think avast cannot handle SSL connections  :'(
There isn't support for secure connections.

Thom

  • Guest
Re:Secure Mail Server Issues
« Reply #28 on: December 04, 2004, 01:04:26 PM »
Judging by the traffic regarding SSL and newer Avast versions (at least the free, home version), I'm not the only one having problems accessing my mail.  (XP home, SP2, Eudora, Avast 4.5 Home, comcast.net connection)

However, I think I may have found a solution at http://micro.uoregon.edu/security/email/eudora.html.  My inbound and outbound mail is working with comcast.net (finally!).

But, with all the conversation about disabling Avast's email protection, I don't know now if after applying the seemingly simple changes above I'm still protected?

Am I?

Offline bob3160

  • Avast Überevangelist
Re:Secure Mail Server Issues
« Reply #29 on: December 04, 2004, 01:18:32 PM »
Thom
Just check your e-mail headers; that will tell you.