  1. #1
    Untangle Ninja
    Join Date
    Jan 2009
    Posts
    1,186

    Default tls / ssl connections broken, had to bypass port 25

    Edit: since the upgrade to v12, connections from gmail and hotmail servers started breaking.

    from the linux mail server logs...

    Code:
    Apr 19 11:25:19 server9b transfer/smtpd[22672]: SSL_accept error from snt004-omc1s21.hotmail.com[65.55.90.32]: lost connection
    Apr 19 11:25:19 server9b transfer/smtpd[22672]: lost connection after STARTTLS from snt004-omc1s21.hotmail.com[65.55.90.32]
    Apr 19 11:25:19 server9b transfer/smtpd[22672]: disconnect from snt004-omc1s21.hotmail.com[65.55.90.32]
    Code:
    Apr 19 11:24:14 server9b transfer/smtpd[23164]: connect from mail-pa0-f43.google.com[209.85.220.43]
    Apr 19 11:24:14 server9b transfer/smtpd[23164]: SSL_accept error from mail-pa0-f43.google.com[209.85.220.43]: lost connection
    Apr 19 11:24:14 server9b transfer/smtpd[23164]: lost connection after STARTTLS from mail-pa0-f43.google.com[209.85.220.43]
    Apr 19 11:24:14 server9b transfer/smtpd[23164]: disconnect from mail-pa0-f43.google.com[209.85.220.43]
    Connections from other email servers are successful.

    After some finagling, I ended up at the Untangle gateway. I first unchecked Scan SMTP in Virus Blocker, no effect; I then disabled Virus Blocker, no effect; I then created a bypass rule for port 25 and the floodgates opened.

    Any ideas? I'm letting the emails flood in but I would like to have Untangle go back to scanning them at some point and need to continue troubleshooting this issue once the flood has stopped.
    Last edited by fasttech; 04-19-2016 at 02:02 PM.

  2. #2
    Untangle Junkie dmorris's Avatar
    Join Date
    Nov 2006
    Location
    San Carlos, CA
    Posts
    17,747

    Default

    Did you enable SSL scanning of SMTP in SSL Inspector?
    Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  3. #3
    Untangle Ninja
    Join Date
    Jan 2009
    Posts
    1,186

    Default

    This is a v12 upgrade; it upgraded from 11 on Sat. On v11 I only had Inspector scanning a specific few Win clients with a rule by IP; the email server is on a different subnet than those clients and was never set to scan.

    Currently, rule #1 under Inspector (it looks like a default rule, since I don't remember creating that one) to inspect port 25 SMTP is NOT selected / enabled... Under Options for Inspector configuration, the box IS checked for SMTPS traffic processing.

  4. #4
    Untangle Junkie dmorris's Avatar
    Join Date
    Nov 2006
    Location
    San Carlos, CA
    Posts
    17,747

    Default

    So it is not enabled.

    No idea, I would open a support ticket.

  5. #5
    Untangler mahotz's Avatar
    Join Date
    Jun 2010
    Posts
    36

    Default

    Try turning off the SMTPS Traffic Processing checkbox in SSL Inspector, and see if things work without the port 25 bypass rule.

  6. #6
    Untangle Ninja
    Join Date
    Jan 2009
    Posts
    1,186

    Default

    With the bypass rule I had enabled Virus Blocker again.
    Now that I'm at that office, I disabled the bypass rule and sent a test email from gmail: SSL_accept error.
    I disabled the checkbox for SMTPS scanning in Inspector and the next test email I sent was accepted.

    I guess that checkbox in config overrides the rules.

    I also went back through the mail server logs and this failure started immediately after the upgrade to v12.

    Should I still open a support ticket or can you guys dupe this there?
    Is this something you're going to address or just leave it at google and ms scan for viruses themselves so don't worry about it?
    If that is going to be your take on this then I'll just leave this here.

    Code:
    Apr 17 05:30:10 server9b transfer/smtpd[28608]: connect from ms148-139.bronto.com[69.166.148.139]
    Apr 17 05:30:10 server9b transfer/smtpd[28608]: SSL_accept error from ms148-139.bronto.com[69.166.148.139]: lost connection
    Apr 17 05:30:10 server9b transfer/smtpd[28608]: lost connection after STARTTLS from ms148-139.bronto.com[69.166.148.139]
    Apr 17 05:30:10 server9b transfer/smtpd[28608]: disconnect from ms148-139.bronto.com[69.166.148.139]
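    An added example, not code from this thread or from Untangle: a small Python parser for Postfix-style smtpd log lines like the ones quoted above. It tallies sessions versus "lost connection after STARTTLS" failures per remote host and flags the pattern seen here, where several unrelated senders all die right after STARTTLS while other sessions complete, as pointing at something in the path (the gateway's SMTPS Traffic Processing option) rather than at one peer. The sample log text is constructed from the entries quoted in this thread plus one hypothetical clean session (example-relay.test).

```python
import re
from collections import defaultdict

# Constructed sample: the smtpd lines quoted in this thread plus one hypothetical
# session (example-relay.test) that completed without a STARTTLS failure.
SAMPLE_LOG = """\
Apr 19 11:24:14 server9b transfer/smtpd[23164]: connect from mail-pa0-f43.google.com[209.85.220.43]
Apr 19 11:24:14 server9b transfer/smtpd[23164]: SSL_accept error from mail-pa0-f43.google.com[209.85.220.43]: lost connection
Apr 19 11:24:14 server9b transfer/smtpd[23164]: lost connection after STARTTLS from mail-pa0-f43.google.com[209.85.220.43]
Apr 19 11:24:14 server9b transfer/smtpd[23164]: disconnect from mail-pa0-f43.google.com[209.85.220.43]
Apr 19 11:25:19 server9b transfer/smtpd[22672]: connect from snt004-omc1s21.hotmail.com[65.55.90.32]
Apr 19 11:25:19 server9b transfer/smtpd[22672]: SSL_accept error from snt004-omc1s21.hotmail.com[65.55.90.32]: lost connection
Apr 19 11:25:19 server9b transfer/smtpd[22672]: lost connection after STARTTLS from snt004-omc1s21.hotmail.com[65.55.90.32]
Apr 19 11:25:19 server9b transfer/smtpd[22672]: disconnect from snt004-omc1s21.hotmail.com[65.55.90.32]
Apr 19 11:26:02 server9b transfer/smtpd[23201]: connect from example-relay.test[192.0.2.10]
Apr 19 11:26:03 server9b transfer/smtpd[23201]: disconnect from example-relay.test[192.0.2.10]
"""

# Postfix-style smtpd lines: "connect from host[ip]" opens a session and
# "lost connection after STARTTLS from host[ip]" marks a TLS handshake that died.
CONNECT = re.compile(r"smtpd\[\d+\]: connect from ([^\[\s]+)\[")
STARTTLS_FAIL = re.compile(r"smtpd\[\d+\]: lost connection after STARTTLS from ([^\[\s]+)\[")


def starttls_failure_report(log_text):
    """Tally sessions and post-STARTTLS failures per remote host."""
    report = defaultdict(lambda: {"sessions": 0, "starttls_failures": 0})
    for line in log_text.splitlines():
        m = CONNECT.search(line)
        if m:
            report[m.group(1)]["sessions"] += 1
            continue
        m = STARTTLS_FAIL.search(line)
        if m:
            report[m.group(1)]["starttls_failures"] += 1
    return dict(report)


def inline_inspection_suspected(report, min_hosts=2):
    """Heuristic: at least `min_hosts` unrelated senders fail on every session right
    after STARTTLS while some sessions still complete. One failing peer points at that
    peer; many failing peers alongside healthy sessions point at something in the path
    (in this thread, the gateway's SMTPS Traffic Processing option)."""
    always_fail = [h for h, c in report.items()
                   if c["starttls_failures"] and c["starttls_failures"] >= c["sessions"]]
    healthy = [h for h, c in report.items() if c["starttls_failures"] == 0]
    return len(always_fail) >= min_hosts and bool(healthy)
```

    Feed it the real mail log instead of SAMPLE_LOG (for example `starttls_failure_report(open("/var/log/mail.log").read())`) to see which senders are dying after STARTTLS and whether the pattern is broad enough to blame the gateway rather than a peer.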

  7. #7
    Untangle Junkie dmorris's Avatar
    Join Date
    Nov 2006
    Location
    San Carlos, CA
    Posts
    17,747

    Default

    Well, that rule has no effect because it isn't enabled.
    If your rule below it says to inspect all traffic, that now includes SMTP.

    I would just leave it without it scanning SMTP SSL (just like 11.2), and stick with your 11.2 config (maybe blocking STARTTLS?)

    Unless you are ready to deal with certs in the SMTP world, which as we are discovering is still a big headache, I would not go down that road unless you have reason to.

  8. #8
    Untangle Ninja
    Join Date
    Jan 2009
    Posts
    1,186

    Default

    Quote Originally Posted by dmorris View Post
    Well, that rule has no effect because it isn't enabled.
    If your rule below it says to inspect all traffic, that now includes SMTP.
    I only have 2 rules for inspect, they're for 6 win machines on a different subnet than the subnet the email server is on.
    The other enabled rules are ignore.
    The last enabled rule is ignore other traffic.

    I do have an ignore rule for the mail server ip above inspect rules for the win clients, that was so the local clients wouldn't have to deal with the self signed certs for services...

    So is it safe to assume the config option overrides the rules?
    No... because the other config option for https traffic isn't overriding the rules, is this a bug or is it my ignore rule for the server ip? Hmmm.
    I would just leave it without it scanning SMTP SSL (just like 11.2), and stick with your 11.2 config (maybe blocking STARTTLS?)
    Understood.
    Unless you are ready to deal with certs in the SMTP world, which as we are discovering is still a big headache, I would not go down that road unless you have reason to.

    Google is outing servers not accepting tls connections, they're now 'alerting' users who are receiving emails from servers not using tls, how long before blacklisting on spam lists starts? It's nice to have virus blocker there to scan web traffic but that's pretty much all it serves at this point.

    Also, counting outgoing emails in the daily report under virus blocker... it's like.... idk, not cool.

  9. #9
    Untangle Junkie dmorris's Avatar
    Join Date
    Nov 2006
    Location
    San Carlos, CA
    Posts
    17,747

    Default

    Quote Originally Posted by fasttech View Post
    So is it safe to assume the config option overrides the rules?
    No... because the other config option for https traffic isn't overriding the rules, is this a bug or is it my ignore rule for the server ip? Hmmm.
    Indeed. It shouldn't.

  10. #10
    Untangle Ninja
    Join Date
    Jan 2009
    Posts
    1,186

    Default

    Is rule 4 screwed up?

    Code:
    Apr 19 08:51:52 server9b transfer/smtpd[20538]: connect from mail-yw0-f173.google.com[209.85.161.173]
    Apr 19 08:51:52 server9b transfer/smtpd[20538]: SSL_accept error from mail-yw0-f173.google.com[209.85.161.173]: lost connection
    Apr 19 08:51:52 server9b transfer/smtpd[20538]: lost connection after STARTTLS from mail-yw0-f173.google.com[209.85.161.173]
    Apr 19 08:51:52 server9b transfer/smtpd[20538]: disconnect from mail-yw0-f173.google.com[209.85.161.173]
    Attachments: tlssmtpignore.jpg, rule4.jpg
