quarantined email release fails

Question

Releasing has recently gone wrong on my macos Sierra machine.

Tried it with Safari, Firefox and Chrome but all fail:

Safari:
Safari Can't Open the Page "https://<fqdn>:3840/release.plc?proto=smtp&mp;cluster_id=0&message_id=1c2X06-0006pM-MV&size=3469&whitelist;0" because Safari can't establish a secure connection to the server "<fqdn>".

Firefox:
Secure Connection Failed
An error occurred during a connection to vgk.rcan.nl:3840. SSL received a record that exceeded the maximum permissible length. Error code: SSL_ERROR_RX_RECORD_TOO_LONG

Chrome:
This site can’t provide a secure connection
<fqdn> sent an invalid response
Try running Network Diagnostics.
ERR_SSL_PROTOCOL_ERROR

Update:

Now, a day later I found out that Safari is redirecting the http://<fqdn>:3840 to a https request. Odd. anyone experiencing similar issue?

Adrie

This thread was automatically locked due to age.

Rudy Baker · Accepted Answer

The problem is caused by HSTS. 
 We have one website with HSTS enabled with "includeSubdomains", https://www.mycompany.com 
 Our quarantine release link is: http://qr.mycompany.com 
 When we visit www.mycompany.com, the following HSTS flags get set for the entire *.mycompany.com domain and subdomains: 
 -- 
 Found: static_sts_domain: static_upgrade_mode: UNKNOWN static_sts_include_subdomains: static_sts_observed: static_pkp_domain: static_pkp_include_subdomains: static_pkp_observed: static_spki_hashes: dynamic_sts_domain: mycompany.com dynamic_upgrade_mode: FORCE_HTTPS dynamic_sts_include_subdomains: true dynamic_sts_observed: 1529594677.251927 dynamic_sts_expiry: 1561130677.251925 dynamic_pkp_domain: dynamic_pkp_include_subdomains: dynamic_pkp_observed: dynamic_pkp_expiry: dynamic_spki_hashes: 
 -- 
 This causes the UTM QR link to unusable and you receive the "ERR_SSL_PROTOCOL_ERROR" in your browser. 
 To get around it in Chrome (Probably the same method in FF and other browsers), go to "chrome://net-internals/#hsts" 
 In the query box, enter the full hostname of your quarantine release subdomain ( in my case qr.mycompany.com ) and hit query. You will see the FORCE_HTTPS lines underneath. 
 Then do the same thing for the full domain (mycompany.com), you will more than likely come out with the same results. 
 At the bottom of the same page, under "Delete domain security policies", put both your domain and subdomain (qr.mycompany.com and mycompany.com) and hit DELETE. 
 You will now be able to use the release link with no issues! 
 The moment you visit your website that has that HSTS config again, it will break your email releases until you follow those above steps again to delete the HSTS policies for your domains. 
 
 A permanent solution would be to allow the quarantine release to run on HTTPS. Another option is to change the URL from a FQDN to an IP address and if those aren't a great option, you could move the release URL to another domain (mycompany.net instead of mycompany.com) so that the HSTS settings have no impact. 
 
 Hope it helps.

Ol Deda · Answer

Probably I know the answer. Now: Define a host 
 Name: utm Type : Host Ip4 Address: 192.168.2.1 (your internal interface IP) DHCP: No DHCP Server DNS Settings: utm.hidden-domain.com (your FQDN that is equal in Quarantine Configuration Hostname) Flush Dns in PC, Ping it and release the email

automaton · Answer

The issue is quite simple, HSTS is set on the user portal, because HSTS is set, "modern" browsers that honour the HSTS flag, change all access to HTTPS (the port is irrelevant) 
 The only fix is to have the quarantine release run on HTTPS 
 en.wikipedia.org/.../HTTP_Strict_Transport_Security

Distra Hollmeister · Answer

test

HuberChristian · Answer

I had this issue as well. 9.510 is out now. See https://community.sophos.com/products/unified-threat-management/b/utm-blog/posts/utm-up2date-9-510-released 
 According to release notes, this bug is marked as fixed.

NUTM-9836 [Email] HSTS usage breaks Quarantine Report release link