SERVER-MAIL Dovecot Submission-Login Service NULL Pointer Dereference

Hello everyone, after updating to firmware SFOS 17.5.7 MR-7 I have received many alerts from network attacks:

 

"SERVER-MAIL Dovecot Submission-Login Service NULL Pointer Dereference"

Can anybody help me?

Thank you all.

  • Hi, I am facing the same issue since 26th July. I contacted Sophos support and got a pathetic reply. All we need is an explanation why this is happening or an acknowledgement that Sophos is looking into this.

    Below is the reply I got to my inquiry from Sophos. I have removed my internal IP address and the name of the technical agent.

     

    Hello Shenath,

    This is regarding the service request number 9037848.

    According to the logs, the attack has been detected and the source IP is ***.***.***.***.

    To drop the traffic for that signature under IPS settings.

    If you need immediate assistance on this case, you can contact Sophos Technical Support via phone.

    Telephone contact numbers can be found here: www.sophos.com/.../contact-support.aspx

    IN Support Lines: Toll Free: 000 800 100 8381 International: (+65) 6776 7467

    UK Support Lines: From UK: 0844 767 4670 (0844 SOPHOS-0) International: +44 (0)1235 465818

    US Support Lines: Toll Free: 1-888-SOPHOS-9 (1-888-767-4679) International: 1-781-494-5800

    AU Support Lines: Australia: 1300 041 895 New Zealand: 0800 884 012 International: +61 2 9409 9111

    Please contact us for any further assistance.


    Regards, 

    ****** ************ 
    Sophos Technical Support

  • Hi,
    The description is here -> http://services.netscreen.com/documentation/signatures/SMTP%3ADOS%3ADOVECOT-NULL.html

    I got the same messages when my file server sent me an email and email was configured with no authentication.
    When I filled it in, there were no error messages on the Sophos side.

    Cheers!

  • In reply to Patryk Dobrowolski:

    Seems like a false positive.

    Can you give us the IPS ID? 

  • In reply to LuCar Toni:

    Hi,

    I've got the same issue.

    The IPS ID is: 1190508052

    It blocked access to the domain name of my mail server.
    I solved the problem by allowing the domain name in Web, Exception, add, URL: ^([A-Za-z0-9.-]*\.)?mydomainname\.fr/

    I have access to my mail server again but the logs are still present...

  • In reply to Emmanuel Rebillard:

    Would suggest two steps.

    First, report this issue to Sophos support to get the false positive removed from the IPS pattern.

    Second, exclude this from your pattern: https://community.sophos.com/kb/en-us/132879