Hello everyone, after updating to firmware SFOS 17.5.7 MR-7 I have received many alerts from network attacks:
"SERVER-MAIL Dovecot Submission-Login Service NULL Pointer Dereference"
Can anybody help me?
Thank you all.
Hi, I am facing the same issue since 26th July. I contacted Sophos support and got a pathetic reply. All we need is an explanation why this is happening or an acknowledgement that Sophos is looking into this.
Below is the reply I got to my inquiry from Sophos. I have removed my internal IP address and the name of the technical agent.
Hello Shenath,
This is regarding the service request number 9037848.
According to the logs, the attack has been detected and the source IP is ***.***.***.***.
To drop the traffic for that signature under IPS settings.
If you need immediate assistance on this case, you can contact Sophos Technical Support via phone.
Telephone contact numbers can be found here: https://doc.sophos.com/support/help/en-us/contact/index.html
Please contact us for any further assistance.
Regards,
****** ************
Sophos Technical Support
www.sophos.com/.../contact-support.aspx
Get Product Notifications via SMS - Sophos Mobile Notification Service: https://sms.sophos.com
Support Knowledge Base: community.sophos.com/kb
Follow us on Twitter @SophosSupport
Sophos Community (discussion forums): https://community.sophos.com
SOPHOS - CyberSecurity made simple
Hi,
The description is here -> http://services.netscreen.com/documentation/signatures/SMTP%3ADOS%3ADOVECOT-NULL.html
I've got the same messages when my fileserver sends me an email, and email was configured with no authentication,
when I filled it up, there were no error messages at the Sophos side.
Cheers!
Seems like a false positive.
Can you give us the IPS ID?
Hi,
I've got the same issue.
The IPS ID is: 1190508052
It blocked access to the domain name of my mail server.
I solved the problem by allowing the domain name in Web, Exception, add, URL: ^([A-Za-z0-9.-]*\.)?mydomainname\.fr/
I have access to my mail server again but the logs are still present...
Would suggest two steps.
First, report this issue to Sophos support to get the false positive removed from the IPS pattern.
Second, exclude this from your pattern: https://community.sophos.com/kb/en-us/132879