
XG86 (SFOS 17.5.9) email system notifications issue

Hi all,

Frustratingly, I've only been able to get my email notifications to work with my email hosting service on port 25, despite a host of other devices on my network successfully using SSL through port 587 (my preferred approach). This isn't the real thrust of my problem, as I'm happy to wait for SFOS 18 to go general release and see if that resolves it.

Still, as it was the catalyst to this problem of no emails getting out in any configuration thereafter, it seems that maybe my email host is providing a level of SSL protection that the XG has not yet caught up to, as noted from the smtpd_main.log file:

12143 == test@test.recipient.com R=router_for_notifications T=notification_smtp defer (-37) H=mail.smpt.server [xxx.xxx.xxx.xxx]:587: TLS session: (SSL_connect): error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol

So that's the preamble that led up to my next discovery. The real issue here is that I'm seeing a repeated issue with the XG trying to connect to an internal database that doesn't seem to exist, and in order to be able to successfully send emails on port 25, I had to manually delete all the queued prior test message attempts from the "/sdisk/spool/output/input" (not a typo) folder first. Once I cleared out the queued attempts and then retried my unsecured port 25 configuration, the mail did go through, but this lot of warnings about the internal database came up every time I tested (again, irrespective of whether the send succeeded or not):

2019-12-29 03:43:44.683 [7899] SMTP connection from [127.0.0.1]:34344 I=[127.0.0.1]:24 (TCP/IP connection count = 1)
2019-12-29 03:43:44.686 [24198] [127.0.0.1] Connection accepted for notification
2019-12-29 03:43:44.690 [24198] [127.0.0.1] F=<redacted@redacted.address> R=<test@test.recipient.com> Accepted: SF notification
2019-12-29 03:43:44.742 [24198] 1ilFBo-0006II-MG <= redacted@redacted.address H=localhost (Sophos) [127.0.0.1]:34344 I=[127.0.0.1]:24 P=esmtp S=955 M8S=0 RT=0.041s T="Test Mail" from <redacted@redacted.address> for test@test.recipient.com
2019-12-29 03:43:44.743 [24198] SMTP connection from localhost (Sophos) [127.0.0.1]:34344 I=[127.0.0.1]:24 closed by QUIT
MSG Dec 29 03:43:44 [ T_SMTPD-M]: new mail queued, add to inqueue '1ilFBo-0006II-MG-D'
MSG Dec 29 03:43:45 [ T_SMTPD-W]: Mail assigned to 'MS-7894' for scanning '1ilFBo-0006II-MG-D'
MSG Dec 29 03:43:45 [ MS-7894]: scan request 1ilFBo-0006II-MG-D
MSG Dec 29 03:43:45 [ MS-7894]: S='redacted@redacted.address' R='test@test.recipient.com' Subject='Test Mail' Size='955' Status='Mail has been queued for delivery.' src_ip='127.0.0.1' src_port=34344
ERR Dec 29 03:43:45 [ MS-7894]: couldn't connect to db reason(could not connect to server: Connection refused
Is the server running on host "localhost" (127.0.0.1) and accepting
TCP/IP connections on port 5433?
)

What is going on here? What is this database that it's failing at connecting and how can I fix it? I have found nothing after searching for about an hour. Thanks in advance!



  • Hi,

    What mode is your XG mail running, MTA or transparent?

    Are you using the XG as the mail server or an external mail server? A number of forum members gave up on using the XG as a mail server because we could get it to work.

    Do you have outgoing mail scanning rule in place for SMTP/s?


    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Hi Ian,

    That's the thing. I don't believe the XG86 has that kind of setting, as I cannot find it in the Protection -> Email menu as has been specified in other posts. Also, I believe I read in one post that it's a feature that only seems to exist in the XG105 onwards, so I don't believe it's a feature in the XG86. If it's tucked away somewhere that I'm too blind to see, I'm prepared to be educated!

    I have the XG configured to use an external mail server of my choosing, not internal, as specified in my original post.

    I don't have any business rules in place in my Firewall config to enforce SMTP scanning. The fact that my other devices (laptop, desktop, NAS, microserver running services which use msmtp) are able to successfully send emails on port 587 with SSL connection security tells me that the XG's notification system is what's broken here, not how it handles SMTP traffic in and of itself. Of course, I stand to be corrected on that too.

  • Hi,

    the MTA thing is in EMAIL -> General settings and is usually on by default at installation time.

    The email setting is in Administration - Notification settings where you choose built-in or external mail server. I have 587 set for my ISP with StartTLS, but the ISP doesn't appear to use TLS with 587.

    Ian


  • I honestly don't see it there.

    I have since tried port 465 again, in an act of bravery, and that's working for me but only if I leave my connection security off. I still cannot get through on port 587 and I definitely cannot use SSL/TLS on either port. That narrows the issue down to SSL, seemingly.

  • Hi,

    I see you don't have a CA selected in your mail notification configuration.

    A bit strange, but going on problems I have had in the past with setup, I am not surprised.

    You could try V18 EAP 3 to see if that makes any difference?

    Ian


  • I can't select a CA when I have the Connection Security set to None. When I do set it to SSL/TLS, I select the default ApplianceCertificate but that still raises the SSL compatibility error at the top of my first post.

    However, with a bit more experimentation, it now looks like port 587 is working for me (I added my local IP address to the SPF records, strangely).

    I'll accept that for now and wait for SFOS 18 to go to general release, since I'm heading overseas soon and need my networking to remain reliable in my absence.

    So the last thing to attack is my primary concern that I asked about: what's with that database error in the bulk of my first post? How can I prevent that from becoming a potential roadblock in future, in case something goes wrong again with signing into the mail server and a long queue of messages piles up in the output folder? That's what killed my email alerts completely, even after reverting my email settings back to what worked before.

  • Hi,

    Sorry, I can't help with that issue, it is beyond my experience.

    If you restart the XG does that same error occur?

    Ian


  • Seems like your Default Certificate has some issues.

    Default Certificate uses your Appliance information, but can be edited, if needed.

    SSL Certificate has some pre-installed information (like Support@sophos.com).

    You can edit them in the Certificate tab. Try to edit Default CA and remove invalid characters.

  • The ApplianceCertificate can't be edited but I'll create a new self-signed one and see how that fares.

    Hopefully the burning question now about the database errors will be resolved with SFOS 18 so that I don't get hit with roadblocks in future.

  • Hi,

    You have deleted a folder that is required for Exim to load. That is why you are getting database errors. I suggest you factory reset to bring it back to normal.

    Also, you mentioned XG86... this unit does not have MTA mode at all.

    You can try running the command below on the XG against your sending mail server:

    openssl s_client -connect mail_server_hostname_or_ip_address:25 -starttls smtp -tls1_2

    Please then DM me the output.

    However, we may be going down a rabbit hole as you have removed a critical folder.

    KingChris
    Community Support | Sophos Support


  • KingChris said:
    You have deleted a folder that is required for Exim to load. That is why you are getting database errors. I suggest you factory reset to bring it back to normal.

    Actually, I did not delete any folders. What I did delete, however, were the piles of test messages that built up when it was still reporting that db error, so I ended up deleting just those messages in the input folder I had mentioned, not the folder itself. Considering it is working, albeit without any level of security enforced in the config, I'm not going to put it through a factory reset.

    Also, you mentioned XG86... this unit does not have MTA mode at all.

    That's what I thought, given what I uncovered in a search where it mentioned the feature starts with XG105.

    You can try running the command below on the XG against your sending mail server:

    openssl s_client -connect mail_server_hostname_or_ip_address:25 -starttls smtp -tls1_2

    Please then DM me the output.

    I compared its output to what I was seeing in the smtp_main.log file when I don't have any Connection Security enforced. What I found was that with the options/switches you specified, it happily initiates a TLS1.2 connection.

    SSL handshake has read 3611 bytes and written 451 bytes
    ---
    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
    Protocol : TLSv1.2
    Cipher : ECDHE-RSA-AES256-GCM-SHA384

    It would seem that the smtp client is actually accepting a TLS1.2 connection so long as I don't attempt to enforce it with SSL/TLS. I can only enforce it with STARTTLS, which is something I didn't try before and your command line instruction prompted me to, so many thanks. You've solved that part of my problem and I feel like an idiot for not trying that in the first place!

    [15300] sfYxTC-cfOrc4-tn => [RECIPIENT EMAIL] F=<[REDACTED SENDING EMAIL]> P=<[REDACTED SENDING EMAIL]> R=router_for_notifications T=notification_smtp S=985 H=[REDACTED MAIL HOST] [REDACTED MAIL HOST IP]:587 I=[REDACTED SENDING IP]:40137 X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=yes DN="/OU=Domain Control Validated/CN=*[REDACTED DOMAIN]" A=server_plain C="250 OK id=1im5lT-0008G1-7m" QT=17s DT=3.229s

    However, we may be going down a rabbit hole as you have removed a critical folder.

    Not to be rude but I'm going to insist that if it is indeed a critical folder that has gone missing, it never happened by my hand. I can now confidently say that I am getting the XG86 to send my emails securely but the database error remains. However, by the same token, I am seeing that the messages are being moved to the /sdisk/spool/output/msglog.OLD/ folder upon a successful send. So to my mind, the smtp client is working as intended, despite the database error.

    It's not ideal and thankfully it's not a client's router, so I'm happy to leave it where it is since the critical parts of it are working. If the SFOS 18 upgrade fixes the database issue, then I'll consider it a bonus.
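The thread's finding is that the appliance's "SSL/TLS" setting opens a TLS handshake immediately, while port 587 expects plaintext SMTP first and then STARTTLS, so the server's "220" banner is what the first post's log reported as "unknown protocol". As an added example (not code from the thread, from Sophos or from Exim), this Python snippet tells the two modes apart by what a server sends first, and parses the X=/CV= fields of an Exim delivery line like the one quoted above to confirm a message really left over verified TLS; the host, addresses, IP and message id in the sample line are constructed placeholders.

```python
import re
import socket
from typing import Optional

# Constructed Exim delivery line of the shape quoted in the post above; the
# host, addresses, IP and message id are placeholders, not the poster's values.
SAMPLE_DELIVERY_LINE = (
    "[15300] sfYxTC-cfOrc4-tn => user@example.com F=<fw@example.com> "
    "R=router_for_notifications T=notification_smtp S=985 H=mail.example.com "
    "[203.0.113.10]:587 X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=yes "
    'DN="/CN=*.example.com" A=server_plain C="250 OK id=PLACEHOLDER" DT=3.229s'
)

# Exim's X= field is protocol:cipher:bits; CV= records whether the peer cert verified.
TLS_FIELD = re.compile(r"\bX=(?P<proto>[^:\s]+):(?P<cipher>[^:\s]+):(?P<bits>\d+)")
CV_FIELD = re.compile(r"\bCV=(?P<cv>yes|no)\b")


def classify_greeting(first_bytes: Optional[bytes]) -> str:
    """Tell STARTTLS from implicit TLS by what the server sends first.

    A plaintext '220 ...' banner means SMTP first, then STARTTLS (port 587);
    a TLS client that sends a ClientHello here gets that banner back and
    fails with 'SSL23_GET_SERVER_HELLO:unknown protocol'. Silence means the
    server is waiting for our ClientHello: implicit TLS (port 465).
    """
    if first_bytes is None:
        return "implicit-tls"
    if first_bytes.startswith(b"220"):
        return "starttls"
    return "unknown"


def probe_port(host: str, port: int, timeout: float = 5.0) -> str:
    """Connect to a mail server port and classify it from its first bytes."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            data = sock.recv(64)
        except socket.timeout:
            data = None  # nothing sent: server expects a TLS handshake first
    return classify_greeting(data)


def delivery_tls_status(line: str) -> dict:
    """Extract the TLS evidence from a successful ('=>') Exim delivery line."""
    m = TLS_FIELD.search(line)
    if not m:  # no X= field: the message left in cleartext
        return {"encrypted": False, "protocol": None, "cipher": None, "verified": False}
    cv = CV_FIELD.search(line)
    return {"encrypted": True, "protocol": m.group("proto"), "cipher": m.group("cipher"),
            "verified": bool(cv and cv.group("cv") == "yes")}
```

Run probe_port against your own submission host on 587 and 465 to see which mode each port expects before choosing "STARTTLS" or "SSL/TLS" in the notification settings.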