XG 18.0.4 M4-4 Mac Mail IMAP unable to connect (DPI issue)

Hi There,

I'm not sure when it started, but on a Mac, if I'm using the Mail app or the Outlook app and try to add a Yahoo IMAP account, the XG Firewall is not allowing it to connect using SSL 993 and I can't see why. It is the DPI engine that is responsible for this, as if I go to "Rules and Policies" > "SSL/TLS inspection rules" > "SSL/TLS inspection settings" > "Advanced settings" and turn off "SSL/TLS engine", everything starts working fine. I cannot see any logs in the Log Viewer to suggest dropped packet data for any reason. I'm not using any mail scanning settings or anything complicated/specific. Can anyone advise?

  • Is there any way I can view the DPI engine log verbosely to see if that shows anything?
  • I've tried a tcpdump for port 993 on the firewall but that wasn't too helpful.
  • The Mac apps don't play nicely with HTTPS/SSL proxy apps so that doesn't help much.

Thanks

[edited by: emmosophos at 9:49 PM (GMT -7) on 2 Apr 2021]
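As an added diagnostic (example code, not from this thread or from Sophos), the following Python probe separates the three outcomes the thread is trying to tell apart for imap.mail.yahoo.com:993: a handshake that verifies cleanly, a handshake that completes but with a chain the client does not trust (re-signed by the firewall's CA), or no handshake at all, which is the client-side view of a dropped flow. The only assumption is that the firewall CA is not in Python's OpenSSL trust store, which is separate from the macOS Keychain, so a CA trusted in Keychain still shows up here as "intercepted".

```python
"""Client-side IMAPS handshake probe (e.g. imap.mail.yahoo.com:993).
Verdicts: 'direct' = TLS verifies against the public CA store; 'intercepted' =
TLS completes but the chain is untrusted (re-signed by a firewall CA this store
lacks); 'blocked' = no handshake at all (timeout/reset, i.e. a dropped flow)."""
import socket
import ssl
from typing import Optional


def classify(verified_ok: bool, handshake_ok: bool, error: Optional[str]) -> str:
    """Map the two probe passes to one verdict (see module docstring)."""
    if verified_ok:
        return "direct"
    if handshake_ok:
        return "intercepted"
    if error and ("timed out" in error or "reset" in error.lower()):
        return "blocked"
    return "unknown"


def _handshake(host: str, port: int, timeout: float, verify: bool) -> str:
    """Complete a TLS handshake and return the server's IMAP '* OK' greeting."""
    ctx = ssl.create_default_context()
    if not verify:  # second pass only: does TLS complete at all, trust aside?
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.recv(256).decode(errors="replace").strip()


def probe_imaps(host: str = "imap.mail.yahoo.com", port: int = 993,
                timeout: float = 10.0) -> dict:
    """Probe once verified, then unverified if needed, and classify the result."""
    r = {"verified_ok": False, "handshake_ok": False, "greeting": None, "error": None}
    try:
        r["greeting"] = _handshake(host, port, timeout, verify=True)
        r["verified_ok"] = r["handshake_ok"] = True
    except ssl.SSLCertVerificationError as e:
        r["error"] = f"verify: {e.reason}"
        try:  # untrusted chain: retry unverified to separate interception from a drop
            r["greeting"] = _handshake(host, port, timeout, verify=False)
            r["handshake_ok"] = True
        except OSError as e2:
            r["error"] += f"; unverified: {e2}"
    except OSError as e:  # socket.timeout, ConnectionResetError, ssl.SSLError
        r["error"] = str(e) or type(e).__name__
    r["verdict"] = classify(r["verified_ok"], r["handshake_ok"], r["error"])
    return r
```

Run `probe_imaps()` from the Mac with the SSL/TLS engine on and again with it off; a verdict that flips from "blocked" to "direct" points at the DPI engine rather than at the mail client or Yahoo.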
  • Eventually the SSL/TLS inspection log showed "Dropped due to TLS engine error: FLOW_TIMEOUT[5]" errors. I suspect this was after enabling "SSL/TLS inspection", which enabled logging? Searching the forums for that showed a history of problems related to this and the DPI engine, and after following some fixes recommended in some posts I've created a temporary solution. Also, looking at Mail's Connection Doctor, it shows a connection to imap.mail.yahoo.com over port 143, which is non-secure IMAP. Turning off SSL/TLS inspection (NOT the SSL/TLS engine) and creating the Firewall rule below allows it to connect over 993. I did add the Sophos SSL and CA certs into the Keychain but it made no difference. IMAP connections to iCloud and GMAIL seem to work fine, just Yahoo that doesn't.

    • Created FQDN host "*.yahoo.com"
    • Created new Firewall rule (see below for config)
    • SSL/TLS inspection has to remain turned off, turning it back on creates the same problem again.

    There is a setting which allows you to exclude domains from SSL/TLS inspection, however it seems the Firewall ignores this? The "Exclusions by website or category" has the "Local TLS exclusion list" URL list in it, so I added "yahoo.com" to the "Local TLS exclusion list" URL list, but this made no difference.

  • Hi,

    the DPI engine does not work with mail ports: 465, 993, 587, 25. You need to use the mail proxy. Mac Mail does work with CAs and mail proxy scanning.

    What is the use of using the DPI engine if you have to add the sites to be excluded from scanning?

    Ian

    V18.0.x - e3-1225v5 6gb ram with 4 ports - 20w.
    3 AP55s and 2 APX120s having a holiday until software update is released.
    If a post solves your question use the 'This helped me' link.
  • Thanks for the response rfcat_vk, interesting to know the DPI engine does not work with mail ports. Is there documentation that supports or mentions this?

    I've read your other posts about adding the CA into Keychain, which I did try but did not work. I assume this is because I did not set up mail proxy; I assume by mail proxy you mean switching to MTA mode? It doesn't really answer why Mac Mail works with GMAIL/iCloud IMAP 993 connections and not Yahoo.

  • Hi,

    no, I meant via enabling the scanning within your firewall rule. I have one Mac Air running both Outlook and Mac Mail with 3 accounts and 4 other devices all running Mac Mail (3 of them are mobile devices, all Apple based). Mail fails on all devices when using DPI, but works when using scanning within the firewall rules. I have the XG CA installed on all devices.

    Possibly there are default exceptions in the SSL/TLS settings.

    As far as documentation on mail and the DPI, the issue was confirmed in a long running thread on DPI issues as not being fixed in the upcoming MR-x with the DPI fix.

    Ian

  • So based on what you said I made the following changes yesterday but was not successful in getting Yahoo to work. It is worth noting that it is specifically Yahoo IMAP 993 that is failing to connect (imap.mail.yahoo.com).

    • Installed "Sophos SSL CA" & the "Sophos_CA" onto Mac running Big Sur and trusted them
    • Removed the SSL/TLS exclusion I created for yahoo.com
    • In the Yahoo IMAP/SMTP firewall rule I created in the picture above I enabled scanning via the "Scan IMAPS" and "Scan SMTPS" tick boxes at the bottom
    • Turned on SSL/TLS inspection
    • Exited Mac Mail, waited a few mins and launched it again

    I did try other settings like unticking "Use web proxy instead of DPI engine", ticking "Decrypt HTTPS during web proxy filtering", ticking "Scan HTTP and decrypted HTTPS", but was unsuccessful. If I disable the new firewall rule I've created and enable SSL/TLS inspection, everything works except Yahoo IMAP; the GMAIL and iCloud IMAP 993 connections go through fine without any certs installed on devices or any exceptions or any firewall rule changes.

  • What do you mean you turned on SSL/TLS inspection?

    Ian

  • See below picture for SSL/TLS inspection enable/disable setting:

    If I keep it turned off and enable the firewall rule in the picture in my first post, Yahoo IMAP 993 using macOS's Mail app works, HOWEVER, if I turn that setting on, it causes problems again even with firewall rule enabled.

  • Sophos support advise you should only change that setting under their guidance.

    If *.yahoo.com fails with your firewall rule setup as per the top post with SSL/TLS enabled but not used in the rule then that would imply there is an issue with the Yahoo connection.

    You might need to change the yahoo.com to *.mail.yahoo.com

    Other than that I am running out of ideas.

    Ian

  • Try to create a DPI rule with your IMAP Port 993 and do not decrypt.

    It could still be a bug, which can be fixed with MR5, as there was a bug about false categorization, if I remember correctly.

  • Yeah, I'm a bit lost as to what it could be. I did try changing *.yahoo.com to *.mail.yahoo.com but no difference.

    @LuCar Toni, thanks for the suggestion. I did try this before, as that is exactly what I would expect to work, but it did not; see below for the rule I tried to create and select "Don't decrypt".

    If I have:

    • SSL/TLS inspection on
    • DPI exception rule created as in the picture above (I've also tried adding yahoo.com & imap.mail.yahoo.com to the "Local TLS exclusion list" URL group, which is already included in the DPI exception rule "Exclusions by website or category" and is set to "Don't decrypt")
    • Firewall rule created as in my original post picture

    Still does not work, whenever I turn on SSL/TLS inspection it just breaks it.

    Is there any news about when MR5 will be released?

  • Hi,

    I created a new Yahoo account because I can't remember the password or setup on my old one.

    Testing, I saw the following ports 143, 443, 585 and 993 all trying to talk to the mail server imap.mail.yahoo.com. All validation attempts failed with or without using the HTTP proxy. No errors logged in the XG.

    Result, total failure.

    Ian

  • Thanks for taking the time to test that out rfcat_vk, appreciate it.

  • Working as expected now with MR5, thanks LuCar Toni.

    • No exclusions needed.
    • No firewall rules needed.
    • SSL/TLS inspection on or off, works fine.