I'm not sure when it started, but on a Mac, if I'm using the Mail app or the Outlook app and try to add a Yahoo IMAP account, the XG Firewall is not allowing it to connect using SSL on 993, and I can't see why. It is the DPI engine that is responsible for this: if I go to "Rules and Policies" > "SSL/TLS inspection rules" > "SSL/TLS inspection settings" > "Advanced settings" and turn off "SSL/TLS engine", everything starts working fine. I cannot see any logs in the Log Viewer to suggest dropped packet data for any reason. I'm not using any mail scanning settings or anything complicated/specific. Can anyone advise?
The DPI engine does not work with mail ports 465, 993, 587 and 25. You need to use the mail proxy. Mac Mail does work with CAs and mail proxy scanning.
Eventually the SSL/TLS inspection log showed "Dropped due to TLS engine error: FLOW_TIMEOUT" errors. I suspect this was after enabling "SSL/TLS inspection", which enabled logging? Searching the forums for that showed a history of problems related to this and the DPI engine, and after following some fixes recommended in some posts I've created a temporary solution. Also, looking at Mail's Connection Doctor, it shows a connection to imap.mail.yahoo.com over port 143, which is non-secure IMAP. Turning off SSL/TLS inspection (NOT the SSL/TLS engine) and creating the firewall rule below allows it to connect over 993. I did add the Sophos SSL and CA certs into the Keychain but it made no difference. IMAP connections to iCloud and Gmail seem to work fine; it's just Yahoo that doesn't.
There is a setting which allows you to exclude domains from SSL/TLS inspection; however, it seems the firewall ignores this? The "Exclusions by website or category" has the "Local TLS exclusion list" URL list in it, so I added "yahoo.com" to the "Local TLS exclusion list" URL list, but this made no difference.
What is the use of using the DPI engine if you have to add the sites to be excluded from scanning?
Try to create a DPI rule with your IMAP Port 993 and do not decrypt.
It could still be a bug, which can be fixed with MR5, as there was a bug about false categorization, if I remember correctly.
rfcat_vk, yeah I'm a bit lost as to what it could be, I did try changing *.yahoo.com to *.mail.yahoo.com but no difference.
@LuCar Toni, thanks for the suggestion. I did try this before, as that is exactly what I would expect to work, but it did not; see below for the rule I tried to create and select "Don't decrypt".
If I have
Still does not work; whenever I turn on SSL/TLS inspection it just breaks it.
Is there any news about when MR5 will be released?
I created a new Yahoo account because I can't remember the password or set-up on my old one.
Testing, I saw the following ports, 143, 443, 585 and 993, all trying to talk to the mail server imap.mail.yahoo.com. All validation attempts failed, with or without using the HTTP proxy. No errors logged in the XG.
Result, total failure.
Try MR5. community.sophos.com/.../xg-firewall-v18-mr5-is-now-available
Thanks for taking the time to test that out rfcat_vk, appreciate it.
Working as expected now with MR5, thanks LuCar Toni.
Interesting, my Mac Mail will not connect with or without XG involved; verification fails for Yahoo mail.
According to Sophos there are NO fixes for DPI in MR-5, testing was not completed in time to be added.
EDIT: Sorry, just saw you said with or without XG involved; a different issue entirely?
I think I read in some of your other posts that you have mail scanning options enabled to make the Mac's Mail app work? Do you want to scan mail ports? Could you try turning off any mail scanning enabled?
So with my setup now on 18.0.5 MR-5:
Default network rule Security & Other settings:
Mac Mail Connection Doctor app:
I scan mail in an attempt to catch virus and spam. Scanning works for all mail accounts on mac mini, mac air, iPad and iPhones.
Yahoo smtp worked with scanning when the CA was told to trust the site, though the Yahoo CA is invalid.
I am at a loss to understand why Yahoo Spam fails to verify. I will ask in other forums, though the answer is not of great interest because I do not use Yahoo mail on a regular basis.
Ah, no worries, don't worry about finding a fix, as my problem has now been resolved; we can leave it there.