Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 18 replies
  • Answers 1 answer
  • Subscribers 40 subscribers
  • Views 14927 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

XG 18.0.4 M4-4 Mac Mail IMAP unable to connect (DPI issue)

RaymondPalms

Hi There,

I'm not sure when it started but on a Mac if I'm using the Mail app or the Outlook app and try to add a Yahoo IMAP account the XG Firewall is not allowing it to connect using SSL 993 and I can't see why, it is the DPI engine that is responsible for this as if I go to "Rules and Policies" > "SSL/TLS inspection rules" > "SSL/TLS inspection settings" > "Advanced settings"  and turn off "SSL/TLS engine" everything starts working fine, I cannot see any logs in the Log Viewer to suggest dropped packet data for any reason. I'm not using any mail scanning settings or anything complicated/specific, can anyone advise ?

  • Is there any way I can view the DPI engine log verbosely to see if that shows anything ?
  • I've tried a tcpdump for port 993 on the firewall but that wasn't too helpful
  • The Mac apps don't place nicely with HTTPS/SSL proxy apps so that doesn't help much.

Thanks



This thread was automatically locked due to age.
  • 0 in reply to RaymondPalms

    Hi,

    I created anew yahoo account because I can't remember the password or setup on my old one.

    Testing, I saw the following ports 143, 443, 585 and 993 all trying to talk to the  mail server imap.mail.yahoo.com. All validation attempts failed with or without using the HTTP proxy. No errors logged in the XG.

    Result, total failure.

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • +1 in reply to rfcat_vk

    Try MR5. community.sophos.com/.../xg-firewall-v18-mr5-is-now-available

    __________________________________________________________________________________________________________________

  • 0 in reply to rfcat_vk

    Thanks for taking the time to test that out rfcat_vk, appreciate it.

  • 0 in reply to LuCar Toni

    Working as expected now with MR5, thanks LuCar Toni.Thumbsup

    • No exclusions needed.
    • No firewall rules needed.
    • SSL/TLS inspection on or off, works fine.
  • 0 in reply to RaymondPalms

    interesting, my mac mail will not connect with or without XG involved, verification fails for Yahoo mail.

    According to Sophos there are NO fixes for DPI in MR-5, testing was not completed in time to be added.

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • 0 in reply to rfcat_vk

    EDIT: Sorry just saw you said with or without XG involved, different issue entirely ?

    I think I read in some of your other posts that you have mail scanning options enabled to make Mac's Mail app work ?, do you want to scan mail ports ?, could you try turning off any mail scanning enabled ?

    So with my setup now on 18.0.5 MR-5:

    • Default network rule does not have any mail scanning enabled (Scan IMAPS and Scan SMTPS not ticked), firewall is NOT in MTA mode.
    • SSL/TLS inspection on
    • Web > URL groups > "Local TLS exclusion list" is empty.
    • No firewall rule for Yahoo or any mail port handling.

    Default network rule Security & Other settings:

    Mac Mail Connection Doctor app:

  • 0 in reply to RaymondPalms

    Hi,

    I scan mail in an attempt to catch virus and spam. Scanning works for all mail accounts on mac mini, mac air, iPad and iPhones.

    Yahoo smtp worked with scanning when the CA was told to trust the site, though the Yahoo CA is invalid.

    I am at  loss to understand why Yahoo Spam fails to verify? I will ask in other forums though the answer is not of great interest because I do not use Yahoo mail on a regular basis.

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • 0 in reply to rfcat_vk

    Ah no worries, don't worry about finding a fix as my problem has now been resolved, can leave it there.

Unfiltered HTML