
POP3 protection does not work anymore since 9.210-20

Hi,

Before, I had the 9.209-8 firmware and everything was cool. Today I updated to 9.210-20 and my POP3 proxy doesn't work anymore.

This is from the live log:
2014:12:04-22:21:57 ***utm pop3proxy[26469]: Fatal: Failed to accept SSL client
2014:12:04-22:21:57 ***utm pop3proxy[26469]: SSL Error: 0x1408a0c1d (error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher)
2014:12:04-22:21:57 ***utm pop3proxy[26470]: Fatal: Failed to accept SSL client
2014:12:04-22:21:57 ***utm pop3proxy[26470]: SSL Error: 0x1408a0c1d (error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher)
2014:12:04-22:23:30 ***utm pop3proxy[26535]: Accepted client connection from 192.168.2.20 for 212.227.15.162 (pop.1und1.de Servers server_id 2)
2014:12:04-22:23:30 ***utm pop3proxy[26534]: Accepted client connection from 192.168.2.20 for 212.227.17.169 (pop.gmx.net Servers server_id 1)
2014:12:04-22:23:30 ***utm pop3proxy[26534]: Fatal: Failed to accept SSL client
2014:12:04-22:23:30 ***utm pop3proxy[26535]: Fatal: Failed to accept SSL client
2014:12:04-22:23:30 ***utm pop3proxy[26534]: SSL Error: 0x1408a0c1d (error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher)
2014:12:04-22:23:30 ***utm pop3proxy[26535]: SSL Error: 0x1408a0c1d (error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher) 

Any idea? It looks like there is a cipher missing now...

I am working with Thunderbird.

Cheers


  • What happens if you disable POP3 and then re-enable it?

    What's the result of:

    # grep tls_ciphers /var/chroot-pop3/etc/*



    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi,

    Switching it off and on doesn't change anything.

    Here is the grep:

    /var/chroot-pop3/etc/pop3proxy.conf:tls_ciphers_client=DEFAULT
    /var/chroot-pop3/etc/pop3proxy.conf:tls_ciphers_server=RC4:HIGH:!MD5:!aNULL:!EDH:!SSLv3
    /var/chroot-pop3/etc/pop3proxy.conf-default:tls_ciphers_client=DEFAULT
    /var/chroot-pop3/etc/pop3proxy.conf-default:tls_ciphers_server=RC4:HIGH:!MD5:!aNULL:!EDH:!SSLv3

    Cheers,
    Tee
  • FYI - I've got the same problem.

    Example log:
    2014:12:07-07:34:04 systemid pop3proxy[12779]: Accepted client connection from 192.168.1.105 for 64.233.169.109
    2014:12:07-07:34:04 systemid pop3proxy[12780]: Accepted client connection from 192.168.1.105 for 64.233.169.109
    2014:12:07-07:34:04 systemid pop3proxy[12779]: Client 192.168.1.105 has closed the connection
    2014:12:07-07:34:04 systemid pop3proxy[12780]: Client 192.168.1.105 has closed the connection
    2014:12:07-07:34:04 systemid pop3proxy[12783]: Accepted client connection from 192.168.1.105 for 64.233.169.109
    2014:12:07-07:34:04 systemid pop3proxy[12783]: Fatal: Failed to accept SSL client
    2014:12:07-07:34:04 systemid pop3proxy[12783]: SSL Error: 0x1408a0c1d (error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher)

    Phil
  • Same problem here,
    thanks in advance

    2014:12:07-22:14:03 *** pop3proxy[7042]: SSL Error: 0x1408a0c1d (error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher)
    2014:12:07-22:14:03 *** pop3proxy[7044]: Accepted client connection from 192.168.178.24 for 212.227.17.177 (pop3.web.de Servers server_id 1)
    2014:12:07-22:14:03 *** pop3proxy[7044]: Fatal: Failed to accept SSL client

    Greetings, Ruben
  • Should have read further. Specific thread for SMTP trouble:
    https://community.sophos.com/products/unified-threat-management/astaroorg/f/52/t/29725

    Related problem: protecting incoming mail via SMTP proxy. Same log entry:
    2014:12:08-09:06:36 GwExt01-2 exim-in[6971]: 2014-12-08 09:06:36 SMTP connection from [129.143.2.76]:63695 (TCP/IP connection count = 1)
    2014:12:08-09:06:36 GwExt01-2 exim-in[7668]: 2014-12-08 09:06:36 TLS error on connection from csr201.belwue.de [129.143.2.76]:63695 (SSL_accept): error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
    2014:12:08-09:06:36 GwExt01-2 exim-in[7668]: 2014-12-08 09:06:36 TLS client disconnected cleanly (rejected our certificate?)
    2014:12:08-09:06:36 GwExt01-2 exim-in[7668]: 2014-12-08 09:06:36 SMTP connection from csr201.belwue.de [129.143.2.76]:63695 closed by EOF 



    No incoming SSL connection possible. Incoming mail only works if I set the mailserver of our provider to be exempt from SSL (in Advanced settings).

    I had (wrongly) set the self-signed certificate for SMTP proxy usage. Did not hinder the mail transfer so far, so I guess there was no valid SSL handshake before. What gets me is the inability of the system to fall back on plain SMTP. Cannot judge whether the mailserver or Sophos UTM is to blame.

    Any ideas? Suggested grep on similar SMTP directory gets 0 results.
  • Hi,

    I have the same problem. The reason, I guess, is that the SSLv3 cipher suite has been disabled. It's that "!SSLv3" snippet.

    The bad thing about it is that you cannot use TLS1 or TLS1.1 anymore because, though both are safe to use, they use the same cipher suite as SSLv3.

    So far I don't know of any fix for this other than reactivating the SSLv3 cipher suite and making the pop3proxy vulnerable to the POODLE bug again.

    I opened a thread for this issue too:
    https://community.sophos.com/products/unified-threat-management/astaroorg/f/56/t/49746
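
An added illustration, not part of the original thread and not Sophos code: a simplified Python model of how the `tls_ciphers_server` string from the grep output is filtered, and why the `!SSLv3` rule leaves nothing for a client limited to TLS 1.0/1.1. The suite table is a constructed subset, and tagging suites the way OpenSSL 1.0.x printed them in `openssl ciphers -v` is an assumption about the proxy's library.

```python
# Simplified model of OpenSSL cipher-string filtering (plain and "!" rules only).
# SUITES is a constructed subset; "tag" is the protocol label OpenSSL 1.0.x showed
# for each suite (assumed to match the library used by the proxy).
from collections import namedtuple

Suite = namedtuple("Suite", "name tag kx au enc mac level")
SUITES = [
    Suite("ECDHE-RSA-AES256-GCM-SHA384", "TLSv1.2", "ECDH", "RSA", "AESGCM", "AEAD", "HIGH"),
    Suite("AES256-GCM-SHA384", "TLSv1.2", "RSA", "RSA", "AESGCM", "AEAD", "HIGH"),
    Suite("AES256-SHA256", "TLSv1.2", "RSA", "RSA", "AES", "SHA256", "HIGH"),
    Suite("ECDHE-RSA-AES256-SHA", "SSLv3", "ECDH", "RSA", "AES", "SHA1", "HIGH"),
    Suite("DHE-RSA-AES256-SHA", "SSLv3", "DH", "RSA", "AES", "SHA1", "HIGH"),
    Suite("AES256-SHA", "SSLv3", "RSA", "RSA", "AES", "SHA1", "HIGH"),
    Suite("DES-CBC3-SHA", "SSLv3", "RSA", "RSA", "3DES", "SHA1", "HIGH"),
    Suite("ADH-AES256-SHA", "SSLv3", "DH", "None", "AES", "SHA1", "HIGH"),
    Suite("RC4-SHA", "SSLv3", "RSA", "RSA", "RC4", "SHA1", "MEDIUM"),
    Suite("RC4-MD5", "SSLv3", "RSA", "RSA", "RC4", "MD5", "MEDIUM"),
]
ALIASES = {
    "RC4": lambda s: s.enc == "RC4",
    "HIGH": lambda s: s.level == "HIGH",
    "MD5": lambda s: s.mac == "MD5",
    "aNULL": lambda s: s.au == "None",
    "EDH": lambda s: s.kx == "DH" and s.au != "None",
    "SSLv3": lambda s: s.tag == "SSLv3",
}

def expand(cipher_string):
    """Return the suite names the string selects, in preference order."""
    chosen, killed = [], set()
    for rule in cipher_string.split(":"):
        kill = rule.startswith("!")
        match = ALIASES[rule.lstrip("!")]
        hits = [s.name for s in SUITES if match(s)]
        if kill:
            killed.update(hits)          # "!" removes a suite permanently
        else:
            chosen += [n for n in hits if n not in chosen]
    return [n for n in chosen if n not in killed]

def usable(cipher_string, max_client_version):
    """Suites still available to a client whose highest protocol is the given one."""
    tls12_only = {s.name for s in SUITES if s.tag == "TLSv1.2"}
    names = expand(cipher_string)
    return names if max_client_version == "TLSv1.2" else [n for n in names if n not in tls12_only]

PAGE = "RC4:HIGH:!MD5:!aNULL:!EDH:!SSLv3"   # tls_ciphers_server from the thread
RELAXED = "RC4:HIGH:!MD5:!aNULL:!EDH"       # same string without the SSLv3 class, for comparison
```

`usable(PAGE, "TLSv1.0")` is empty, which corresponds to the `no shared cipher` alert in the logs, while `usable(RELAXED, "TLSv1.0")` is not. POODLE is a flaw in the SSL 3.0 protocol version, which OpenSSL controls separately from the `SSLv3` cipher class.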
  • DBR, did you add the line #297 in exim.conf and :wq to write the file?

    Cheers - Bob
     
  • When inserting everything correctly for the ciphers, it works in my case... Looking forward to seeing whether this will be overwritten with the next version...