This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

quarantined email release fails

Releasing has recently gone wrong on my macos Sierra machine.

Tried it with Safari, Firefox and Chrome but all fail:

Safari:
Safari Can't Open the Page "https://<fqdn>:3840/release.plc?proto=smtp&mp;cluster_id=0&amp;message_id=1c2X06-0006pM-MV&amp;size=3469&amp;whitelist;0" because Safari can't establish a secure connection to the server "<fqdn>".

Firefox:
Secure Connection Failed
An error occurred during a connection to vgk.rcan.nl:3840. SSL received a record that exceeded the maximum permissible length. Error code: SSL_ERROR_RX_RECORD_TOO_LONG

 

Chrome:
This site can’t provide a secure connection
<fqdn> sent an invalid response
Try running Network Diagnostics.
ERR_SSL_PROTOCOL_ERROR

 

Update:

Now, a day later I found out that Safari is redirecting the http://<fqdn>:3840 to a https request. Odd. anyone experiencing similar issue?

 

Adrie



This thread was automatically locked due to age.
Parents
  • Hi Adrie,

    No issue reported yet. Check in the smtp.log when you release the quarantined mail, do you see any errors? 

    "Releasing has recently gone wrong on my macos Sierra machine." Did you mean that the emails are releasing perfectly through a Windows system?

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • I wouldn't know, I do not have access to a windows PC. 

    What I know is that, on the same macos machine, Firefox and Chrome are working.

    Cheers. Adrie

  • En het werkte?

    That points to a problem with DNS  configuration.   How does your setup differ from DNS Best Practice?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi,

    Well yes, that's what I meant by when I use the ip-address the release works fine. However I am quite sure this is not a dns issue while the http(s) request always reaches the proper server instantly, there is no dns request noticable (like eg. when root-servers are queried, because of no or bad forwarders are used)

    The issue here has to do with misuse of https for a http request which I am not able to pin-point (aaargh)

     

    Thanks anyway for helping.


    Regards. Adrie 

  • Hello, 

    Has a fix been found? We're having the same issue. Whenever our Chrome users click on the Release link on the Quarantine report, it will redirect the request from http to https, which results in the page not loading and the ERR_SSL_PROTOCOL_ERROR. 

    Is there a way to make the Release link use https instead of http? 

    Thanks!

  • Did you try a Google on stop chrome from redirecting to https?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I haven't tried it yet. The thing is this is happening to all of our users who use Chrome on their personal PCs. They are so many I can't manually apply that Chrome fix to every one of them. 

     

    I was looking for a fix on the UTM side of things, so that way the problem will be fixed for everyone. 

  • This suggestion is an experiment, and I give it a 10% chance of success.  In Webserver Protection, define a Real Server on "Internal (Address)" as HTTP (not HTTPS) using the port you've configured for the Quarantine Report.  Next, define Virtual Servers on "Internal (Address)" and "External (Address)" that use HTTPS on the same port.  Please report your results.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thanks for your suggestion! But, unfortunately, I don't have a WebServer Protection license so I can't access that feature. I only have a Network Protection and Email Protection license on my UTM.

  • Your reseller can get you a 30-day trial license for Full Guard so that you can test this.  Full Guard costs less than the combination of any three of the five subscriptions included.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • We have the same problem as described in the 1st post

    attempting to release a quarantined mail item from the digest fails with

    Safari can’t open the page “https://<fqdn>:3840/release.plc?proto=smtp&amp;cluster_id=0&amp;message_id=1ezWqw-0004mt-9G&amp;size=9707&amp;whitelist=0” because Safari can’t establish a secure connection to the server “<fqdn>”.

    this is true of both Safari and Firefox on Mac 10.12.6

    the link in the digest is

    http://<fqdn>:3840/release.plc?proto=smtp&cluster_id=0&message_id=1ezWqw-0004mt-9G&size=9707&whitelist=0

    NB http

    our device is UTM 9.508-10

    Gary

  • I think it is a DNS michmash rather than browser

Reply Children
  • The browser reports an SSL error

  • from your PC can you ping utm.hiddendomain.com please? What is the result?

  • Yes we can ping the fqdn from both internal and external utm interfaces, both return the same, correct IP. There is no problem with the DNS.

    On clicking the release link utm http daemon log has this

    2018:03:27-12:19:36 utm httpd: 192.168.2.157 - - [27/Mar/2018:12:19:36 +0100] "\x16\x03\x01" 404 -
    2018:03:27-12:19:36 utm httpd: 192.168.2.157 - - [27/Mar/2018:12:19:36 +0100] "\x16\x03\x01" 404 -
     
     
  • Probably I know the answer.

    Now:
    Define a host

    Name:  utm
    Type:   Host 
    Ip4 Address: 192.168.2.1 (your internal interface IP) 
    DHCP: No DHCP Server
    DNS Settings: utm.hidden-domain.com (your FQDN that is equal in Quarantine Configuration Hostname) 

    Flush Dns in PC, Ping it and release the email

  • I said from your PC, not UTM

  • testing the fqdn with openssl

    prosserg@ITRoom-Mint ~ $ openssl s_client -connect utm.<fqdn>:3840
    CONNECTED(00000003)
    140409629832864:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:795:
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 7 bytes and written 295 bytes
    ---
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE

    The utm has no virtual server configured for SSL on port 3840, yet the utm is causing the browser (I'm now using Firefox on Linux) to switch from http to https

    BUT as previously noted, the same release link works fine on an iPhone (Safari)

    Gary

  • Of course that is what I was doing and reporting, from a PC inside the network and from a PC outside the network. I was confirming that DNS is correct.

  • Thanks for the tip, but...

    Please explain what you mean by "Probably I know the answer." What IS the problem and why is this an answer ?

    Gary

  • Test the Host configuration as I said before.
    You are entering in loopback. And you didnt mentioned your IPHONE Connection 3G or wifi

    If You are from outside you can release the email from your external IP, from inside from your internal
    Hope you are clear on tha

  • Oldeda

    iPhone works fine on wifi and on 3G

    utm httpd: 192.168.15.138 - - [27/Mar/2018:13:24:26 +0100] "GET /release.plc? <----internal device

    utm httpd: 85.255.237.84 - - [27/Mar/2018:13:25:19 +0100] "GET /release.plc? <----external device

    You say 'you are entering in loopback' - I appreciate you are trying to help, but that phrase doesn't make sense to me. 

    You say test this configuration

    Name:  utm
    Type:   Host 
    Ip4 Address: 192.168.2.1 (your internal interface IP) 
    DHCP: No DHCP Server
    DNS Settings: utm.hidden-domain.com (your FQDN that is equal in Quarantine Configuration Hostname)

    so what definition do you propose for my other internal networks (5 in total) ?

    G