quarantined email release fails

Releasing has recently gone wrong on my macOS Sierra machine.

Tried it with Safari, Firefox and Chrome but all fail:

Safari:
Safari Can't Open the Page "https://<fqdn>:3840/release.plc?proto=smtp&cluster_id=0&message_id=1c2X06-0006pM-MV&size=3469&whitelist;0" because Safari can't establish a secure connection to the server "<fqdn>".

Firefox:
Secure Connection Failed
An error occurred during a connection to vgk.rcan.nl:3840. SSL received a record that exceeded the maximum permissible length. Error code: SSL_ERROR_RX_RECORD_TOO_LONG

Chrome:
This site can’t provide a secure connection
<fqdn> sent an invalid response
Try running Network Diagnostics.
ERR_SSL_PROTOCOL_ERROR

Update:

Now, a day later, I found out that Safari is redirecting the http://<fqdn>:3840 to an https request. Odd. Anyone experiencing a similar issue?

Adrie



  • Hi Adrie,

    No issue reported yet. Check the smtp.log when you release the quarantined mail: do you see any errors?

    "Releasing has recently gone wrong on my macos Sierra machine." Did you mean that the emails are releasing perfectly through a Windows system?

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • I wouldn't know, I do not have access to a windows PC. 

    What I know is that, on the same macos machine, Firefox and Chrome are working.

    Cheers. Adrie

  • I said from your PC, not UTM

  • testing the fqdn with openssl

    prosserg@ITRoom-Mint ~ $ openssl s_client -connect utm.<fqdn>:3840
    CONNECTED(00000003)
    140409629832864:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:795:
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 7 bytes and written 295 bytes
    ---
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE

    The utm has no virtual server configured for SSL on port 3840, yet the utm is causing the browser (I'm now using Firefox on Linux) to switch from http to https

    BUT as previously noted, the same release link works fine on an iPhone (Safari)

    Gary
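An added diagnostic (not from any poster in this thread and not Sophos code) that reproduces what the openssl test above does, but classifies the server's first reply instead of just failing. OpenSSL reporting "unknown protocol" after reading 7 bytes, Firefox's SSL_ERROR_RX_RECORD_TOO_LONG and Chrome's ERR_SSL_PROTOCOL_ERROR are all consistent with a plaintext HTTP listener answering a TLS ClientHello with something like "HTTP/1.1 400 ...", which is a different condition from a TLS listener with a bad certificate; the probe below tells the two apart. The hostname `utm.example.invalid` and the sample replies are constructed placeholders, and the ClientHello is deliberately minimal (a strict server may answer with a TLS alert, which still proves the port speaks TLS).

```python
import os
import socket
import struct

# Constructed sample replies (not captured from the thread's UTM): the first
# bytes a server sends back after receiving a TLS ClientHello.
SAMPLE_PLAINTEXT_REPLY = b"HTTP/1.1 400 Bad Request\r\nContent-Type: text/html\r\n\r\n"
SAMPLE_TLS_REPLY = b"\x16\x03\x03\x00\x31\x02\x00\x00\x2d\x03\x03"  # start of a ServerHello record

# How each classification shows up in the clients mentioned in the thread.
SYMPTOMS = {
    "plaintext-http": "openssl: 'unknown protocol' after 7 bytes; Firefox: SSL_ERROR_RX_RECORD_TOO_LONG; "
                      "Chrome: ERR_SSL_PROTOCOL_ERROR (port serves HTTP only)",
    "tls-handshake": "port speaks TLS; any remaining error is certificate or cipher related, not a missing listener",
    "tls-alert": "port speaks TLS but rejected this minimal ClientHello (cipher/version mismatch)",
    "closed": "server closed the connection without replying",
    "unknown": "reply is neither TLS nor HTTP; inspect the raw bytes",
}


def build_client_hello(server_name: str) -> bytes:
    """Build a minimal TLS 1.2 ClientHello carrying only an SNI extension."""
    client_random = os.urandom(32)
    suites = b"\xc0\x2f\xc0\x30\x00\x9c\x00\x2f"  # ECDHE-RSA-AES128/256-GCM, RSA-AES128-GCM, RSA-AES128-CBC
    name = server_name.encode("idna")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name            # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = b"\x00\x00" + struct.pack("!H", len(sni_list)) + sni_list   # extension type 0 = server_name
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (b"\x03\x03" + client_random + b"\x00"                         # version 1.2, random, empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                                                 # compression methods: null only
            + extensions)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body        # type 1 = client_hello, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record type 22, record version 1.0


def classify_reply(first_bytes: bytes) -> str:
    """Classify the first bytes a server returns after our ClientHello."""
    if not first_bytes:
        return "closed"
    if len(first_bytes) >= 2 and first_bytes[1] == 0x03:  # TLS record: type, then major version 3
        if first_bytes[0] == 0x16:
            return "tls-handshake"
        if first_bytes[0] == 0x15:
            return "tls-alert"
    if first_bytes.startswith(b"HTTP/"):
        return "plaintext-http"
    return "unknown"


def probe(host: str, port: int, timeout: float = 5.0) -> str:
    """Connect, send the ClientHello, and classify the first 7 bytes of the
    reply (the same amount openssl s_client reported reading in the thread)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(host))
        try:
            data = sock.recv(7)
        except socket.timeout:
            data = b""
    return classify_reply(data)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "utm.example.invalid"  # placeholder hostname
    verdict = probe(target, 3840)
    print(verdict, "-", SYMPTOMS[verdict])
```

Run it as `python3 probe.py utm.<fqdn>` from both an internal and an external client. A "plaintext-http" verdict confirms the UTM is serving plain HTTP on 3840 and the problem is that the client decided to speak TLS before the connection was opened; that decision is browser-side state, which this probe cannot see. One browser mechanism that does exactly this is a cached HSTS policy for the hostname (HSTS applies to every port on the host, and a parent-domain policy with includeSubDomains covers it too), which would fit the symptom appearing on some clients and not others.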

  • Of course that is what I was doing and reporting, from a PC inside the network and from a PC outside the network. I was confirming that DNS is correct.

  • Thanks for the tip, but...

    Please explain what you mean by "Probably I know the answer." What IS the problem and why is this an answer ?

    Gary

  • Test the Host configuration as I said before.
    You are entering in loopback. And you didn't mention your iPhone connection, 3G or wifi.

    If you are outside you can release the email via your external IP, from inside via your internal one.
    Hope you are clear on that.

  • Oldeda

    iPhone works fine on wifi and on 3G

    utm httpd: 192.168.15.138 - - [27/Mar/2018:13:24:26 +0100] "GET /release.plc? <----internal device

    utm httpd: 85.255.237.84 - - [27/Mar/2018:13:25:19 +0100] "GET /release.plc? <----external device

    You say 'you are entering in loopback' - I appreciate you are trying to help, but that phrase doesn't make sense to me. 

    You say test this configuration

    Name:  utm
    Type:   Host 
    Ip4 Address: 192.168.2.1 (your internal interface IP) 
    DHCP: No DHCP Server
    DNS Settings: utm.hidden-domain.com (your FQDN that is equal in Quarantine Configuration Hostname)

    so what definition do you propose for my other internal networks (5 in total) ?

    G

  • Internal Network Address 192.168.15.138 for all 5 internals, because you can reach this IP from all internal networks. 

  • Oldeda

    can you explain exactly what you meant by 'a loopback' effect ?

    I still don't understand why a non-ssl client request to the utm on port 3840 is converted to ssl (on the same port) for SOME but not all clients, thus generating the error I've reported.

    Gary

  • Because you may have some NAT rules for the WAN interface, WAF or web filter. You are hitting the WAN address, I think.

  • Maybe

    but on click release link

    web filter - nothing in its log

    waf - nothing reported in its log

    nat rules - we have 2 which relate to the external IP matching the fqdn I have cited

    there is nothing in the web server log of GEORGE_SECURED indicating 'release' requests are being directed there - not surprising since HTTP = port 80, while release request is for port 3840

    Gary

  • I suggest testing it with the internal IP. I mean put your internal IP 192.168.x.x in Quarantine Configuration.
    Edit the link in the email to 192.x.x:3840 and you will be able to see the Sophos logo with the explanation whether the email was released or not.

    The next problem must be that WAF Protection is handling all requests for utm.local.com, regardless of the port 3840.
    Try to put another A record in the DNS zone. I cannot test it because I don't have WAF enabled. GEORGE_SECURE is redirecting to https. I am 90% sure.

  • there is no log record in GEORGE_SECURE for requests to port 3840 - anyway it's not listening on that port so it will drop, not redirect to https

    I can't simply have spam releases via an internal IP since our clients will be both internal and external

    btw - external requests work

    IF waf protection is handling port 3840 that suggests a problem in its internals

    the immediate issue for diagnostics is the lack of logging of requests to the utm via port 3840 - without that we don't know what's actually happening

    Gary

  • I don't see any logic in having WAF and DNAT rules for web services.
    Just for a test:
    LOG OUT from the UTM and edit the hosts file on your PC. Put the hostname of the spam release there with the internal IP.
    Flush your PC's DNS. And click the link after that.

  • The certificate is redirecting you

    Bye