Hello Sophos Community,
I am currently experiencing issues when accessing certain external imap servers through my Sophos XG.
I have several different imap accounts configured on my clients (7 accounts) but only 5 of them work through my Sophos without any problem.
When accessing two of them there's an error saying: SSL handshake timeout - all others work without any problem. All accounts work when using another network (e.g. mobile network or a friend's wifi). So this shouldn't be a configuration issue.
I have proxy, webfiltering and imap scanning enabled, so I created a FW rule allowing a test client to access any/any, put it on top, disabled webfiltering, created a webfilter exception (just to be sure) but there are still these handshake timeouts.
This is everything I get, when trying to check my mails: (unfortunately nothing else in the log files, so far)
Any advice would be appreciated.
I am running a Sophos XG 18.0.1 MR-1.
Hi Björn Berg,
Thank you for reaching out to the Community!
I would advise you to run a packet capture on the destination server IP and replicate the issue and PM me the packet capture.
Check out the following KBA for more info on packet capture: Sophos XG Firewall: How to capture packets and download the Packet Capture.
Community Support Engineer | Sophos Technical Support
Thank you for getting back to me. I just PM'ed you a link to the capture file.
Let me know if you need something more.
There is a bug in the current version of IMAP when using scanning. The bug is reportedly fixed in v18.0.3 MR-3.
Many people are waiting for the release of MR-3.
Ian
Yes, I read about that. I am not sure whether this will resolve my issue as I created an exception and disabled filtering so far. And AFAIK there should be entries in the warren.log when IMAP/SMTP scanning is used but there are no entries when trying to connect via IMAP to these accounts.
But yes, I am also looking forward to the release of MR3.
Please review the TLS log. The error messages you have posted have nothing to do with email, they are from sessions that have ended where the handshake has not completed in time.
Yes, I am aware that these entries have nothing to do with email and I know what these "invalid traffic" messages mean in this case - but these are the only messages I receive and they're immediately displayed when checking for mail via IMAPS (TCP 993). So this is at least somehow connected to the issue/traffic. Unfortunately I do not have any other message or logs - not even in the TLS logs (SSL/TLS inspection is not enabled). This is why I created this thread.
There's nothing in the TLS logs.
I solved a similar issue by adding the IP address or hostname (TLS SNI) to the URL group included in the "Exclusions by website or category" default rule under SSL/TLS inspection rules.
The source is an internal server in a zone/network not included in any of the other rules, but the exclusion was still necessary.
Please review this thread regarding issues with IMAPS.
Thank you very much for your suggestion but I do not have SSL/TLS inspection enabled:
So basically this shouldn't be a problem.