Protocol filtering stops access to emails


joaer

Yesterday, I got an automatic update for my ESET NOD32 to version 14.0.21.0 on my Win10 computer. After restart, I was no longer able to access some of my email accounts using thunderbird. My gmail and outlook accounts worked, but my main account, a local IMAP server, hung with the message "Checking mail server capabilities..." At the same time, my firefox browser started to fail on a number of sites (not all, mind you) with the error "Secure Connection Failed: Peer’s certificate has an invalid signature. Error code: SEC_ERROR_BAD_SIGNATURE, The page you are trying to view cannot be shown because the authenticity of the received data could not be verified."

All of this worked perfectly before I updated NOD32 so I started to investigate the AV settings, and soon discovered that if I disabled SSL/TLS protocol filtering, all worked perfectly. So something has happened when applying the update. Today, I found a new NOD32 update, 14.0.22.0, which I hoped should solve the problem, but it did not. Likewise, I updated both firefox and thunderbird to latest releases, but the problem is still there. I tried to find some useful changelog but could not find any other than a very high-level description which did not help me.

So I wonder, given that I did not have these problems until I did the update yesterday, what has happened in NOD32 that broke my browsing and email reading? For obvious reasons, I don't want to have protocol filtering disabled permanently.

Regards, Joakim

Edited by joaer
Link to comment
Share on other sites

Since both Thunderbird and FireFox are having SSL/TLS protocol scanning issues, the only thing I can think of is that you somehow have a bad Eset certificate installed. An Eset product update will update the existing Eset root certificate in both Thunderbird and FireFox. How this could have happened I have no clue.

Verify Eset certificate shows "OK" per the below screenshot:

Eset_Cert.thumb.png.5d416dd7365f754a8baaed4a9eddecd4.png

Edited by itman
Link to comment
Share on other sites

Thanks for your reply! The root certificate is fine.

However, I have done some more checking, and it appears that the firefox problems are intermittent; for now it seems to work even if SSL/TLS protocol filtering is enabled.

Then I found a setting affecting only protocol filtering for the email client, and I can confirm that thunderbird problems are reproducible. Any ideas?

 

Link to comment
Share on other sites

I'm having the same problem. Since a few days my Thunderbird (78.4.0) won't connect to SSL IMAP accounts if IMAPS protocol filtering is enabled in ESET.

My mailserver responds:

Oct 28 11:02:39 srv212 dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=..., lip=..., TLS handshaking: Connection closed, session=<RIV2Q7iyL/AgAQmCLKoAAbkEkhRHCuES>
Oct 28 11:02:39 srv212 dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=..., TLS: read(size=637) failed: Connection reset by peer, session=<7Px4Q7iyK/AgAQmCLKoAAbkEkhRHCuES>

 

Link to comment
Share on other sites
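
A server-side way to spot the pattern in the two Dovecot lines above, as an added example that is not part of the original post: it counts, per remote IP, login-process disconnects that failed inside TLS before any authentication attempt. The sample lines, addresses and session ids are constructed, and the category names are hypothetical labels chosen for this sketch.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the two Dovecot entries in the thread;
# the addresses are documentation placeholders, not values from the post.
SAMPLE_LOG = """\
Oct 28 11:02:39 srv212 dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=192.0.2.10, lip=192.0.2.1, TLS handshaking: Connection closed, session=<AAAAconstructed1>
Oct 28 11:02:39 srv212 dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=192.0.2.10, lip=192.0.2.1, TLS: read(size=637) failed: Connection reset by peer, session=<AAAAconstructed2>
Oct 28 11:05:02 srv212 dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.20, lip=192.0.2.1, mpid=4242, TLS, session=<AAAAconstructed3>
Oct 28 11:06:17 srv212 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 4 secs): user=<bob>, method=PLAIN, rip=192.0.2.30, lip=192.0.2.1, TLS, session=<AAAAconstructed4>
"""

LINE_RE = re.compile(
    r"dovecot: (?P<svc>imap-login|pop3-login): "
    r"(?P<event>Disconnected|Login)(?: \((?P<reason>[^)]*)\))?: "
    r"(?P<fields>.*)$"
)

def classify(line):
    """Return (rip, category) for a login-process line, or None if unrelated."""
    m = LINE_RE.search(line)
    if not m:
        return None
    fields = m.group("fields")
    rip = re.search(r"\brip=([^,\s]+)", fields)
    rip = rip.group(1) if rip else "unknown"
    reason = m.group("reason") or ""
    if m.group("event") == "Login":
        return rip, "login_ok"
    # "TLS handshaking: ..." or "TLS: ..." carries an error; a bare "TLS," does not.
    tls_error = re.search(r"TLS(?: handshaking)?: ", fields)
    if reason.startswith("no auth attempts") and tls_error:
        return rip, "tls_abort_before_auth"
    if "auth failed" in reason:
        return rip, "auth_failed"
    return rip, "other_disconnect"

def summarize(log_text):
    """Count (rip, category) pairs across all matching lines."""
    counts = Counter()
    for line in log_text.splitlines():
        result = classify(line)
        if result:
            counts[result] += 1
    return counts

if __name__ == "__main__":
    for (rip, cat), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{rip:15} {cat:22} {n}")
```

A client that only ever appears under `tls_abort_before_auth` never reached authentication, which points at the TLS layer on the client side rather than at credentials.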

  • Administrators

Please try the following:

- switch to the pre-release update channel in the advanced update setup
- with TB closed, disable SSL filtering and click OK
- re-enable SSL filtering and click OK
- launch TB and check if the issue persists.

Link to comment
Share on other sites

5 hours ago, Marco5342 said:

Since a few days my Thunderbird (78.4.0) won't connect to SSL IMAP accounts if IMAPS protocol filtering is enabled in ESET.

I have no problem connecting to AOL e-mail using IMAPS. Is the problem with a local IMAPS server?

Link to comment
Share on other sites

10 hours ago, joaer said:

However, I have done some more checking, and it appears that the firefox problems are intermittent; for now it seems to work even if SSL/TLS protocol filtering is enabled.

Post a few web site URLs where you have problems in FireFox w/Eset SSL/TLS protocol scanning enabled.

Edited by itman
Link to comment
Share on other sites

Marco5342: these error messages are similar to the ones I get when protocol filtering is enabled.

itman, as I mentioned, I have no problem accessing major email providers like gmail and outlook, but the problem is with my local IMAP server. It might be that NOD32 after the update finds the local self-generated certificate problematic, although it is sufficient for my needs. I found a Certificate Validity setting under Web and Email SSL/TLS settings in NOD32, but the only two options, "block" and "ask", did not make much difference either way. To be honest, I believe that certificate validity should be handled by the application, not the antivirus software. Is there any way to disable this check for local domains?

When it comes to firefox, these errors now seem to have disappeared, for unknown reasons. Great, as long as it stays that way.

Link to comment
Share on other sites

Marcos: I tried pre-release update channel, but no change; I still cannot connect to my local IMAP server if email protocol filtering is enabled.

Link to comment
Share on other sites

1 hour ago, Marcos said:

Please try the following:

- switch to the pre-release update channel in the advanced update setup
- with TB closed, disable SSL filtering and click OK
- re-enable SSL filtering and click OK
- launch TB and check if the issue persists.

Done that, but no change. Got an update to ESET 14.0.22.0, no change.

For me every IMAP (remote) server fails with IMAPS scanner on (gmail, office 365, ....)

But...I just installed a new laptop with exactly the same software (Thunderbird profile is a file copy, so exactly the same) and that one has no problem at all. On my old laptop it suddenly appeared last week after turning on my computer. So there must be a special corner case....

Link to comment
Share on other sites

I have several dozen clients that are all reporting this issue as well; they all get an error stating the server does not support the encryption method all of a sudden. This is affecting Rogers emails as well as other ISPs using SSL but not Gmail. It does not affect TLS, only SSL.

This is all since 14.0.21.0.

A workaround is to either disable SSL/TLS filtering or change it from automatic mode to interactive mode; when you send and receive, Eset AV prompts you if you want to scan the protocol, and choosing yes and remember for this application then resolves the issue, and you can change it back to Automatic.

Link to comment
Share on other sites

14.0.22.0 

no change 



Task 'XXXXX@execulink.com - Receiving' reported error (0x800CCC1A) : 'Your server does not support the connection encryption type you have specified. Try changing the encryption method. Contact your mail server administrator or Internet service provider (ISP) for additional assistance.'

With SSL/TLS protocol filtering off it works, or, like I said, setting SSL/TLS filtering mode from automatic to interactive, then allowing the mail client when Eset prompts you for action, telling it to scan and selecting remember application, and then setting SSL/TLS filtering mode back to automatic fixes this.

Link to comment
Share on other sites

4 hours ago, JeffJ said:

This is affecting Rogers emails as well as other ISPs using SSL but not Gmail. It does not affect TLS, only SSL.

At least we're getting somewhere now.

Eset has a setting for SSL/TLS protocol scanning accessible via Advanced Setup that blocks SSL v2 traffic. I suspect this setting, possibly by mistake in ver. 14, is now blocking all SSL traffic. Disable this setting and see if e-mail connectivity to its server is resolved.

Eset_SSL.thumb.png.25e131ee7001fa473e08faf8130a3acb.png

Edited by itman
Link to comment
Share on other sites

11 hours ago, itman said:

Eset has a setting for SSL/TLS protocol scanning accessible via Advanced Setup that blocks SSL v2 traffic. I suspect this setting, possibly by mistake in ver. 14, is now blocking all SSL traffic. Disable this setting and see if e-mail connectivity to its server is resolved.

Thanks for the suggestion, but changing this setting doesn't resolve the issue for me.

Link to comment
Share on other sites

Disabling blocking of obsolete protocols does not fix the issue; the only resolution that works is either disabling SSL/TLS filtering or doing my interactive prompting workaround posted above.

Furthermore, disabling blocking of obsolete protocols breaks properly working Outlook even after I deploy the workaround that fixes it.

Link to comment
Share on other sites

22 hours ago, JeffJ said:

A workaround is to either disable SSL/TLS filtering or change it from automatic mode to interactive mode; when you send and receive, Eset AV prompts you if you want to scan the protocol, and choosing yes and remember for this application then resolves the issue, and you can change it back to Automatic.

This really doesn't make a lot of sense in regards to client received e-mail.

The feature is primarily designed via web site certificate identification to modify Eset's default SSL/TLS protocol scanning behavior for a given web site. It can also be used to override Eset default Access and Scan settings for a given web site.

What may be "busted" in ver. 14 in regards to e-mail is this setting which is enabled by default:

Quote

Exclude communication with trusted domains – When enabled, communication with trusted domains will be excluded from checking. The trustworthiness of a domain is determined by a built-in whitelist.

https://help.eset.com/eis/14/en-US/idh_config_epfw_ssl_known.html?idh_config_epfw_ssl.html

I will also add that I use Thunderbird as my e-mail client with two third-party e-mail providers set up, one POPS and one IMAPS, and I have no issues receiving e-mail using ver. 14. Of note, the connection security for both e-mail providers is SSL/TLS and not STARTTLS:

Quote

STARTTLS is an email protocol command that tells an email server that an email client, including an email client running in a web browser, wants to turn an existing insecure connection into a secure one. (By the way, the use of “TLS” in the STARTTLS command name does not mean that it only works with the TLS security protocol. It works with SSL too.)

https://www.sparkpost.com/resources/email-explained/ssl-tls-starttls-encyption/

Edited by itman
Link to comment
Share on other sites

On 10/27/2020 at 4:01 PM, joaer said:

but my main account, a local IMAP server, hung with the message "Checking mail server capabilities..."

In regards to this Thunderbird e-mail account, is it indeed an IMAP account and not IMAPS? What is the connection security for this account in Thunderbird? The options are None, STARTTLS, or SSL/TLS.

Link to comment
Share on other sites

It may not make sense, itman, but myself and the other 3 techs have fielded over 50 calls from clients on Eset with this exact issue since ver 14, and the workaround I explained is the solution every single time.

Thunderbird does not suffer from these issues; Eset seems to handle its integration with the mail servers automatically and it's working as intended.
 

This is an eset with outlook issue, I've confirmed it on outlook 2013, 2016 and Outlook 365. None of our clients who use Thunderbird have issues. 

Edited by JeffJ
Link to comment
Share on other sites

3 hours ago, JeffJ said:

This is an eset with outlook issue, I've confirmed it on outlook 2013, 2016 and Outlook 365. None of our clients who use Thunderbird have issues. 

Note that you posted into an existing forum thread. The OP of this thread was having an issue with Thunderbird.

This is why the forum rules are not to cross-post into an existing thread. It only causes more confusion and often results in the OP's issue being obscured and not being resolved.

Link to comment
Share on other sites

Hello,

Under thunderbird 78, to collect my IMAP mails, I had to, in the advanced settings of NOD 32, Mail client protection, disable the configuration of the IMAPS scan engine. Everything works then, but without protection upstream of the collected mails!

Best regards

Link to comment
Share on other sites

22 minutes ago, itman said:

Note that you posted into an existing forum thread. The OP of this thread was having an issue with Thunderbird.

This is why the forum rules are not to cross-post into an existing thread. It only causes more confusion and often results in the OP's issue being obscured and not being resolved.

It's the same issue, I was just reporting I couldn't recreate it with Thunderbird, doesn't mean that it's not happening with that client.

Link to comment
Share on other sites

1 hour ago, Gascogne said:

Hello,

Under thunderbird 78, to collect my IMAP mails, I had to, in the advanced settings of NOD 32, Mail client protection, disable the configuration of the IMAPS scan engine. Everything works then, but without protection upstream of the collected mails!

Best regards

I was on ver. 68.12.1 and had no issues w/Eset IMAPS and POPS scanning enabled. Just upgraded to 78.4.0 and still no issues.

Are you using an internal IMAPs server? Both my IMAPS and POPS connections are to third party e-mail providers; AOL and Yahoo.

Edited by itman
Link to comment
Share on other sites

5 hours ago, JeffJ said:

This is an eset with outlook issue, I've confirmed it on outlook 2013, 2016 and Outlook 365. None of our clients who use Thunderbird have issues. 

Refer to my prior posted Advanced setup screen shot. Do you have "Exclude communication with trusted domains" enabled?

Link to comment
Share on other sites

1 hour ago, itman said:

Are you using an internal IMAPs server? Both my IMAPS and POPS connections are to third party e-mail providers; AOL and Yahoo.

No, only e-mail providers like Orange (France)

Link to comment
Share on other sites

1 hour ago, Gascogne said:

No, only e-mail providers like Orange (France)

Based on what I see here: https://emailconfiguration.com/orange-fr , Orange e-mail is using SSL. I am interpreting this literally to mean it is not using TLS.

As noted above, others are also having the same issue when trying to receive SSL communication from their e-mail providers' servers. As such, it really appears Eset e-mail is no longer working for SSL e-mail other than by creating a certificate exclusion in Eset SSL/TLS protocol scanning as posted previously.

Open an Eset tech support request with your in-country Eset provider so this issue is properly tracked. I also advise anyone else receiving e-mail via SSL and having issues to do the same.

Link to comment
Share on other sites

This topic is now closed to further replies.