version 7.12.125 can't access to TLS anymore

Forum for MailWasher Pro 7 and/or older 2011/2012 versions.
StevenP94
Student Sheep
Posts: 12
Joined: Tue Nov 22, 2022 10:20 am

version 7.12.125 can't access to TLS anymore

Tue Mar 21, 2023 2:09 am

Hi,
I have a lot of accounts configured as POP and reading mails from port 995, SSL/TLS.
Starting from tomorrow morning I can't read emails anymore. Seems that SSL/TLS connection is not working. Is MailWasher using TLS 1.2 or (better) 1.3?
In the server logs I found this error:

TLS handshaking: SSL_accept() failed: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher

but reading mails from Outlook with TLS works fine, just Mailwasher is unable to read received mails.
Any hint?
Digerati
Microsoft MVP
Location: Nebraska, USA
Posts: 1921
Joined: Thu Jul 24, 2008 3:16 pm

Re: version 7.12.125 can't access to TLS anymore

Tue Mar 21, 2023 2:58 am

Starting from "tomorrow" morning???

FWIW, I use POP for my gmail accounts which are SSL/TLS and I am not having any problems reading those emails with MWP 7.12.125.
Bill (AFE7Ret)
Freedom is NOT Free!
Windows and Devices for IT, 2007 - 2018
Heat is the bane of all electronics!
─────────────────────
StevenP94
Student Sheep
Posts: 12
Joined: Tue Nov 22, 2022 10:20 am

Re: version 7.12.125 can't access to TLS anymore

Tue Mar 21, 2023 4:28 am

Obviously it was today, not tomorrow. I apologize for my English; it is not so simple to explain a technical issue in another language. Anyway, I suspect an SSL security update, and what was working yesterday doesn't work today.
The mail server I cannot access is managed by me, so I can investigate server side too.
Outlook can access and read mailboxes, MailWasher cannot. I changed nothing client side; I'm investigating what may have changed in my dovecot/postfix server configuration.
Now starting Wireshark to check what is happening.
Digerati
Microsoft MVP
Location: Nebraska, USA
Posts: 1921
Joined: Thu Jul 24, 2008 3:16 pm

Re: version 7.12.125 can't access to TLS anymore

Tue Mar 21, 2023 4:53 am

No need to apologize. I was just teasing. I figured you either meant today or yesterday. :)

I wish I could offer you some help but this is not my area. All I can do is verify this is not a MailWasher problem - other than, maybe, a user setting. But that seems unlikely if it worked before and you made no changes. Hopefully someone with more knowledge in this area will stop by. Otherwise, if your server software has a forum, you might ask there.
─────────────────────
StevenP94
Student Sheep
Posts: 12
Joined: Tue Nov 22, 2022 10:20 am

Re: version 7.12.125 can't access to TLS anymore

Tue Mar 21, 2023 5:25 am

Thanks for your reply,
My daughter, running an older version, had same problem with same server so is probably due to a server security update. Server supports TLS 1.2 and 1.3, my doubt was: Mailwasher uses TLS 1.2 + or is still using 1.1 ?
This could be the cause.
gingbat
Least Evil Firetrust Employee
Posts: 1010
Joined: Mon Jul 28, 2008 4:04 pm

Re: version 7.12.125 can't access to TLS anymore

Tue Mar 21, 2023 5:57 am

Yes, MWPro 7 does support TLS 1.2 so that should not be a problem, (only the older MWpro 6 uses the older SSL version).

I'd definitely be checking the update that was installed as something must not be quite right there....
StevenP94
Student Sheep
Posts: 12
Joined: Tue Nov 22, 2022 10:20 am

Re: version 7.12.125 can't access to TLS anymore

Tue Mar 21, 2023 6:35 am

Thanks for your reply. I'm sniffing with Wireshark and found that MailWasher uses TLS 1 vs my mail server and 1.2 vs other mail servers, so I'm checking the server protocols. Weird fact: Outlook manages the connection well and connects using 1.2.
StevenP94
Student Sheep
Posts: 12
Joined: Tue Nov 22, 2022 10:20 am

Re: version 7.12.125 can't access to TLS anymore

Tue Mar 21, 2023 8:50 am

After a lot of tries, I give up: I can't use SSL/TLS on MailWasher anymore, but only when connecting to my mail server.
Outlook works fine and connects and retrieves mails using TLS 1.2.
When MailWasher connects with other mail servers it uses TLS 1.2 and retrieves mails correctly.
When MailWasher connects with my mail server it uses TLS 1 and gives error 50 (grabbed with Wireshark on Client Hello):

TLSv1 Record Layer: Alert (Level: Fatal, Description: Decode Error)
Content Type: Alert (21)
Version: TLS 1.0 (0x0301)
Length: 2
Alert Message
Level: Fatal (2)
Description: Decode Error (50)

My mail server has a score of 114 on https://www.checktls.com/TestReceiver and it says that all is working fine.
I have checked connection and dialog using openssl and all seems ok.
Just dunno.
Any hints?
Thanks in advance
gingbat
Least Evil Firetrust Employee
Posts: 1010
Joined: Mon Jul 28, 2008 4:04 pm

Re: version 7.12.125 can't access to TLS anymore

Wed Mar 22, 2023 5:37 am

Is there a possibility that another program may be interfering with MW's connection to the server...? possibly a firewall or antivirus program is hijacking the connection and causing a conflict....?

If no, you're welcome to post your log here and we'll see if we can see anything out of place if you wish? (just ensure you XXXXXX out your email and other personal details).

The log is named something like: "MWPapp_username_mailserver_com.log" and is located under Help>>User Files>>Logs folder, open the folder with the date of when you got the error last.
TrustFire
βeta Tester
Location: 127.0.0.1
Posts: 13164
Joined: Fri Jul 30, 2010 11:04 pm

Re: version 7.12.125 can't access to TLS anymore

Wed Mar 22, 2023 7:00 pm

StevenP94 wrote:
Tue Mar 21, 2023 2:09 am
<snip> but reading mails from Outlook with TLS works fine, just Mailwasher is unable to read received mails.
Any hint?
For the purpose of reading "received" mails . . . neither does MailWasher use TLS nor does Outlook — in other words . . . TLS has no role in inbound traffic.

TLS comes into play only where mail-sending (outbound traffic) is concerned . . . by default, MailWasher uses SSL (over port # 465) instead of TLS — however . . . if you want to use TLS for sending mails, you will need to re-route your sending (outbound traffic) through port # 587.

TLS is a port-specific SMTP connection — it's working fine, here . . . as usual. ;)
TLS__(Port#587).png
MailWasher Pro (βeta) | Windows 11 Enterprise LTSC (22H2) | The Bat! Professional (βeta) | Windows 10 Firewall Control (βeta) | ESET Endpoint Antivirus (βeta) | nVIDIA GeForce (GTX 1060) | WebView2 Runtime (118.0.2088.61) | .NET Framework (4.8.1)
StevenP94
Student Sheep
Posts: 12
Joined: Tue Nov 22, 2022 10:20 am

Re: version 7.12.125 can't access to TLS anymore

Thu Mar 23, 2023 11:39 am

When Mailwasher connects with my mail server uses TLS 1 and give error 50 (grabbed with wireshark on Client Hello):

TLSv1 Record Layer: Alert (Level: Fatal, Description: Decode Error)
Content Type: Alert (21)
Version: TLS 1.0 (0x0301)
Length: 2
Alert Message
Level: Fatal (2)
Description: Decode Error (50)


TLS is used to secure client / server connection. It's not limited to SMTP only. https://en.wikipedia.org/wiki/Transport_Layer_Security

@Gingbat this is an extract of log:


03-20-2023 19:07:57.264	Info	****************************************************************************************************************************
03-20-2023 19:07:57.264	Info	BEGIN FETCH MAIL SESSION ON ACCOUNT MY_ACCOUNT   Acct-999999999
03-20-2023 19:07:57.264	Info	****************************************************************************************************************************
03-20-2023 19:07:57.264	Info	MWPfetch::ObjectThreadMethod acc=Acct-999999999 AccountType=0 user=myuser@mydomain host=myhost.mydomain port=995 logintype=1 sslmode=1
03-20-2023 19:07:57.265	Info	MWPapplication::FetchAccount acc=Acct-999999999 AccountType=0 user=myuser@mydomain host=myhost.mydomain port=995 logintype=1 sslmode=1
03-20-2023 19:07:57.265	Info	POPservice::POPservice host=myhost.mydomain port=995
03-20-2023 19:07:57.265	Info	LOGIN acc=Acct-999999999 user=myuser@mydomain host=myhost.mydomain port=995 logintype=1 sslmode=1
03-20-2023 19:08:02.353	Error	MWP_POP3::POPconnect SocketException - GetLine failed() failed with code 0: Operazione completata.
03-20-2023 19:08:08.439	Error	MWP_POP3::POPconnect SocketException - GetLine failed() failed with code 0: Operazione completata.
03-20-2023 19:08:09.440	Error	POPservice::Login - <ADDXML><TYPE>POPLOGIN</TYPE><HOST>myhost.mydomain</HOST><PORT>995</PORT><ACCOUNT_TEXT>MY_ACCOUNT</ACCOUNT_TEXT><ACCOUNT>Acct-999999999</ACCOUNT><USER>myuser@mydomain</USER><LOGINTYPE>1</LOGINTYPE><SSLMODE>1</SSLMODE></ADDXML>
03-20-2023 19:08:19.145	Info	POPservice::POPservice host=myhost.mydomain port=995
03-20-2023 19:08:24.266	Error	MWP_POP3::POPconnect SocketException - GetLine failed() failed with code 0: Operazione completata.
03-20-2023 19:08:30.366	Error	MWP_POP3::POPconnect SocketException - GetLine failed() failed with code 0: Operazione completata.
03-20-2023 19:08:31.367	Error	POPservice::TestAccount  - unknown error
03-20-2023 19:10:21.304	Info	POPservice::POPservice host=myhost.mydomain port=995
03-20-2023 19:10:26.378	Error	MWP_POP3::POPconnect SocketException - GetLine failed() failed with code 0: Operazione completata.
03-20-2023 19:10:32.465	Error	MWP_POP3::POPconnect SocketException - GetLine failed() failed with code 0: Operazione completata.
03-20-2023 19:10:33.465	Error	POPservice::TestAccount  - unknown error
03-20-2023 19:13:45.696	Info	POPservice::POPservice host=myhost.mydomain port=995
03-20-2023 19:13:50.777	Error	MWP_POP3::POPconnect SocketException - GetLine failed() failed with code 0: Operazione completata.
03-20-2023 19:13:56.862	Error	MWP_POP3::POPconnect SocketException - GetLine failed() failed with code 0: Operazione completata.
03-20-2023 19:13:57.863	Error	POPservice::TestAccount  - unknown error
gingbat
Least Evil Firetrust Employee
Posts: 1010
Joined: Mon Jul 28, 2008 4:04 pm

Re: version 7.12.125 can't access to TLS anymore

Thu Mar 23, 2023 3:19 pm

Great, ta for that, and yes, MW cannot even make contact with the server. I see a lot of "SocketException" errors instead; those usually mean that your firewall, antivirus program's email scanner or other security software has blocked MWPro from checking mail there? Please check the settings in there to ensure MW is allowed full internet access, and has no rules either blocking it, or incorrectly set up, which could cause issues. If no, or no better, is there an antivirus email scanner active on your PC there? (Within your antivirus or firewall software), maybe try disabling this and see if that helps?

(NOTE: the antivirus real time scanner will still scan any emails and attachments for viruses anyway, so you are quite safe)
StevenP94
Student Sheep
Posts: 12
Joined: Tue Nov 22, 2022 10:20 am

Re: version 7.12.125 can't access to TLS anymore

Thu Mar 23, 2023 7:30 pm

The weird things are:
a) firewalling MW as denied application on my PC can't be: MW works with other ports (110 with no auth is enabled and working)
b) firewalling port as denied connection on my PC can't be: Outlook works with that TLS connection on 995
c) AV disabled gives same results - I'm using Avast free
d) sniffing TCP using wireshark gives failed TLS1 connection vs my mail server (that allows only 1.2+) and working TLS1.2 vs other servers (from MW) and working TLS1.2 connection from Outlook vs every servers

I have logs serverside (dovecot+postfix) and client side (MW and Wireshark)

There is something else I can do to identify the problem?

Thanks in advance

UPDATE
Seems that the problem is this:
SSL_accept() failed: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher

These are the ciphers supported by MW - and it gives no connection.

Cipher Suites (29 suites)
Cipher Suite: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca9)
Cipher Suite: TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xccaa)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x0067)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x006b)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)
Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f)
Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)
Cipher Suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)
Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)
Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)

These are the ciphers supported by Outlook (and works)

Cipher Suites (22 suites)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f)
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)

Seems that the first two are missing and the others are not on my system anymore, probably by a security update
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)

I hope that this will help
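
The comparison made in the post above, worked through as an added example (not code from the thread or from MailWasher): it diffs the two Client Hello cipher lists and shows how a server restricted to the two Outlook-only suites would reject MailWasher with "no shared cipher". The server allow-list and the helper names are hypothetical assumptions; the thread does not show the actual Dovecot cipher configuration.

```python
# Suite IDs transcribed, in order, from the two Wireshark Client Hello
# listings in the post above.
MAILWASHER = """cca8 cca9 ccaa c013 0033 002f c014 0039 0035 c027 0067 003c
006b 003d c028 c02f 009e 009c c030 009f 009d c009 c023 c00a c024 c012 0016
000a 00ff"""
OUTLOOK = """c02c c02b c030 c02f 009f 009e c024 c023 c028 c027 c00a c009
c014 c013 009d 009c 003d 003c 0035 002f 000a 00ff"""

# TLS_EMPTY_RENEGOTIATION_INFO_SCSV is a signalling value, not a cipher.
SCSV = 0x00FF

NAMES = {
    0xC02C: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
}

# ASSUMPTION (hypothetical): a server that accepts only these two suites,
# listed in server preference order. The thread does not show the real
# Dovecot cipher configuration.
HYPOTHETICAL_SERVER = [0xC02C, 0xC02B]


def offered(hex_ids):
    """Real cipher suites of a Client Hello, in the client's order."""
    return [s for s in (int(h, 16) for h in hex_ids.split()) if s != SCSV]


def only_in(a, b):
    """Suites offered by client a but not by client b, in a's order."""
    other = set(b)
    return [s for s in a if s not in other]


def negotiate(client, server_allowed):
    """First server-preferred suite the client also offers, else None.

    None is the situation OpenSSL reports server-side as "no shared cipher".
    """
    client_set = set(client)
    return next((s for s in server_allowed if s in client_set), None)


def label(suite):
    return "none (no shared cipher)" if suite is None else NAMES.get(suite, hex(suite))


if __name__ == "__main__":
    mw, ol = offered(MAILWASHER), offered(OUTLOOK)
    print("Outlook only:", [label(s) for s in only_in(ol, mw)])
    print("MailWasher only:", [hex(s) for s in only_in(mw, ol)])
    print("MailWasher ->", label(negotiate(mw, HYPOTHETICAL_SERVER)))
    print("Outlook    ->", label(negotiate(ol, HYPOTHETICAL_SERVER)))
```

On the server side, the list to substitute for `HYPOTHETICAL_SERVER` is whatever the server's TLS library actually enables after the update.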
gingbat
Least Evil Firetrust Employee
Posts: 1010
Joined: Mon Jul 28, 2008 4:04 pm

Re: version 7.12.125 can't access to TLS anymore

Fri Mar 24, 2023 12:42 pm

Yes, really a bit out of ideas, sorry. MWPro works with all other SSL connections without problems, even the new OAUTH connections from Hotmail and Yahoo (not gmail though, as they block us). If it were an issue with MWPro itself we'd be seeing a lot more problems I think... unless anyone else has any new ideas....?
TrustFire
βeta Tester
Location: 127.0.0.1
Posts: 13164
Joined: Fri Jul 30, 2010 11:04 pm

Re: version 7.12.125 can't access to TLS anymore

Sat Mar 25, 2023 6:54 pm

StevenP94 wrote:
Thu Mar 23, 2023 7:30 pm
a) firewalling MW as denied application on my PC can't be: MW works with other ports (110 with no auth is enabled and working)
Just because the firewall is allowing MailWasher connections on port # 110 (or some other ports) . . . it cannot be assumed that it can't selectively block MailWasher connections on port # 995. ;)


StevenP94 wrote:
Thu Mar 23, 2023 7:30 pm
b) firewalling port as denied connection on my PC can't be: Outlook works with that TLS connection on 995
Just because the firewall is allowing Outlook on port # 995 . . . it cannot be assumed that it can't selectively block MailWasher on port # 995. ;)


StevenP94 wrote:
Thu Mar 23, 2023 7:30 pm
c) AV disabled gives same results - I'm using Avast free

There is something else I can do to identify the problem?

Thanks in advance
After disabling your Avast . . . did you restart your system to re-test MailWasher — some security systems do not obey commands until the next reboot.

Usually when a third-party firewall is installed, it disables the native Windows firewall — however, you might want to check whether your Windows firewall continues to remain enabled . . . and, is blocking MailWasher's access to port # 995.

EOD, it's up to you to narrow down what is blocking your MailWasher selectively on port # 995.