Firetrust Support Forums

Hi,
I have a lot of accounts configures as POP and reading mails from port 995, SSL/TLS.
Starting from tomorrow morning I can't read emails anymore. Seems that SSL/TLS connection is not working. Is mailwasher using TLS 1.2 or (better) 1.3 ?
In the server logs I found this error:

TLS handshaking: SSL_accept() failed: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher

but reading mails from Outlook with TLS works fine, just Mailwasher is unable to read received mails.
Any hint?

Starting from "tomorrow" morning???

FWIW, I use POP for my gmail accounts which are SSL/TLS and I am not having any problems reading those emails with MWP 7.12.125.

Obviously was today, not tomorrow, I apologize for my english, is not so simple to explain technical issue in another language. Anyway I suspect an SSL security update and what is working yesterday doesn't work today.
The mail server I cannot access is managed by me, so I can investigate server side too.
Outlook can access and read mailboxes, Mailwasher not. I changed nothing client side, investigating on what can be changed on my dovecot/postfix server configuration.
Now starting wireshark to check what happening.

No need to apologize. I was just teasing. I figured you either meant today or yesterday.

I wish I could offer you some help but this is not my area. All I can do is verify this is not a MailWasher problem - other than, maybe, a user setting. But that seems unlikely if it worked before and you made no changes. Hopefully someone with more knowledge in this area will stop by. Otherwise, if you server software has a forum, you might ask there.

Thanks for your reply,
My daughter, running an older version, had same problem with same server so is probably due to a server security update. Server supports TLS 1.2 and 1.3, my doubt was: Mailwasher uses TLS 1.2 + or is still using 1.1 ?
This could be the cause.

Yes, MWPro 7 does support TLS 1.2 so that should not be a problem, (only the older MWpro 6 uses the older SSL version).

I'd definitely be checking the update that was installed as something must not be quite right there....

Thanks for your reply, I'm sniffing with wireshark and found that Mailwasher uses TLS 1 vs my mail server and 1.2 vs other mail servers, so I'm checking the server protocols. Weird fact: Outlook manage the connection well and connect using 1.2

After a lot of tries, I give up: can't use SSL/TLS on Mailwasher anymore, but only when connecting to my mail server.
Outlook works fine and connect and retrieve mails using TLS 1.2
When Mailwasher connects with other mail server it uses TLS 1.2 and retrieve mails correctly
When Mailwasher connects with my mail server uses TLS 1 and give error 50 (grabbed with wireshark on Client Hello):

TLSv1 Record Layer: Alert (Level: Fatal, Description: Decode Error)
Content Type: Alert (21)
Version: TLS 1.0 (0x0301)
Length: 2
Alert Message
Level: Fatal (2)
Description: Decode Error (50)

My mail server has a score of 114 on https://www.checktls.com/TestReceiver and it says that all is working fine.
I have checked connection and dialog using openssl and all seems ok.
Just dunno.
Any hints?
Thanks in advance

Is there a possibility that another program may be interfering with MW's connection to the server...? possibly a firewall or antivirus program is hijacking the connection and causing a conflict....?

If no, you're welcome to post your log here and we'll see if we can see anything out of place if you wish? (just ensure you XXXXXX out your email and other personal details).

The log is named something like: "MWPapp_username_mailserver_com.log" and is located under Help>>User Files>>Logs folder, open the folder with the date of when you got the error last.

StevenP94 wrote: ↑

Tue Mar 21, 2023 2:09 am

<snip> but reading mails from Outlook with TLS works fine, just Mailwasher is unable to read received mails.
Any hint?

For the purpose of reading "received" mails . . . neither does MailWasher use TLS nor does Outlook — in other words . . . TLS has no role in inbound traffic.

TLS comes into play only where mail-sending (outbound traffic) is concerned . . . by default, MailWasher uses SSL (over port # 465) instead of TLS — however . . . if you want to use TLS for sending mails, you will need to re-route your sending (outbound traffic) through port # 587.

TLS is a port-specific SMTP connection — it's working fine, here . . . as usual.

When Mailwasher connects with my mail server uses TLS 1 and give error 50 (grabbed with wireshark on Client Hello):

TLSv1 Record Layer: Alert (Level: Fatal, Description: Decode Error)
Content Type: Alert (21)
Version: TLS 1.0 (0x0301)
Length: 2
Alert Message
Level: Fatal (2)
Description: Decode Error (50)



TLS is used to secure client / server connection. It's not limited to SMTP only. https://en.wikipedia.org/wiki/Transport_Layer_Security

@Gingbat this is an extract of log:

Great, ta for that, and yes, MW cannot even make contact with the server, I see a lot of "SocketException" errors instead, those usually mean that your firewall, antivirus programs email scanner or other security software has blocked MWPro from checking mail there? Please check the settings in there to ensure MW is allowed full internet access, and has no rules either blocking it, or incorrectly setup which could cause issues. If no, or no better, is there an Antivirus email scanner active on your PC there? (Within your antivirus or firewall software), maybe try disabling this and see if that helps?

(NOTE: the antivirus real time scanner will still scan any emails and attachments for viruses anyway, so you are quite safe)

The weird things are:
a) firewalling MW as denied application on my PC can't be: MW works with other ports (110 with no auth is enabled and working)
b) firewalling port as denied connection on my PC can't be: Outlook works with that TLS connection on 995
c) AV disabled gives same results - I'm using Avast free
d) sniffing TCP using wireshark gives failed TLS1 connection vs my mail server (that allows only 1.2+) and working TLS1.2 vs other servers (from MW) and working TLS1.2 connection from Outlook vs every servers

I have logs serverside (dovecot+postfix) and client side (MW and Wireshark)

There is something else I can do to identify the problem?

Thank in adavance

UPDATE
Seemes that the problem is this
SSL_accept() failed: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher

these are the cipher supported by MW - and gives no connection.

Cipher Suites (29 suites)
Cipher Suite: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca9)
Cipher Suite: TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xccaa)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x0067)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x006b)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)
Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f)
Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)
Cipher Suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)
Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)
Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)

These are the ciphers supported by Outlook (and works)

Cipher Suites (22 suites)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f)
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)

Seems that the first two are missing and the others are not on my system anymore, probably by a security update
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)

I hope that this will help

Yes, really a bit of out ideas sorry, MWPro works with all other SSL connections without problems, even the new OAUTH connections from Hotmail and Yahoo, (not gmail though, as they block us), if it were a issue with MWpro itself we'd be seeing a lot more problems I think... unless anyone else has any new ideas....?

StevenP94 wrote: ↑

Thu Mar 23, 2023 7:30 pm

a) firewalling MW as denied application on my PC can't be: MW works with other ports (110 with no auth is enabled and working)

Just because the firewall is allowing MailWasher connections on port # 110 (or some other ports) . . . it cannot be assumed that it can't selectively block MailWasher connections on port # 995.

StevenP94 wrote: ↑

Thu Mar 23, 2023 7:30 pm

b) firewalling port as denied connection on my PC can't be: Outlook works with that TLS connection on 995

Just because the firewall is allowing Outlook on port # 995 . . . it cannot be assumed that it can't selectively block MailWasher on port # 995.

StevenP94 wrote: ↑

Thu Mar 23, 2023 7:30 pm

c) AV disabled gives same results - I'm using Avast free

There is something else I can do to identify the problem?

Thank in adavance

After disabling your Avast . . . did you restart your system to re-test MailWasher — some security systems do not obey commands until the next reboot.

Usually when a third-party firewall is installed, it disables the native Windows firewall — however, you might want to check whether your Windows firewall continues to remain enabled . . . and, is blocking MailWasher's access to port # 995.

EOD, it's up to you to narrow down what is blocking your MailWasher selectively on port # 995.