Avast support SSL Email scan?

I use Avast 4.6. My provider has changed its POP setting to use SSL Port 995 for receiving EMail. The SMTP also has changed to use secure login too (TLS).

Avast mail resident protection does not seem to scan incoming mail anymore and blocks any EMail sent through the SMTP server. Disabling the protection restores SMTP.

Does Avast support SSL Emailing?

Since SSL/TLS e-mail is encrypted and decrypted in the client, external virus scanners (including avast!) can’t read or scan it.
The solution is to pass e-mail in and out un-encrypted from your client (Outlook Express, Thunderbird, …) to a proxy program (Stunnel) that does the actual SSL or TLS encryption/decryption of the POP3/SMTP e-mail and communicates directly with the ISP server on the appropriate ports. Another set of drivers (OpenSSL) is needed as a library of encryption/decryption routines.
Take a look here: http://forum.avast.com/index.php?topic=10428.0 to see how to set up secure email with avast!.

Not directly, it requires an intermediary, such as Stunnel.

This has been covered numerous times so a forum search would be of use, ‘SSL Stunnel Gmail’ without the quotes should return some information. The reason I mention Gmail is this was the most common request to be able to check SSL email.

Check out these two threads first.
Solution: Using GMail with Avast and a SPAM filter
Redirecting multiple SSL accounts

Yakk! This is not for the faint of heart. I think I’ll just disable EMail protection.

Hopefully the next Avast version will incorporate the decryption algorithm since a lot of providers are switching to secure EMail.

Thanks man.

To set up secure email with avast! in XP, you need to do 3 things:

  1. In your email client, use
    localhost:11110 for your pop server
    localhost:11025 for your smtp server
    Do not check “use secure”

  2. In avast! email provider add
    11110 to the pop3 ports to redirect
    11025 to the smtp ports to redirect
    Uncheck “ignore local communication” (edited)

  3. With a text editor, create Stunnel.conf (or cut/paste/edit below)
    Stunnel.conf, the configuration file, looks like this for secure email:

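; stunnel acts as the TLS client towards the ISP servers
client=yes
; POP3 service, listens on localhost:11110
[xxxxx-pop3s]
accept=localhost:11110
; remote server is given as host:port
connect=pop.xxxxx.com:995

; SMTP service, listens on localhost:11025
[xxxxx-smtps]
; negotiate TLS inside the SMTP session before relaying
protocol=smtp
accept=localhost:11025
connect=smtp.xxxxx.com:25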

Replace the xxxxx connect lines with the names and ports of your ISP secure pop3 and smtp servers.

You also need to download OpenSSL from http://www.openssl.org/related/binaries.html and Stunnel from http://www.stunnel.org/download/binaries.html and install them. Stunnel can either be installed as a Windows service or added to your startup group. I added a shortcut in the startup group. Put stunnel.conf in the same folder as stunnel.

This is close to a cookbook FAQ, and avast! has lots of people using it this way. Let us know if you need further support, or are using IMAP or gmail. Unfortunately, until significant changes are made to most email clients to support SSL scanning, you are restricted to using a select few that allow scanner plugins (Outlook, the Bat, …) or working around the encryption for scanning. And this is true for all virus scanners, even those with built in SSL support, until the email clients change.
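The cookbook's stunnel.conf with server certificate verification switched on, as an added example that is not part of the original post: stunnel does not check the peer certificate unless told to, so the configuration as posted encrypts the link without authenticating the ISP's server. The CA bundle file name is an assumption, `verifyChain` and `checkHost` are options of current stunnel 5.x releases, and the xxxxx host names are the post's own placeholders.

```ini
; Added example, not from the original post.
; stunnel runs as the TLS client towards the ISP.
client = yes

; Assumption: ca-certs.pem is a PEM bundle of trusted CA certificates
; placed in the same folder as stunnel.conf.
CAfile = ca-certs.pem

; POP3 over TLS. The plaintext side is bound to the loopback address only,
; so the unencrypted leg (mail client -> avast! -> stunnel) never leaves the PC.
[xxxxx-pop3s]
accept = 127.0.0.1:11110
connect = pop.xxxxx.com:995
; Reject the connection unless the certificate chains to a CA in CAfile
; and was issued for the host name we meant to reach.
verifyChain = yes
checkHost = pop.xxxxx.com

; SMTP with TLS negotiated inside the SMTP session.
[xxxxx-smtps]
protocol = smtp
accept = 127.0.0.1:11025
connect = smtp.xxxxx.com:25
verifyChain = yes
checkHost = smtp.xxxxx.com
```

With verification enabled, a certificate that fails the check causes stunnel to refuse the connection, so the mail client reports a connection error instead of delivering credentials to an unverified server.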

The idea of secure email (SSL, Secure Socket Layer) is that it is secure; if all and sundry could access it (for whatever purpose) then it wouldn’t be secure and would negate the reason for having secure email.

Many have been able to install it and get it working in these forums, and many of those may well have felt it daunting, but they took it a step at a time (first get the two programs you need). Print off the relevant threads to help and take it a step at a time. There are people here who will help.

Unfortunately, I’m not using SSL mail so haven’t got Stunnel or OPENSSL, so I have never set it up.

As I said do the search (for a full list of threads) there have been a number of recent threads helping people with the settings. See there is one here already whilst I typed this ;D

OK, you convince me. I’ll give it a shot, but after Ghosting my C: drive!
I’ll let you know if it works.

I use Sympatico.ca which is a major ISP in Canada and they are switching to SSL using POP service.

Thanks a lot.

Above cookbook was actually posted originally for a Sympatico user at http://forum.avast.com/index.php?topic=13346.msg112729#msg112729, so should work for you also.

Hello,

I installed as specified in the post. I can get mail in and out OK but I don’t think Avast is scanning it. I asked it to add the usual scan note at the end of the message but it’s empty.

Is it normal? How can I know that the EMail has been scanned?

Tx

Under Internet Mail/Customize make sure you have checked “scan” and “insert note” under pop and smtp, and that the redirect tab has 11110 for pop and 11025 for smtp added. If you are scanning, you should also see the subject of the message under “last scanned” on the opening page.

Yeah, done exactly that, but no scan that I can see. Hum!
There is also an “Ignore local communication” check but it makes no difference.

Avast 4.6.665

Ignore local communications should be unchecked. Does the email scanner page show a scan count of 0? What email client are you using?

Hey, it works my friend!

I had to remove the check for “ignore local communication” and restart the eMail module. I think it is set by default.

I use Netscape Email 7.2 client

Thanks !

Glad it’s working for you. Let us know if you have any problems.

I just wonder if it would be possible to implement Stunnel/OpenSSL in avast! itself.
So it will be able to check secure connections. More and more mail services are starting to use secure connections, so Internet Mail will become obsolete over time.

I second that. The way I think it works is that the Email client sends the message to Stunnel, which decrypts the message (using libssl32.dll) and passes it on to Avast for scanning. There is no reason why Avast can’t do that instead.

I have a small free EMail checker “PopPepper” which I set up again afterwards, and with a tiny DLL plugin it is now able to handle SSL easily.

I bet it’ll be in next Avast update. 8)

Actual use of Stunnel/OpenSSL by avast! is probably forbidden by the GPL or other open source license, since avast! is for profit. Implementing an SSL extension can be done (AVG does it, I think much more awkwardly than using Stunnel and OpenSSL), but it is still a problem because of the mail client structure. The mail client needs to use the SSL transparently in order to allow scanning, so the localhost:dummy port structure ends up being used, with the client turning off encryption so it can be done. To make it simple, mail clients should allow for the use of an antivirus plugin (like used for Outlook and The Bat) with an API for a plugin that virus scans the mail and still allows the email client to do the encryption or decryption and communicate with the SSL/TLS server. In other words, encryption still should be an email client function, with the virus scanner plugin enabled either before encryption (outbound) or after decryption (inbound). The other issue is the usual cryptographic problem: not just anyone can homebrew a secure system, and using open source like Stunnel/OpenSSL gives users confidence that the system is secure, through peer review and the open source nature of the programs. The alternative is to license commercial SSL products that are trusted. I don’t think adding SSL support to the AV scanners is really a good way to go; better that Thunderbird have a check mark for “virusscan” that works even if you select SSL or TLS and tells avast! the rules to implement the plugin. Lacking that, I much prefer the external approach used by avast! to the integrated and awkward approach used by AVG for ease of setup and use.