Having a severe problem with Avast 4.5 and my secure smtp server. Looking for any hints people may have, I get some funky icon when I try to send email and some kind of connection times out and just messes everything up.
I can’t send anything outside my domain…
I don’t understand about secure servers so much…
I know that avast does not support SSL connections… :
Yup, I disabled Mail Protection, the setting finally stuck and I now have email. I wonder if they have any plans of supporting SSL Connections in the future.
I think that this has been discussed before and Vlk commented on it, so a search for SSL in the forums may return more information.
Secure by its nature is designed to keep prying eyes out, so that would include anti-virus prying eyes to.
I believe it would be very difficult to support as avast isn’t the recipient or initiating client, so is outside the Secure Socket Layer (these are just my thoughts, not fact, or Alwil’s).
So your mail server requires SSL and still uses the normal port numbers (25, 110)??
BTW what mail client are you using?
Thanks
Vlk
995 incoming and 25 Outgoing. Using Thunderbird .9
Its no biggie, but it was just kinda frustrating that it was on by default without asking me about it, and the setting didn’t appear to stick on a couple attempts.
Overall I love the product…
Hi RookieCAF,
You could do what I do to access my mail securely: use stunnel (http://www.stunnel.org/) to provide the SSL connection and set up your mail client to connect to stunnel.
I have stunnel listening on ports 25 and 110 (SMTP and POP3) on localhost, and have Outlook Express configured to connect to localhost. I’ve put “IgnoreLocalhost=0” into the avast4.ini [MailScanner] section so avast! scans connections made on 127.0.0.1. Avast! transparently scans the localhost connection to stunnel, which then provides the SSL connection to the mailservers. My stunnel.conf is as follows:
–Cut–
client=yes
[gmx-pop3s]
accept=localhost:110
connect:995=pop.gmx.net
[gmx-smtps]
accept=localhost:25
connect:465=mail.gmx.net
–Cut–
It all works perfectly, although I did have to do a bit of fiddling around when avast! 4.5 was released. If you want any help, don’t hesitate to get in touch 
Vlk: searching the forum for stunnel yields a few posts (about 10), but how about putting up a sticky post to help people who want to secure their connections and still be able to use avast!? I could even write the post for you if you want
Thanks t_r_davies
Welcome to the forum
This is also our answer for pop3 and gmail which also requires SSL.
I think a sticky thread for this is an excellent idea.
Stick around. We could use you in here. ;D
may be it’s also a good idea to put in in the FAQ - SSL becomes more and more usual
br
Peter
I have stunnel listening on ports 25 and 110 (SMTP and POP3) on localhost, and have Outlook Express configured to connect to localhost. I've put "IgnoreLocalhost=0" into the avast4.ini [MailScanner] section so avast! scans connections made on 127.0.0.1. Avast! transparently scans the localhost connection to stunnel, which then provides the SSL connection to the mailservers. My stunnel.conf is as follows:–Cut–
We’re running as a client to SSLify the GMX mail connection
client=yes
POP3 service, listens on localhost:110
[gmx-pop3s]
accept=localhost:110
connect:995=pop.gmx.netSMTP service, listens on localhost:25
[gmx-smtps]
accept=localhost:25
connect:465=mail.gmx.net
–Cut–
To do this do I have to pass all my mail connections through stunnel? What I mean is I have other non SSL accounts which use ports 25, 110 and 143. If I use the above settings would I still be able to access them?
No, you don’t have to pass all your mail connections through stunnel. If you configure stunnel as I did then you just have to reconfigure the account you want to secure to use “localhost” as the POP and SMTP servers. Your can just leave your other non-SSL accounts’ settings as they are and they will continue to operate as normal. I configured stunnel to listen on the default POP and SMTP ports so I didn’t have to change the port numbers in the Outlook Express account settings.
I’ve been too busy to ask one of the moderators yet about putting up a sticky post regarding SSL and stunnel, but I should have time to do it today. If they agree, I’ll do a detailed explanation of exactly how to configure everything.
Thanks a lot for your suggestion t_r_davies. I have been able to get it to work though it doesn’t work with the port numbers you gave in your example. stunnel doesn’t want to start. Thanks again.
Happy to help I’ve actually just changed my setup to have stunnel listening on ports 11025 and 11110, to keep it similar to the port numbers the avast! mail scanner uses (12025, 12110 and 12143). It makes it easier to remember! I’m also using SpamBayes (listening on port 10110, which complicates matters slightly, but that’s the gist of my configuration.
Does stunnel start if you change the port numbers (try 11025 and 11110 like I’m now using)? Also, are you running it as a service (if you’re on Win2K/XP) or as a normal process?
I use other ports like 350, 1600 etc. Kind of non standard and illogical I guess, but I can always look up stunnel.conf.
As for starting it, I made a shortcut to stunnel and put it in ~\Start Menu\Programs\Startup so it starts up whenever I login to my user account. I run it as a user.
How do you run it as a service? What exactly is the difference between a service and a normal process?
Provided you’re running WinNT, 2K or XP, you can run stunnel as a service by running “stunnel -install” at a command prompt (you need to be Administrator to do this). A service can be started at boot-time so it runs continuously while the machine is on (even when no-one is logged on), services can also be stopped, started and paused using the Service Manager. Running stunnel from the Startup group is fine though, that way it will exit when you log off.
Maybe this post is off-topic but since we have been discussing stunnel in this thread I have a question regarding its use.
So one of my accounts allows me to establish both SSL and non SSL connections over port 25 of the smtp server. I can use the non SSL connection to send the mail and avast scans the outgoing e-mail.
If I now want to send over the SSL connection using stunnel the operation just times out or gives an error saying that the SMTP connection has been refused.
Now when I disable the avast mail scanner and try to connect to my smtp server over port 25 via SSL I get a certificate in the client asking me to either reject it or accept it temporarily for the current session or accept permanently. Once I accept it I am able to send e-mails via SSL over port 25 of the smtp server. However I am not very keen on disabling the mail scanner.
It therefore seems that the time out error or the server’s refusal to accept SMTP connections is because stunnel ignores the certificate.
Could t_r_davies or somebody else teach me how to accept certificates into stunnel?
I am using:
Thunderbird 0.9
Win XP
stunnel 4.05
Avast 4.5
t_r_davies,
Thanks for the info. I have a gmail.com account and it requires SSL, One problem I am having is when sending email. (I can recieve gmail.com email and avast is scanning and inserting the clean tag with out a problem)
my stunnel.conf file is:
client=yes
[gmail-pop3s]
accept=localhost:10110
connect:995=pop.gmail.com
[gmail-smtps]
accept=localhost:1025
connect:587=smtp.gmail.com
My avast4.ini:
[MailScanner]
IgnoreLocalhost=0
PopRedirectPort=110,1110,1120,10110
SmtpRedirectPort=25,215,225,1025
ShowTrayIcon=1
when I try to send, I get an error in Thunderbird that “connecting to SMTP server localhost failed”
The stunnel log file shows:
2004.11.25 23:21:20 LOG3[1960:4012]: SSL_connect: 1408F10B: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
Any ideas?
Thanks,
Gordon
Try:
[gmail-smtps]
accept=localhost:1025
connect:587=smtp.gmail.com
protocol=smtp
Hi shatadal.
As far as I can see, stunnel can’t help you in this situation. It appears your mailserver is using STARTTLS to secure the connection, not normal SSL. STARTTLS is an extended SMTP command issued by the client to start a secure TLS (the successor to SSLv3) channel using the existing connection. By doing this, mail servers only need listen on one port (25) and be able to handle both secure and unsecure connections, instead of listening on port 25 for unsecure and port 465 for secure connections. This is now the IETF-recommended (I think) method of securing connections, and the same technique can be used for HTTP connections (possibly POP3 and IMAP as well, I’m not entirely sure). See RFC2487: http://www.ietf.org/rfc/rfc2487.txt.
Thanks, but get the same error that it can not connect to localhost:
Error from thunderbird:
“Sending of message failed.
An error occurred sending mail: Unable to connect to SMTP server localhost. The server may be down or bay be incorrectly configured. Please verify that your Mail/News account settings are correct and try again.”
stunnel Log:
2004.11.26 10:25:30 LOG5[2412:3940]: stunnel 4.05 on x86-pc-mingw32-gnu WIN32 with OpenSSL 0.9.7e 25 Oct 2004
2004.11.26 10:25:30 LOG5[2412:2380]: WIN32 platform: 30000 clients allowed
2004.11.26 10:25:43 LOG5[2412:320]: gmail-smtps connected from 127.0.0.1:2009
2004.11.26 10:25:43 LOG5[2412:320]: Negotiations for smtp (client side) started
2004.11.26 10:25:44 LOG5[2412:320]: Protocol negotiation succeded
2004.11.26 10:25:48 LOG5[2412:320]: Connection closed: 18 bytes sent to SSL, 116 bytes sent to socket
Any Ideas?
Gordon