Solved

POP TLS connection stalls when AVG mail scanner running

Posted on 2009-05-05
Last Modified: 2013-11-22
Request: Can anyone help me setup my AVG email scanner to work with Thunderbird accessing an email account that uses TLS?

Environment:
OS - Windows Vista Ultimate
Anti-virus: AVG Free 8.5.325
Email Client: Mozilla Thunderbird 2.0.0.2i
Email server: Zimbra POP3 server - over which I have very little control, but if someone can tell me any settings that need to be adjusted on the server I can submit a request.

Problem: I installed AVG Free three days ago. Since then I have noticed that one of my email accounts has not been receiving mail. This particular account negotiates a TLS connection, and I have realised that since installing AVG, the email client connects to the server but never gets past the TLS connection. Eventually (after 600 seconds) the TCP connection dies. If I turn off the email scanner options in AVG Free, the mail client connects normally and terminates normally (after downloading mail, if any).
Below are two TShark dumps, with the mail server IP replaced by x.x.x.180. The first example shows a successful connection with the email scanner activated. The second shows the same connection WITH the email scanner de-activated.

Additional Information:
Thunderbird server settings:
Server Type: POP Mail server
Server name: mail.x.x.x.com Port 110
User Name: me@x.x.x.com
Security Settings: Use Secure connection TLS, if available
Use Secure authentication:- NOT selected
Server settings: No server settings selected

Thunderbird Security settings:
No certificates or Encryption options selected.

With AVG Email scanner active: (Note 600 seconds of inactivity after packet 8)

  0.000000  192.168.1.225 -> x.x.x.180 TCP 49460 > 110 [SYN] Seq=0 Win=8192 Len=0 MSS=1260 WS=2 TSV=17385299 TSER=0
  0.256385  x.x.x.180 -> 192.168.1.225 TCP 110 > 49460 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0 MSS=1452 TSV=3514443520 TSER=17385299 WS=7
  0.256488  192.168.1.225 -> x.x.x.180 TCP 49460 > 110 [ACK] Seq=1 Ack=1 Win=17472 Len=0 TSV=17385325 TSER=3514443520
  0.512457  x.x.x.180 -> 192.168.1.225 POP Response: +OK webmail.fireflycom.net Zimbra POP3 server ready
  0.517997  192.168.1.225 -> x.x.x.180 POP Request: CAPA
  0.777562  x.x.x.180 -> 192.168.1.225 TCP 110 > 49460 [ACK] Seq=54 Ack=7 Win=5888 Len=0 TSV=3514443650 TSER=17385351
  0.777925  x.x.x.180 -> 192.168.1.225 POP Response: +OK Capability list follows
  0.973338  192.168.1.225 -> x.x.x.180 TCP 49460 > 110 [ACK] Seq=7 Ack=163 Win=17308 Len=0 TSV=17385396 TSER=3514443650
600.800473  x.x.x.180 -> 192.168.1.225 TCP 110 > 49460 [FIN, ACK] Seq=163 Ack=7 Win=5888 Len=0 TSV=3514593650 TSER=17385396
600.800562  192.168.1.225 -> x.x.x.180 TCP 49460 > 110 [ACK] Seq=7 Ack=164 Win=17308 Len=0 TSV=17445379 TSER=3514593650


No Email Scanner Active: (Note the whole transaction completes in 5 seconds)

  0.000000  192.168.1.225 -> x.x.x.180 TCP 49454 > 110 [SYN] Seq=0 Win=8192 Len=0 MSS=1260 WS=2 TSV=17365859 TSER=0
  0.257058  x.x.x.180 -> 192.168.1.225 TCP 110 > 49454 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0 MSS=1452 TSV=3514394921 TSER=17365859 WS=7
  0.257162  192.168.1.225 -> x.x.x.180 TCP 49454 > 110 [ACK] Seq=1 Ack=1 Win=17472 Len=0 TSV=17365884 TSER=3514394921
  0.513003  x.x.x.180 -> 192.168.1.225 POP Response: +OK webmail.fireflycom.net Zimbra POP3 server ready
  0.703620  192.168.1.225 -> x.x.x.180 TCP 49454 > 110 [ACK] Seq=1 Ack=54 Win=17416 Len=0 TSV=17365929 TSER=3514394985
  1.019210  192.168.1.225 -> x.x.x.180 POP Request: AUTH
  1.311944  x.x.x.180 -> 192.168.1.225 TCP 110 > 49454 [ACK] Seq=54 Ack=7 Win=5888 Len=0 TSV=3514395176 TSER=17365961
  1.312291  x.x.x.180 -> 192.168.1.225 POP Response: -ERR mechanism not specified
  1.316545  192.168.1.225 -> x.x.x.180 POP Request: CAPA
  1.682771  x.x.x.180 -> 192.168.1.225 POP Response: +OK Capability list follows
  1.691405  192.168.1.225 -> x.x.x.180 POP Request: STLS
  1.947000  x.x.x.180 -> 192.168.1.225 POP Response: +OK Begin TLS negotiation
  1.960657  192.168.1.225 -> x.x.x.180 POP Request: \026\003\001\000\226\001\000\000\222\003\001\000\002\245\225 \311\026\355\220\232|\250\f%\323\264\366b|\271\207h\370E\036w\303[~\030\002u\000\0008\300
  2.228589  x.x.x.180 -> 192.168.1.225 POP Continuation
  2.231638  x.x.x.180 -> 192.168.1.225 POP Continuation
  2.231692  192.168.1.225 -> x.x.x.180 TCP 49454 > 110 [ACK] Seq=174 Ack=2716 Win=17472 Len=0 TSV=17366082 TSER=3514395412
  2.491021  x.x.x.180 -> 192.168.1.225 POP Continuation
  2.493185  x.x.x.180 -> 192.168.1.225 POP Continuation
  2.493266  192.168.1.225 -> x.x.x.180 TCP 49454 > 110 [ACK] Seq=174 Ack=4925 Win=17472 Len=0 TSV=17366108 TSER=3514395479
  2.502879  192.168.1.225 -> x.x.x.180 POP Request: \026\003\001\000f\020\000\000b\000`\316vV;\355\273\263\322\346\330\330\366jS?\374\276,\367\261\316\355\355\017\211\324`\017\226\254\222\244\345\261\337,D,\3032%\337k\3667\206a\314A\225X\303\333\267\350\362'\301\2275\214\265J'A\341m\353v\340_9?\303\333Zh\246\244\v\362Ej\324qr\004\252\376\213G\270>\352\241m\024\003\001\000\001\001\026\003\001\0000GX#\030E\243\373\277\024|\214~\035\036\032h\215\273\273\234\016\341\217:\265\243rz\a\270*E\306\276\276;\301\234\2718[\217r\353\260\365\231\323
  2.765868  x.x.x.180 -> 192.168.1.225 POP Continuation
  2.964752  192.168.1.225 -> x.x.x.180 TCP 49454 > 110 [ACK] Seq=340 Ack=4931 Win=17464 Len=0 TSV=17366155 TSER=3514395548
  3.227486  x.x.x.180 -> 192.168.1.225 POP Continuation
  3.229354  192.168.1.225 -> x.x.x.180 POP Request: \027\003\001\000 \342F\367T\203\213\354\177
  3.486224  x.x.x.180 -> 192.168.1.225 POP Continuation
  3.489983  192.168.1.225 -> x.x.x.180 POP Request: \027\003\001\000 MJ
  3.746227  x.x.x.180 -> 192.168.1.225 POP Continuation
  3.750814  192.168.1.225 -> x.x.x.180 POP Request: \027\003\001\0000\374PT\353
  4.007085  x.x.x.180 -> 192.168.1.225 POP Continuation
  4.021543  192.168.1.225 -> x.x.x.180 POP Request: \027\003\001\000@\031\2526\370\355\264\212\305\332\002\246\316\242+\353E\023U\341\242C(M\303\332\240\347~_\225\225`\271\205\262{h[\322\256\362#\372\004V[\316\022\312\334>\230\027c}\310F\326\037\236*\276\316\017
  4.284250  x.x.x.180 -> 192.168.1.225 POP Continuation
  4.301080  192.168.1.225 -> x.x.x.180 POP Request: \027\003\001\000 \375\036\343\331\2275\225M\311\222\261\202\334\302\346Zk\275\002\361\340\271;#cX1\025\004\272/\025
  4.558686  x.x.x.180 -> 192.168.1.225 POP Continuation
  4.585215  192.168.1.225 -> x.x.x.180 POP Request: \027\003\001\000 sy\324D\031\336\376P\340\225c\307\214\032\332\356\255T\027fo\362\333\3020Y\020\205P\237\344\305
  4.841129  x.x.x.180 -> 192.168.1.225 POP Continuation
  4.841541  x.x.x.180 -> 192.168.1.225 POP Continuation
  4.841606  192.168.1.225 -> x.x.x.180 TCP 49454 > 110 [ACK] Seq=610 Ack=5468 Win=16928 Len=0 TSV=17366343 TSER=3514396067
  4.854393  192.168.1.225 -> x.x.x.180 TCP 49454 > 110 [FIN, ACK] Seq=610 Ack=5468 Win=16928 Len=0 TSV=17366344 TSER=3514396067
  5.112080  x.x.x.180 -> 192.168.1.225 TCP 110 > 49454 [ACK] Seq=5468 Ack=611 Win=7936 Len=0 TSV=3514396135 TSER=17366344


mail-working.txt
mail-not-working.txt
Question by:red_nectar
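To pin down where the session with the scanner enabled actually goes quiet, here is an added Python example (not part of the original post or of any AVG or Thunderbird tooling) that parses tshark one-line summaries like the two above, measures the largest gap in each session, reports the last POP command the client had sent before that gap, and decodes tshark's octal-escaped payload text so the bytes that follow STLS in the working capture can be identified as TLS records. The two embedded traces are copied from the post and trimmed to the packets the analysis needs; the TLS record-type and handshake-type tables are the standard TLS 1.0 values.

```python
"""Added analysis of the two tshark summaries posted above: where each POP3
session goes quiet, whether STLS was ever sent, and what follows it."""
import re
from collections import namedtuple

# Constructed sample input: packets copied from the two captures in the post,
# trimmed to what the analysis needs (TCP option fields dropped, the long TLS
# payload lines truncated). Timestamps and POP payload text are verbatim.
FAILING_TRACE = r"""
  0.000000  192.168.1.225 -> x.x.x.180 TCP 49460 > 110 [SYN] Seq=0 Win=8192 Len=0
  0.256385  x.x.x.180 -> 192.168.1.225 TCP 110 > 49460 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0
  0.512457  x.x.x.180 -> 192.168.1.225 POP Response: +OK webmail.fireflycom.net Zimbra POP3 server ready
  0.517997  192.168.1.225 -> x.x.x.180 POP Request: CAPA
  0.777925  x.x.x.180 -> 192.168.1.225 POP Response: +OK Capability list follows
  0.973338  192.168.1.225 -> x.x.x.180 TCP 49460 > 110 [ACK] Seq=7 Ack=163 Win=17308 Len=0
600.800473  x.x.x.180 -> 192.168.1.225 TCP 110 > 49460 [FIN, ACK] Seq=163 Ack=7 Win=5888 Len=0
600.800562  192.168.1.225 -> x.x.x.180 TCP 49460 > 110 [ACK] Seq=7 Ack=164 Win=17308 Len=0
"""
WORKING_TRACE = r"""
  0.513003  x.x.x.180 -> 192.168.1.225 POP Response: +OK webmail.fireflycom.net Zimbra POP3 server ready
  1.019210  192.168.1.225 -> x.x.x.180 POP Request: AUTH
  1.312291  x.x.x.180 -> 192.168.1.225 POP Response: -ERR mechanism not specified
  1.316545  192.168.1.225 -> x.x.x.180 POP Request: CAPA
  1.682771  x.x.x.180 -> 192.168.1.225 POP Response: +OK Capability list follows
  1.691405  192.168.1.225 -> x.x.x.180 POP Request: STLS
  1.947000  x.x.x.180 -> 192.168.1.225 POP Response: +OK Begin TLS negotiation
  1.960657  192.168.1.225 -> x.x.x.180 POP Request: \026\003\001\000\226\001\000\000\222\003\001\000\002\245\225 \311\026\355
  2.228589  x.x.x.180 -> 192.168.1.225 POP Continuation
  2.502879  192.168.1.225 -> x.x.x.180 POP Request: \026\003\001\000f\020\000\000b\000`\316vV;\355
  2.765868  x.x.x.180 -> 192.168.1.225 POP Continuation
  3.229354  192.168.1.225 -> x.x.x.180 POP Request: \027\003\001\000 \342F\367T\203\213\354\177
  4.854393  192.168.1.225 -> x.x.x.180 TCP 49454 > 110 [FIN, ACK] Seq=610 Ack=5468 Win=16928 Len=0
"""

LINE_RE = re.compile(r"^\s*(?P<t>\d+\.\d+)\s+(?P<src>\S+) -> (?P<dst>\S+) "
                     r"(?P<proto>\S+) (?P<info>.*)$")
Packet = namedtuple("Packet", "t src dst proto info")  # proto is "TCP" or "POP"

def parse_tshark(text):
    """Parse tshark one-line summaries; lines that do not match are skipped."""
    return [Packet(float(m["t"]), m["src"], m["dst"], m["proto"], m["info"])
            for m in map(LINE_RE.match, text.splitlines()) if m]

# tshark renders binary payload C-style: \ooo for non-printable bytes, a few
# single-letter escapes, and printable ASCII as itself.
C_ESCAPES = {"a": 7, "b": 8, "f": 12, "n": 10, "r": 13, "t": 9, "v": 11, "\\": 92}

def decode_tshark_escapes(s):
    """Turn tshark's escaped payload text back into the bytes on the wire."""
    out, i = bytearray(), 0
    while i < len(s):
        if s[i] == "\\" and re.fullmatch(r"[0-7]{3}", s[i + 1:i + 4]):
            out.append(int(s[i + 1:i + 4], 8)); i += 4
        elif s[i] == "\\" and i + 1 < len(s) and s[i + 1] in C_ESCAPES:
            out.append(C_ESCAPES[s[i + 1]]); i += 2
        else:
            out += s[i].encode("latin-1", "replace"); i += 1
    return bytes(out)

RECORD_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
VERSIONS = {0: "SSL 3.0", 1: "TLS 1.0", 2: "TLS 1.1", 3: "TLS 1.2"}
HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello", 11: "certificate",
                   16: "client_key_exchange", 20: "finished"}

def classify_tls_record(payload):
    """(record type, version, handshake type or None) for the first TLS record
    in payload, or None if the bytes do not start with a TLS record header."""
    if len(payload) < 5 or payload[0] not in RECORD_TYPES or payload[1] != 3:
        return None
    rtype, hs = RECORD_TYPES[payload[0]], None
    if rtype == "handshake" and len(payload) > 5:
        hs = HANDSHAKE_TYPES.get(payload[5], "type %d" % payload[5])
    return rtype, VERSIONS.get(payload[2], "unknown"), hs

def analyse_pop_session(text):
    """Largest silence in the session, the last POP command the client had sent
    before it, whether STLS was issued, and how the bytes after STLS decode."""
    pkts = parse_tshark(text)
    requests, max_gap, stalled_after = [], 0.0, None
    for i, p in enumerate(pkts):
        if p.proto == "POP" and p.info.startswith("Request: "):
            requests.append(p.info[len("Request: "):])
        if i + 1 < len(pkts) and pkts[i + 1].t - p.t > max_gap:
            max_gap = pkts[i + 1].t - p.t
            stalled_after = requests[-1] if requests else None
    stls_seen = "STLS" in requests
    tls_records = []
    if stls_seen:
        for raw in requests[requests.index("STLS") + 1:]:
            rec = classify_tls_record(decode_tshark_escapes(raw))
            if rec:
                tls_records.append(rec)
    return {"max_gap": round(max_gap, 3), "stalled_after": stalled_after,
            "stls_seen": stls_seen, "tls_records": tls_records}
```

Calling analyse_pop_session on each trace gives the two facts worth having before touching any settings: in the scanner-on capture the longest silence (about 600 s, ending with the server's FIN) follows the CAPA exchange and the client never sends STLS at all, so the hang is before any TLS; in the scanner-off capture STLS is answered with "+OK Begin TLS negotiation" and the very next client bytes decode as a TLS 1.0 handshake record carrying a ClientHello, followed by a ClientKeyExchange and then application-data records, i.e. a normal STARTTLS upgrade on port 110.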
6 Comments
 
LVL 16

Expert Comment

by:warturtle
ID: 24305391
Do you have any firewall installed??
LVL 4

Author Comment

by:red_nectar
ID: 24308785
No firewall - and a correction regarding the code snippet - corrections in BOLD:
The first example shows a FAILED connection with the email scanner activated. The second shows the same connection WITH the email scanner de-activated.
LVL 16

Accepted Solution

by:
warturtle earned 500 total points
ID: 24308860
LVL 4

Author Comment

by:red_nectar
ID: 24321877
Open the AVG Free User Interface application
Select Tools->Advanced settings (See diagram below)
In the list on the left hand side, select E-mail Scanner->Servers.  On the right hand side you will see a button to [Add new server]
Click on the [Add new server] button, and give the server a name (eg mail.example.com) and leave the type as POP3
Now this is where things get tricky (because of a bug in the AVG interface). We actually want to specify the Type of Login as USER/COMPUTER, but (here's the bug) if you select the USER/COMPUTER option right now, you won't be able to type in your user/computer details at the prompt. So the work-around is to select Type of login as Fixed host, enter a host as user/server:port (eg red_nectar/mail.example.com:110), THEN select Type of login as USER/COMPUTER.
In the Additional settings section, leave the local port as 10111 and set the Connection to SSL default.
Finally, make sure that under the E-mail client POP3 server activation, the checkbox is ticked to Activate this server and use it for receiving e-mail.
Now, in Thunderbird, select Tools -> Account Settings, and for the account you want AVG to scan, select the Server Settings option in the left hand window (see other diagram below). In the right hand window, set the Server Name: to 127.0.0.1 and the Port to 10111 (to match the settings in AVG Free). Enter your User Name: in standard format (eg red_nectar@example.com) and under security settings, select TLS, if available.
The next time you check for mail, you should be prompted for your password, and so long as you get that right, you should find that your email gets scanned and then ends up in your inbox where you wanted it.

serversettings-avgfree.jpg
serversettings-thundrebird.jpg
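With the arrangement above, Thunderbird no longer talks to the mail server at all: it connects in the clear to the AVG proxy on 127.0.0.1:10111, and it is the proxy's "Connection: SSL default" setting, not Thunderbird's "TLS, if available", that decides whether the hop across the network is encrypted. The check a practitioner would want is to walk the same greeting -> CAPA -> STLS exchange Thunderbird performs against each hop with a timeout and see how far it gets. The following is an added Python example, not code from the thread or from AVG or Thunderbird; the host and port values in the comments (127.0.0.1:10111, mail.example.com:110) are the ones quoted in the post, and the loopback fake server is constructed here purely so the probe can be exercised offline, including a "stall" mode that goes silent after the capability exchange, which is the client-side symptom the failing capture shows.

```python
"""Added check for the local-proxy setup described above: probe a POP3 endpoint
through greeting, CAPA and STLS with a timeout and report where it stalls."""
import socket
import ssl
import threading
import time

def _readline(sock):
    """One CRLF-terminated POP3 line ('' on EOF); socket timeouts propagate."""
    buf = b""
    while not buf.endswith(b"\r\n"):
        chunk = sock.recv(1)
        if not chunk:
            break
        buf += chunk
    return buf.decode("latin-1").rstrip("\r\n")

def _read_multiline(sock):
    """Lines of a multi-line POP3 response up to the terminating '.'."""
    lines = []
    while (line := _readline(sock)) not in ("", "."):
        lines.append(line)
    return lines

def probe_pop3_stls(host, port, timeout=10.0, upgrade=True):
    """Report how far a POP3 session gets. With upgrade=False the probe stops
    after CAPA, which is the mode to use against a plaintext loopback proxy port
    (e.g. 127.0.0.1:10111 from the post); upgrade=True against the real server
    (e.g. mail.example.com:110) confirms the direct STLS path."""
    report = {"stls_offered": False}
    stage = "connect"
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            stage = "greeting"
            report["greeting"] = _readline(s)
            stage = "CAPA"
            s.sendall(b"CAPA\r\n")
            caps = _read_multiline(s) if _readline(s).startswith("+OK") else []
            report["capa"] = caps
            report["stls_offered"] = any(c.upper() == "STLS" for c in caps)
            if upgrade and report["stls_offered"]:
                stage = "STLS"
                s.sendall(b"STLS\r\n")
                report["stls"] = _readline(s)
                if report["stls"].startswith("+OK"):
                    stage = "TLS handshake"
                    ctx = ssl.create_default_context()  # verifies the server certificate
                    with ctx.wrap_socket(s, server_hostname=host) as tls:
                        report["tls"] = tls.version()
            report["result"] = "ok"
    except socket.timeout:
        report["result"] = "stalled at " + stage
    except OSError as exc:  # refused connection, TLS failure, reset, ...
        report["result"] = "error at %s: %s" % (stage, exc)
    return report

class FakePop3Server(threading.Thread):
    """Constructed loopback POP3 server so the probe can run offline. It
    advertises STLS; in stall mode it never answers the STLS command."""
    def __init__(self, stall=False):
        super().__init__(daemon=True)
        self.stall = stall
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]

    def run(self):
        conn, _ = self.sock.accept()
        with conn, self.sock:
            conn.sendall(b"+OK fake POP3 server ready\r\n")
            while True:
                cmd = _readline(conn).upper()
                if cmd == "CAPA":
                    conn.sendall(b"+OK Capability list follows\r\nSTLS\r\nUSER\r\n.\r\n")
                elif cmd == "STLS" and not self.stall:
                    conn.sendall(b"+OK Begin TLS negotiation\r\n")
                    return  # a real server would start TLS here; the fake stops
                elif cmd == "STLS":
                    time.sleep(3)  # swallow the command; the client should time out
                    return
                else:
                    return  # QUIT, EOF or anything unexpected

if __name__ == "__main__":
    srv = FakePop3Server(stall=True); srv.start()
    print(probe_pop3_stls("127.0.0.1", srv.port, timeout=1.0))
```

Against the working setup, probe_pop3_stls("127.0.0.1", 10111, upgrade=False) shows what the AVG proxy actually advertises to Thunderbird (whether STLS is in its CAPA list tells you whether "TLS, if available" does anything on the loopback hop), and probe_pop3_stls("mail.example.com", 110) with the scanner off should end with result "ok" and a TLS version. A report of "stalled at STLS" or "stalled at CAPA" localizes a hang to one command rather than a 600-second wait for the server to give up.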
LVL 4

Author Comment

by:red_nectar
ID: 24321898
Thanks for the lead warturtle - it put me on the right path to come to a solution which I have posted above in case anyone else needs to repeat the exercise.
LVL 16

Expert Comment

by:warturtle
ID: 24323526
That's good stuff, I am adding it to my knowledgebase so that I can help others in a similar situation. Thanks for the feedback and the points.