Evolution will not receive emails on high security setting

wpshooter
Level 6
Posts: 1455
Joined: Sun May 22, 2011 8:06 am

Evolution will not receive emails on high security setting

Post by wpshooter »

Can anyone tell me why it is that if I set the firewall on my Verizon D-link router to the HIGH setting
as opposed to the normal (recommended) setting, that I can not RECEIVE emails in Evolution email
client (however, if I attempt to receive the emails on Verizon's website client, the emails are received
fine).

Is there some way to receive emails in the Evolution client while the router firewall is set to the
highest setting ?

And yes, I have talked to Verizon about this and their only statement is that there is something wrong
with the email client "Evolution", are they correct ?

Thanks.
Last edited by LockBot on Wed Dec 28, 2022 7:16 am, edited 1 time in total.
Reason: Topic automatically closed 6 months after creation. New replies are no longer allowed.
Mint 21.3 Mate.

SERVICE > competition
JoeFootball
Level 13
Posts: 4673
Joined: Tue Nov 24, 2009 1:52 pm
Location: /home/usa/mn/minneapolis/joe

Re: Evolution will not receive emails on high security setting

Post by JoeFootball »

wpshooter wrote: Can anyone tell me why it is that if I set the firewall on my Verizon D-link router to the HIGH setting
as opposed to the normal (recommended) setting, that I can not RECEIVE emails in Evolution email
client (however, if I attempt to receive the emails on Verizon's website client, the emails are received
fine).

Given that you can use the web client and not the email client, I would guess that your router is allowing the web port (e.g., HTTPS 443), but it's blocking the port for whatever email protocol you're using (e.g., IMAPS 993).

wpshooter wrote: And yes, I have talked to Verizon about this and their only statement is that there is something wrong
with the email client "Evolution", are they correct ?

Does Evolution work ok when the router is set to the Normal setting? If so, then that's further evidence that the router is blocking the email client when it's on High. i.e., there's nothing wrong with the email client.

I would suspect that most home users don't leverage a formal email client, and therefore the High setting on the router blocks uncommonly used ports, such as those leveraged by email clients.

I'd also like to think that you could manually open the needed port in the router, while retaining the other aspects of the High setting.

Joe

Re: Evolution will not receive emails on high security setting

Post by wpshooter »

Joe:

Thanks for your reply.

The Max security choice for router configuration says that for inbound it is REJECT but that can be overridden by remote administration settings,
however when I go to remote admin settings I see several ports choices like 80, 8080 but there is NO port setting for
995 - pop3 which is the inbound port being used by Evolution and Verizon for incoming mail.

And, yes, as long as I leave router configured at middle (recommended), i.e. not MAX, both outgoing and incoming email work fine on Evolution.

Thanks.

Re: Evolution will not receive emails on high security setting

Post by JoeFootball »

wpshooter wrote: And, yes, as long as I leave router configured at middle (recommended), i.e. not MAX, both outgoing and incoming email work fine on Evolution.

Then it's clearly (to me) the router blocking the port, and if you're using the secure version of POP3 as your email protocol, that's indeed 995.

With that in mind, I'd contact Verizon, tell them you'd like to use the Max setting, but open port 995. See what they say. It would be unfortunate if they only allowed a few preset ports. :?

EDIT: Just fyi, List of TCP and UDP port numbers

Joe

Re: Evolution will not receive emails on high security setting

Post by wpshooter »

Joe:

I just did that, spent about 20 minutes on the phone, got zero answers, eventually after being put on hold
for about the 5th time, lost contact with the "support person" ha, ha ???
redlined

Re: Evolution will not receive emails on high security setting

Post by redlined »

hi wpshooter!

If you provide a model number for that specific d-link router we'll likely be able to find how to fine tune the High security settings to allow outbound on port 995 (since secure POP3 is protocol setup in evolution mail client). As in your case this High setting on router firewall is interfering with common use port and protocol and in doing so breaks evolution's ability to deliver the goods... It may even be attempting some pseudo-deep Stateful Packet Inspection (SPI) which can also break protocols used, especially on encrypted channels (like secure POP3). It may be a setting in router to disable SPI to see if that is muckin things up especially if opening ports for inbound isn't preferred or even doable in High security setting for that router.

I did want to mention "Inbound REJECT" is similar to how default setting for ip tables or UFW (if enabled) works in Linux in general. Your mail client (also web browser, downloaders, internet apps etc) connect OUT, and usually unmolested, on common ports and protocols. Once that outbound connection is established firewalls, in general, permit all data exchange and even dynamic port changes if implemented correctly.

There is rarely a common need for anything to connect IN (default block all Inbound sort of rules prevent this), some examples of Inbound to permit may include remote management (via SSH, VNC etc), active FTP (FTPS and SFTP included) but not the more commonly used passive FTP protocol, seeding torrents and other file-sharing may require inbound ports to be open. Hope this helps!

Re: Evolution will not receive emails on high security setting

Post by wpshooter »

Redlined:

It is a "D-Link DSL-2750B Board".

I am thinking that what I need to do is under the port triggering section of the Firewall section,
however, I am not exactly sure what all of the parameters should be for the various fields and
I am hesitant to start guessing.

Thanks.
redlined

Re: Evolution will not receive emails on high security setting

Post by redlined »

wpshooter wrote: Thu Dec 13, 2018 7:03 pm Redlined:

It is a "D-Link DSL-2750B Board".

I am thinking that what I need to do is under the port triggering section of the Firewall section,
however, I am not exactly sure what all of the parameters should be for the various fields and
I am hesitant to start guessing.

Thanks.

hi wpshooter! Let me look around for some guides that cover that d-link (nothing I could find on skim of verizon was helpful at all) :roll:

also, for what it's worth, avoid things like port-triggering/-knocking/-forwarding, at least for now.. I cannot think of a reason evolution would need any of that to get a pop3 secure channel opened and your emails downloaded. but I could also be very wrong on this point, lol

be back in a bit :mrgreen:
redlined

Re: Evolution will not receive emails on high security setting

Post by redlined »

Back!
8)

Ok, i found the full user manual for your router (which by the way is old and vulnerable to current attacks, it may be time to rattle verizon cages and tell them provide you with another type altogether)

dsl-2750b-verizon manual, sister site to portforward.com download the manual from there (or direct link to PDF found on that page). Page 35 confirms JoeFootball's suspicion that High setting is blocking your outbound on 995 (secure POP3). IMO, it has a very sloppy generic firewall setting allowing all sorts of insecure protocols out, while blocking encrypted protocol ports (allows unencrypted protocols/ports for IMAP, POP3, SMTP, FTP, Telnet, really only allows one encrypted outbound, HTTPS) :cry:

(High): Maximum Security
High security level only allows basic Internet functionality. Only Mail, News, Web, FTP, and IPSEC are allowed. All other traffic is prohibited.

(Medium): Typical Security
Like High security, Medium security only allows basic Internet functionality by default. However, Medium security allows customization through NAT configuration so that you can enable the traffic that you want to pass.

While it does state all other traffic is prohibited (while in High mode) it might be possible to sneak by that restriction using Access Control (see page 36) or Advanced Filtering (see page 42) to get it done while keeping your router in High mode.

Otherwise, using Medium security is something you know works for evolution and to be frank, it is doing all you should rely on it for which is basic block of all (unsolicited) Inbound connections while allowing most if not all common use Outbound ports and protocols from your computer. Plus it allows for sure those access controls and advanced filtering rules and starts to function as a normal NAT router with simple firewall at that point.

You can manage port and application permissions and blocking using UFW which is a simple tool with a simple interface that can be tweaked much easier than relying on an old d-link router provided by your internet provider. I use Startpage for searches (they pull from google so it would be the same, minus targeted ads) but if you search for that router "D-Link DSL-2750B" you will see this past year quite a few hits showing it is old and susceptible to metasploit and the satori worm because of two year old vulnerabilities... This is a one day patch it sort of exploit, sadly requires flashing the router with new firmware to fix- and it may serve better to flash it with openwrt based versions than d-link central provided stuff that will hide true capabilities of routers.

edit to add: security logs (see page 44) may help troubleshoot further if you attempt to stay in High setting while using access controls or advanced filtering

Re: Evolution will not receive emails on high security setting

Post by wpshooter »

Redlined:

You say "that router "D-Link DSL-2750B" you will see this past year quite a few hits showing it is old and susceptible to metasploit and the satori worm because of two year old vulnerabilities".

Are those something that are damaging to only systems using MS$ OS or can they attack / damage any OS including Linux Mint ?

Thanks.

Hmmmm, looking at this

https://www.symantec.com/security-cente ... 15-5207-99

I am thinking the answer is it can attack Linux systems, am I correct ? Thanks.

And further, the Verizon (again "tech support") says that there is nothing to worry about using the 2750B but
this link, good old Toms Hardware tells me that Verizon does not know what they are talking about.

https://www.tomsguide.com/us/dlink-rout ... 27482.html

Thanks for your help.
redlined

Re: Evolution will not receive emails on high security setting

Post by redlined »

wpshooter wrote: Fri Dec 14, 2018 9:05 am Redlined:

You say "that router "D-Link DSL-2750B" you will see this past year quite a few hits showing it is old and susceptible to metasploit and the satori worm because of two year old vulnerabilities".

Are those something that are damaging to only systems using MS$ OS or can they attack / damage any OS including Linux Mint ?

Thanks.

Hmmmm, looking at this

https://www.symantec.com/security-cente ... 15-5207-99

I am thinking the answer is it can attack Linux systems, am I correct ? Thanks.

And further, the Verizon (again "tech support") says that there is nothing to worry about using the 2750B but
this link, good old Toms Hardware tells me that Verizon does not know what they are talking about.

https://www.tomsguide.com/us/dlink-rout ... 27482.html

Thanks for your help.

hi wpshooter!

That satori worm is a router only exploit that OS Linux is not vulnerable to, rather the stripped kernel used for the firmware and/or the engine you use to access settings. Once the router is infected however, all sorts of mischief can be implemented including seeking vulnerabilities on your internal network computers/phones/IoT, etc, rerouting all traffic out from router through their proxy (for capture/log unencrypted channels filtering for user/pass in plain text, etc) or most likely scenario of using the router in large scale botnet attacks (denial of service) or support cryptocoin mining. These last two can have drastic effect on your own quality of internet, especially speeds and if you have a metered connection or data caps you might find your (e.g. 1TB/month) allowance used up in a matter of days instead of weeks.

Not meaning to spread FUD (fear, uncertainty, doubt) but in case that router is not flashed to new version of patched firmware then it is indeed vulnerable and I'd say verizon is full of it. The question becomes, is verizon sure it's fixed (they pushed the update to patch router unbeknownst to you, since it is a verizon branded router with custom firmware, the ball is in their court!), is customer service even trained to know the difference (they sounded pretty flaky trying to help you on this issue), or are they ignoring it thinking they have malware control down and as your internet provider there is nothing to worry about (or ignoring it as a less not worth the cost of fix, profit margin always first, regardless the customer desire for security/privacy).

For sure see if router firmware is older than December 2016 (when vulnerability was exposed in this router) and if it is I'd demand a new DSL modem/router from them or look seriously at returning their product (if you rent it monthly) after purchasing your own DSL modem and router (I'd get separate pieces, with router getting the bigger chunk of budgeted for network upgrades)

I'd use the "insecure" argument with verizon in demanding a replacement for vulnerable router as you've established already with their customer service a desire for High security which fails to allow common encrypted POP3S (port 995, refuse unencrypted POP3 as a compromise option you will consider) and that with your required mail client use it's not possible to allow 995 out while maintaining a safe (High) security profile at router to protect your home network. It's certainly worth trying. I've left internet service providers for much less reason, and whether they care or not (I am just one customer, after all) I rest better at night knowing my money spent is providing me what I want, not what they can get away with providing, protecting profits over users.

Do attempt them access controls though, say allow outbound port 995 24o7, while in High security setting. If it doesn't work, set back on medium, where it states it's the same as high for outbound (but obviously is not the same) and you can set block all outbounds and fine tuning outbound port permissions with the Advanced filtering page (block all in and out, then add allow out ports 53 (DNS), 21 (FTP, if used), 80 (HTTP), 443 (HTTPS), 465 (SMTPS) 995 (POP3S) and other ports you know are desired, such as for torrents, streaming audio/video, irc/chat clients, ssh/vpn, etc.)

Really the best tool for sorting what is happening is block all then add one by one rules in advanced filtering as you see them in the router security log- that will tell what each device on network is trying to connect outbound on which port (blocked), hence the port you need outbound rule for is identified correctly for the application or service you use. You could easily lock it down further by device on network using static IP allows, by port, and set that static IP on system, rather than DHCP assigned. Tons of paranoid (they really are out to get me :mrgreen: ) tips like that I could share but most grew from concerns over M$ vulnerabilities which vanilla out of the box Linux installs are immune to, so a majority of concerns don't even apply and good net hygiene habits and practices go further in protecting users than most other software and hardware nannies.

Lot of chatter in my above response, do forgive my wordiness! and I hope some of it helps!
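
The log-driven approach described in the post above (block everything, read the router security log, then add one outbound rule per blocked port), sketched as an added example that is not part of any post in this thread. The log line layout, the sample addresses and the names `blocked_outbound` and `propose_rules` are assumptions; real router logs differ by vendor and firmware.

```python
import re
from collections import defaultdict

# Constructed sample lines. The field layout is an assumption for illustration.
SAMPLE_LOG = """\
Dec 14 09:01:12 fw: BLOCK OUT src=192.168.1.10 dst=203.0.113.25 proto=TCP dport=995
Dec 14 09:01:15 fw: BLOCK OUT src=192.168.1.10 dst=203.0.113.25 proto=TCP dport=995
Dec 14 09:02:40 fw: BLOCK OUT src=192.168.1.10 dst=203.0.113.26 proto=TCP dport=465
Dec 14 09:03:02 fw: BLOCK OUT src=192.168.1.23 dst=198.51.100.7 proto=UDP dport=53
Dec 14 09:03:30 fw: BLOCK IN src=198.51.100.99 dst=192.168.1.10 proto=TCP dport=23
Dec 14 09:04:11 fw: ALLOW OUT src=192.168.1.10 dst=198.51.100.8 proto=TCP dport=443
Dec 14 09:05:00 fw: BLOCK OUT src=192.168.1.23 dst=198.51.100.50 proto=TCP dport=6667
garbled line without fields
"""

# Ports named in the thread; anything else is left for a human to decide.
KNOWN = {21: "FTP", 53: "DNS", 80: "HTTP", 443: "HTTPS",
         465: "SMTPS", 993: "IMAPS", 995: "POP3S"}

LINE_RE = re.compile(
    r"(?P<action>BLOCK|ALLOW) (?P<dir>IN|OUT) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) proto=(?P<proto>TCP|UDP) dport=(?P<dport>\d+)"
)

def blocked_outbound(log_text):
    """Return {(src, proto, dport): hit count} for blocked outbound attempts."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        # Skip unparseable lines, allowed traffic and unsolicited inbound:
        # inbound blocks are the firewall doing its job, not rules to open.
        if not m or m["action"] != "BLOCK" or m["dir"] != "OUT":
            continue
        hits[(m["src"], m["proto"], int(m["dport"]))] += 1
    return dict(hits)

def propose_rules(hits):
    """Split blocked flows into allow candidates (known service) and review items."""
    allow, review = [], []
    for (src, proto, dport), count in sorted(hits.items()):
        entry = {"src": src, "proto": proto, "dport": dport,
                 "hits": count, "service": KNOWN.get(dport)}
        (allow if dport in KNOWN else review).append(entry)
    return allow, review

if __name__ == "__main__":
    allow, review = propose_rules(blocked_outbound(SAMPLE_LOG))
    for r in allow:
        print(f"allow out {r['proto']} {r['src']} -> any:{r['dport']} "
              f"({r['service']}, {r['hits']} hits)")
    for r in review:
        print(f"review    {r['proto']} {r['src']} -> any:{r['dport']} "
              f"({r['hits']} hits, unknown service)")
```

Keying the result on source address as well as port matches the per-device static IP rules suggested in the same post.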

Re: Evolution will not receive emails on high security setting

Post by wpshooter »

Redlined:

Verizon says that they are supposedly auto updating the firmware on the D-link, however, when I see a release date
on the configuration interface of way back in year 2013, that tells me that either they are not doing so or more probably
that there are not (and are not going to be) any updated firmware for this router.

I switched to an Actiontec GT784WNV today and there was available a firmware update newer than the one that came
from factory on the router, I applied that manually after waiting a while to see if it would be updated automatically.

However, in some ways the Actiontec is worse because if I try to change the firewall setting on it from NAT to HIGH
afterwards I can no longer send or receive emails, can not even access the Internet and even can not get back into
the router interface to change the firewall setting back to NAT except by manually going back to all default settings
via hardware button. I have not yet tried to see if things will work on one of firewall settings less than HIGH. Might
try that tomorrow. Am thinking IF (and that is a big IF), I knew exactly which of the various services to set the incoming
and outgoing permissions, I might be able to get it to work but my guess is that those settings would probably be the
same as either the LOW or MEDIUM firewall choices.

Thanks.
redlined

Re: Evolution will not receive emails on high security setting

Post by redlined »

hey wpshooter

yah, that 2013 date is the teller, the bug is 2 years old (2016), they didn't fix nothing, so busted :lol:
and bummer the new modem+router combo (I take it) is being ornery, however, take a good look for and at any router logs, it will definitely show you what is getting blocked (port) from which device (computer IP address). That's all you need to go in and set it to medium, then see if custom rules can be set. start with block all, then allow outbound for the following ports/port ranges and just allow out those ports you see blocked in logs, further restrict things by using static IP address for all devices on network and allow outbound to IP as well by port. That's plenty more than enough to protect even a vulnerable network, which you really don't worry as long as there is no threat unpatched for long at modem/router level of entry/exit.

It was a good discussion Wp, thanks! I learned some things too. Always good :mrgreen:

Re: Evolution will not receive emails on high security setting

Post by wpshooter »

Redlined:

I did more trial and error this morning and I think I have it set so that it works.
Don't ask me why (maybe you can tell me) but seems the only difference in
the MEDIUM firewall choice and the HIGH firewall choice is that the high
choice turns off both incoming and outgoing on DNS service - everything else
on medium and high seem to be the same.

So what I did was I chose medium firewall setting and then unchecked the
incoming function for all of the ICMP services and now I can both get
to the Internet, open the router interface when I want to and send and receive
emails on my Evolution client.

This is on/with the Actiontec router.

Thanks for your help.
redlined

Re: Evolution will not receive emails on high security setting

Post by redlined »

hi wpshooter!

That sounds like a safe compromise for sure, glad you got it working!