First Time: Comodo Possibly Miss

Hi,

I’ve been using CIS (or previously Comodo Firewall) for several years. So far, it is the best firewall, much better even than major commercial ones – it is just simply ONE LEVEL UP than others in the industry.
Also, CIS works on Windows servers and 64-bit, and is free – although I do have some wishes for the firewall, such as an easier real-time network traffic monitor.

But recently, when I installed an application called hMailServer (http://www.hMailServer.com), the first time, Comodo firewall missed capturing the hMailServer’s internet connections for sending out messages.

I configured Comodo Firewall for hMailServer application with allowing both IN and OUT for POP3, SMTP and IMAP ports and blocking all other connections for hMailServer.

For every action (either allowing or blocking) of the firewall, for every application, I enabled logging. So whether hMailServer is allowed to connect to the internet or blocked from connecting to the internet, the log information should be there.

The situation is: there is NO logging information showing up when hMailServer sends email messages out – likely Comodo Firewall missed capturing the connections. But incoming connections to the hMailServer application are captured by Comodo Firewall.

Please note: I disabled ALL Windows internal firewalls on the Win server 2k8 host machine.

Strange thing is:
If the Comodo firewall was on since the machine started, the hMailServer CAN NOT send messages out – there is no Comodo Firewall logging showing this connection either allowed or blocked.
If I disable the Comodo Firewall, the hMailServer immediately CAN SEND messages out to outside email accounts – but STILL NO LOGGING information for this connection.
Now I enable Comodo Firewall again, hMailServer STILL CAN SEND messages out until machine is shutdown and restarts – but STILL NO LOGGING information for this connection.

I asked the hMailServer site guys and they seemed not able to figure it out.

As Comodo Firewall normally is reliable and configurable for 100%, this sudden miss makes the security still an issue – it seems that there are some possible hidden channels out there.

Could someone help with this?

Maybe a good way is, install the hMailServer and test.

What version of CIS are you using? Note that CIS was not built and tested for Win Server 2k8. That being said, it appears to be possible to make CIS run on Server OS environments.

What version ...
5.0.163652.1142
CIS was not built and tested for Win Server 2k8. That being said, it appears to be possible to make CIS run on Server OS environments.
Very regrettable. When 64-bit CIS came out, I naturally thought servers were included :). Using the Server 2k8 internal firewall, hMailServer's sending actions are captured and logged -- but without as much detailed info as CIS provides. A wish though: so far, CIS already goes that far -- I mean it is pretty good on Windows servers. If that one could be fixed, we guys will really cheer. Thank you.

Can you show the application rule you made for the email program?

I am an engineer at COMODO. I have tried to reproduce the issue but could not. Below are my detailed reproduction steps:

  1. Install Windows Server 2008 (x64);
  2. Install and configure HmailServer, and create two accounts, one for the local machine and one for another machine (Windows XP);
  3. Install CIS 1142 and reboot the machine; add two rules for the application HmailServer. First rule: allow any communication whose destination port is 110. Second rule: block all IP data packets. Both have the logging flag set on;
  4. Configure an email account with firefox on the two machines;
  5. Send email to each other.

Test Result: The network events all are captured. The issue does not occur.

Please review my test steps. If you have any questions, feel free to send me an email!

Hi grt,

Based on the same test steps, we have tried CIS version 5.1.173720.1193 and version 5.3.176554.1234, and the issue is still not reproduced.

Please update to the latest version and verify the issue.

If you have any questions, please send me a message!

Hi Rick,
Thanks for your efforts on the experiments.

Based on the same test steps, we have tried CIS version 5.1.173720.1193 and version 5.3.176554.1234, and the issue is still not reproduced. Please update to the latest version and verify the issue.
I uninstalled my old version (5.0.163652.1142) and clean-installed the newest version, 5.3.176757.1236. Exactly the same result as with the old version 5.0.163652.1142.
Install CIS 1142, reboot machine; add two rules for application HmailServer. First rule: allow any communication whose destination port is 110. Second rule: block all IP data packets, both with the logging flag set on;
Not port 110, port 25 instead -- also note: for sending out, not receiving -- receiving is captured.
4) Configure an email account with firefox on the two machines; 5) Send email to each other.
Not between two internal mail accounts on one hMailServer -- it is an internal account sending a message out to an external email account.
Test Result: The network events all are captured. The issue does not occur.
This is not clear. The port 110 action is captured. Port 25 receiving is also captured. The problem is with the sending out action. If you captured the sending out action, the captured log info should show that the remote (or destination) port is 25.

Please review my topic post.

Actually, there are two problems for this case. I put them together:

  1. CIS naturally blocks hMailServer sending out – by “naturally” I mean
    when the host server starts and CIS is enabled, CIS would block the smtp sending out action.
    But there is NO logging info for such a block – hMailServer shows the message external
    “server refused”
  2. When I disable the CIS firewall, then hMailServer WILL send out emails to
    external email accounts – Received emails on the external email accounts and hMailServer
    log shows external servers receive the messages.
    But, CIS log STILL DOES NOT show this action
    (Edit: my copy-paste error – NO log if firewall disabled)

  3. Then when I RE-ENABLE the Firewall again, hMailServer CAN STILL send message out.
    But, CIS log STILL DOES NOT show this action
  4. Note: in my CIS configuration, all actions for any programs, either allowing or blocking, are
    log enabled. And, I do not use Global Rules – all deleted.
    Thus, whatever the application, whether it is blocked or allowed, there should be
    log info for that – but for hMailServer’s sending out, NO.
  5. My process of sending email from an internal account to an external account:
    – There is an email account ‘test’ on the internal server hMailServer – internal account.
    – Want to send a message from the internal account ‘test’ to an external email account,
    say ‘test123[at]gmail’.
    – Use Outlook Express (of course, account ‘test’ should be set up on Outlook Express) to
    connect the internal mail server hMailServer – different machines on internal network.
    The connection to host server port 25 (for smtp) was captured by CIS
    hMailServer log shows this action.
    – Then hMailServer sends that message to an external email server, say gmail.com:
    a) If CIS naturally started (started since host server started), then external email account
    WOULD NOT receive any message.
    CIS’s log DOES NOT show this action – whatever allowed or blocked.
    hMailServer log shows remote server ‘refused’ the connection.
    b) If CIS firewall is then disabled, then the external email account receives messages.
    CIS’s log DOES NOT show this action – which actually is successful.
    (Edit: my copy-paste error – NO log if firewall disabled)
    =================================
    hMailServer log shows remote server received this message.
    c) If CIS firewall is then RE-ENABLED, the external email account CAN STILL receive
    messages.
    CIS’s log DOES NOT show this action – which actually is successful
    hMailServer log shows remote server received this message

dunson

Hi dunson,

Thanks for your kind help!

Our guy tried to reproduce the issue based on your description, but could not set up an environment like yours; we encountered some difficulty. Below is a question about the configuration; please help me answer it.

Please tell me your hmailserver configuration. I installed hmailserver on a Windows Server 2008 64-bit OS. When I configure hmailserver Settings->protocols->SMTP->delivery of e-mail->smtp relayer with “smtp.gmail.com” and port “465”, I can send e-mail from an internal account to an external account (like xxxx@126.com), but if I use another mail server with port “25”, the e-mails cannot be sent out, with the error “authentication is required”. I cannot be sure whether there is something wrong with my configuration, so could you tell me the details of your configuration?

Hi Rick,
Sorry for the slightly late reply – I didn’t see your post.

When I configure hmailserver Settings->protocols->SMTP->delivery of e-mail->smtp relayer with “smtp.gmail.com” and port “465”, ...
To make it simple, and if your ISP does not block the smtp port (25), it's suggested NOT to use a relayer -- just leave this box blank. And also, for this testing, just use plain smtp and do not use SSL.
but if I use another mail server with port “25”, the e-mails cannot be sent out, with the error “authentication is required”. I cannot be sure whether there is something wrong with my configuration, so could you tell me the details of your configuration?
Open hMailServer's administration program. Go to

    Settings  --> Advanced --> IP Range --> Internet

On the right panel, in section “Require SMTP authentication”:
Make sure “External to local e-mail addresses” is UN-CHECKED – this is where your error “authentication is required” comes from.
Make sure other three option boxes are CHECKED.

Also on the same panel, in section “Allow deliveries from”:
Make sure all four option boxes are CHECKED.

Very glad to see you are taking action on this issue.

dunson

Hi grt, this is the COMODO Firewall team.

I configured Comodo Firewall for hMailServer application with allowing both IN and OUT for POP3, SMTP and IMAP ports and blocking all other connections for hMailServer.
Through debugging hmailserver.exe, we found that before sending an e-mail to an external account, hmailserver.exe creates a connection from “0.0.0.0” to “127.0.0.1”. We did not know the purpose of hmailserver creating this connection. If you block this connection, hmailserver will not send e-mail out. You blocked “all other connections for hMailServer.” That is why “If the Comodo firewall was on since the machine started, the hMailServer CAN NOT send messages out”. Then you disabled the COMODO firewall, so this connection could be set up and you could send messages out. After this you enabled the COMODO firewall; because the connection between “0.0.0.0” and “127.0.0.1” had already been established, “hMailServer STILL CAN SEND messages out until machine is shutdown and restarts”.
but STILL NO LOGGING information for this connection.

There is a constant time interval in the core portion of the firewall, and its value is 1.5 s. To avoid the log items increasing too fast, we add one log entry to the “Firewall Events” box at intervals of at least 1.5 s, so we might lose some information within this 1.5 s interval. But all the packets have already been processed by your rules in the firewall core; just a few log items have not been displayed in the “Firewall Events” box.

Suggestion: you can add another rule with “action: allow, protocol: TCP/UDP, direction: IN/OUT, source address: 0.0.0.0, destination address: 127.0.0.1, source port: any, destination port: any” to hmailserver.exe, and make sure this rule is placed over the rule blocking all other connections for hmailserver.
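
The explanation in the post above (a blocked loopback connection, the position of the allow rule, and a 1.5 s log throttle) can be modelled as follows. This is an added example, not COMODO's code and not part of the thread; top-down first-match evaluation, matching on destination only, a single global throttle, port 49152 and the address 192.0.2.10 are assumptions made for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address

@dataclass(frozen=True)
class Rule:
    action: str                          # "allow" or "block"
    dst_addr: str = ""                   # "" matches any destination address
    dst_ports: frozenset = frozenset()   # empty set matches any port

def evaluate(rules, dst_addr, dst_port):
    """Return the action of the first matching rule (assumed top-down order)."""
    for rule in rules:
        if rule.dst_addr and ip_address(rule.dst_addr) != ip_address(dst_addr):
            continue
        if rule.dst_ports and dst_port not in rule.dst_ports:
            continue
        return rule.action
    return "block"

def simulate(rules, events, log_interval=1.5):
    """Decide every event, but log at most one entry per log_interval seconds."""
    decisions, log, last_logged = [], [], None
    for ts, dst_addr, dst_port in events:
        action = evaluate(rules, dst_addr, dst_port)
        decisions.append(action)  # the rule decision is never skipped
        if last_logged is None or ts - last_logged >= log_interval:
            log.append((ts, dst_addr, dst_port, action))
            last_logged = ts
    return decisions, log

ALLOW_MAIL = Rule("allow", dst_ports=frozenset({25, 110, 143}))
BLOCK_ALL = Rule("block")
ALLOW_LOOPBACK = Rule("allow", dst_addr="127.0.0.1")

# Constructed events: (seconds, destination address, destination port).
EVENTS = [
    (0.0, "192.0.2.10", 25),    # client submits mail to the server
    (0.4, "127.0.0.1", 49152),  # loopback connection made before delivery
    (1.2, "127.0.0.1", 49152),  # retry of the same loopback connection
]

ORIGINAL = [ALLOW_MAIL, BLOCK_ALL]                    # rules as first described
FIX_TOO_LOW = [ALLOW_MAIL, BLOCK_ALL, ALLOW_LOOPBACK]      # never reached
FIX_ABOVE_BLOCK = [ALLOW_MAIL, ALLOW_LOOPBACK, BLOCK_ALL]  # suggested placement

if __name__ == "__main__":
    for name, rules in [("original", ORIGINAL), ("too low", FIX_TOO_LOW),
                        ("above block", FIX_ABOVE_BLOCK)]:
        print(name, *simulate(rules, EVENTS))
```

With the original rules the loopback connection is blocked twice, yet the only log entry is the inbound SMTP connection that arrived just before it.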