Overview
Unable to update the anti-phishing definitions over HTTPS. Ports are not blocked and the download URLs are allowed through the firewall. The update generates the error:
The automatic Anti-Phishing updates have failed # consecutive times in the last # minutes.
If tracing is enabled, the ..\GFI\MailEssentials\Antispam\DebugLogs\audldownload.txt
logfile shows the following:
2020-01-04,09:30:14,335,0,"#00003f8c","#00003ea4","error ","audldownload","Failed to send https request: 12007"
2020-01-04,09:30:14,342,0,"#00003f8c","#00003ea4","error ","audldownload","The server name or address could not be resolved"
2020-01-04,09:30:14,342,0,"#00003f8c","#00003ea4","error ","audldownload","Failed conecting to HTTP"
Solution
The download of the anti-phishing definitions takes place over a secure connection (HTTPS). In a default installation, if this connection fails, the definitions cannot be updated.
As a workaround, please follow the steps below:
Configure .NET Framework to support strong cryptography
Since SSL has been retired in favor of TLS, we must configure the installed .NET Framework to support strong cryptography.
Open a new PowerShell window as Administrator and run the following commands:
On a 32 bit operating system (x86):
New-ItemProperty -path 'HKLM:\SOFTWARE\Microsoft\.NetFramework\v4.0.30319' -name 'SchUseStrongCrypto' -value '1' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SOFTWARE\Microsoft\.NetFramework\v4.0.30319' -name 'SystemDefaultTlsVersions' -value '1' -PropertyType 'DWord' -Force | Out-Null
On a 64 bit operating system (x86_64):
New-ItemProperty -path 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NetFramework\v4.0.30319' -name 'SchUseStrongCrypto' -value '1' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NetFramework\v4.0.30319' -name 'SystemDefaultTlsVersions' -value '1' -PropertyType 'DWord' -Force | Out-Null
Ensure that updates can go through
GFI MailEssentials can be configured to fall back to HTTP, in case a secure connection cannot be established. The procedure is described in the Setting MailEssentials to use HTTP to download updates article.
This connection issue is an environmental problem and is not related to GFI MailEssentials. Although these workarounds are in place, it is advised to investigate your environment for what is preventing the establishment of a secure connection.
Testing
After enabling strong encryption and allowing the fall back to HTTP, the updates are working as expected.