Kerio Connect POP3 Retriever Hangs on Specific Emails Due to Firewall IPS/DPI Interference

Overview

When Kerio Connect retrieves emails from a remote POP3 mailbox, the traffic passes through any firewalls on the network path. If a firewall runs an Intrusion Prevention System (IPS) or Deep Packet Inspection (DPI) engine, it may inspect the content of POP3 transfers in real time. Certain attachment types — particularly PDFs containing embedded JavaScript or form elements — can trigger IPS rules that silently drop the packets mid-transfer. This causes Kerio Connect's POP3 client thread to hang indefinitely, blocking all subsequent POP3 retrieval attempts.

This article explains how to diagnose the issue and provides resolution steps applicable to any firewall, with Kerio Control used as a concrete example.

Symptoms

  • POP3 retrieval from a remote mailbox hangs after successfully connecting and authenticating.
  • The Kerio Connect debug log shows the message is identified and retrieval begins, but never completes:
    {pop3c} Retrieving message no. 1, UID: UID22-1769764693 from mail2.example.com.
  • Subsequent scheduled POP3 runs report:
    {pop3c} Receiving already in progress.
  • The issue occurs only with specific emails — typically those containing PDF attachments with embedded JavaScript or form elements.
  • Other emails (including those with different PDFs) download successfully.
  • Manual POP3 retrieval via telnet from a machine not behind the firewall succeeds without issue.
  • Disabling Kerio Connect's built-in antivirus, antispam, and attachment filters does not resolve the problem.
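
The log signature in the list above can be checked mechanically. This is an added example, not Kerio's code: it scans a debug log for a retrieval that never completes and is then followed by "Receiving already in progress." entries. The timestamp prefix and the sample lines are constructed; only the {pop3c} message texts come from this article.

```python
import re

# Constructed sample: message texts are the ones quoted in this article,
# the timestamp prefix and the UID21 entry are made up for illustration.
SAMPLE_DEBUG_LOG = """\
[30/Jan/2026 10:00:01] {pop3c} Processing account 'user@example.com' on 'mail.example.com'
[30/Jan/2026 10:00:02] {pop3c} Retrieving message no. 1, UID: UID21-1769764001 from mail.example.com.
[30/Jan/2026 10:00:03] {pop3c} Message delivered to user@example.com
[30/Jan/2026 10:05:01] {pop3c} Retrieving message no. 1, UID: UID22-1769764693 from mail2.example.com.
[30/Jan/2026 10:10:00] {pop3c} Receiving already in progress.
[30/Jan/2026 10:15:00] {pop3c} Receiving already in progress.
"""

RETRIEVE = re.compile(
    r"\{pop3c\} Retrieving message no\. (\d+), UID: (\S+) from (\S+?)\.?$")
DELIVERED = re.compile(r"\{pop3c\} Message delivered to ")
BUSY = re.compile(r"\{pop3c\} Receiving already in progress")


def find_stuck_retrievals(log_text):
    """Return retrievals that never completed and blocked later POP3 runs."""
    stuck, pending = [], None
    for raw in log_text.splitlines():
        line = raw.rstrip()
        m = RETRIEVE.search(line)
        if m:
            # Remember the retrieval until a delivery line closes it.
            pending = {"msg_no": int(m.group(1)), "uid": m.group(2),
                       "server": m.group(3), "blocked_runs": 0}
        elif DELIVERED.search(line):
            pending = None
        elif BUSY.search(line) and pending is not None:
            # A scheduled run was refused while the retrieval was still open.
            if pending["blocked_runs"] == 0:
                stuck.append(pending)
            pending["blocked_runs"] += 1
    return stuck


if __name__ == "__main__":
    for s in find_stuck_retrievals(SAMPLE_DEBUG_LOG):
        print(f"stuck: message {s['msg_no']} ({s['uid']}) on {s['server']}, "
              f"{s['blocked_runs']} blocked run(s)")
```

The UID and server it reports identify the message to test from outside the firewall and the address to search for in the firewall's IPS log.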

Cause

Many firewalls and UTM appliances — including Kerio Control, Fortinet FortiGate, Sophos, pfSense (Snort/Suricata), and others — include an IPS/DPI engine that inspects traffic in real time. These engines use signature-based rules to detect and block potentially malicious content passing through the network.

When POP3 traffic contains an email with an attachment that matches an IPS rule, the firewall may silently drop the packets mid-transfer. From Kerio Connect's perspective, the TCP connection stalls — the POP3 client thread hangs waiting for data that never arrives, and all subsequent POP3 polling attempts are blocked with "Receiving already in progress."

A common trigger is PDFs containing embedded JavaScript or form elements. For example, the widely used Emerging Threats rule set includes:

Rule ID: 1:2014154
Description: ET INFO PDF Containing Subform with JavaScript

This rule is present in Kerio Control, Snort, Suricata, and other IPS engines that use the ET rule set. It frequently causes false positives because many legitimate business documents (invoices, interactive order forms) contain PDF forms with JavaScript that match the broad signature.

Resolution

Step 1: Identify the Firewall Causing the Block

Determine whether a firewall with IPS/DPI is sitting between Kerio Connect and the remote POP3 server:

  1. Test POP3 retrieval from a machine that bypasses the firewall (e.g., via telnet to port 110 on the remote server from outside the network). If the message downloads successfully, a network-level appliance is interfering.
  2. Check the IPS or security event logs on your firewall for dropped or blocked packets matching the remote POP3 server's IP address and port 110 (or 995 for POP3S).
  3. Look for rule hits referencing attachment content — common culprits include rules in the ET INFO category such as rule 1:2014154 ("PDF Containing Subform with JavaScript").

Step 2: Resolve the IPS Block on Your Firewall

The general approach is the same regardless of firewall vendor: either disable the specific IPS rule that is triggering, or create an exception for POP3 traffic. Below are the general options followed by a Kerio Control-specific example.

Option A: Disable or Downgrade the Specific IPS Rule (Recommended)

General approach: In your firewall's IPS/IDS management interface, locate the rule that triggered (e.g., rule 1:2014154) and either disable it or change its action from Drop to Log Only / Alert. This preserves IPS protection for all other traffic while allowing legitimate PDFs through.

Kerio Control example: see "Configuring Ignored Intrusions - KerioControl".

You can confirm the block beforehand by checking Logs > IPS for entries like:

IPS: Packet drop, severity: High, Rule ID: 1:2014154 ET INFO PDF Containing Subform with JavaScript,
proto: TCP, ip/port: <remote_server_ip>:110 -> <kerio_connect_ip>:<port>
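
To find which rule to target, exported IPS log entries in the format shown above can be filtered for drops on the POP3 path. This is an added example, not part of Kerio Control: the function name, IP addresses, timestamps and rule 1:9999999 are constructed, and it assumes entries keep the field order shown above.

```python
import re
from collections import Counter

# Constructed sample in the entry format shown above. The second entry is
# wrapped over two lines the way the article prints it.
SAMPLE_IPS_LOG = """\
[30/Jan/2026 10:05:02] IPS: Packet drop, severity: High, Rule ID: 1:2014154 ET INFO PDF Containing Subform with JavaScript, proto: TCP, ip/port: 203.0.113.25:110 -> 10.0.0.5:51544
[30/Jan/2026 10:05:04] IPS: Packet drop, severity: High, Rule ID: 1:2014154 ET INFO PDF Containing Subform with JavaScript,
proto: TCP, ip/port: 203.0.113.25:110 -> 10.0.0.5:51544
[30/Jan/2026 10:07:40] IPS: Packet drop, severity: High, Rule ID: 1:9999999 EXAMPLE constructed rule, proto: TCP, ip/port: 198.51.100.7:80 -> 10.0.0.20:40222
"""

IPS_ENTRY = re.compile(
    r"IPS: (?P<action>[^,]+), severity: (?P<severity>\w+), "
    r"Rule ID: (?P<rule_id>\d+:\d+) (?P<desc>.*?),\s*"
    r"proto: (?P<proto>\w+), ip/port: (?P<src_ip>[\d.]+):(?P<src_port>\d+) -> "
    r"(?P<dst_ip>[\d.]+):(?P<dst_port>\d+)")

POP3_PORTS = {110, 995}  # POP3 and POP3S, as listed in Step 1


def pop3_drops(log_text, pop3_server_ip, connect_ip):
    """Count dropped packets per rule on the remote POP3 -> Kerio Connect path."""
    hits = Counter()
    for m in IPS_ENTRY.finditer(log_text):
        if (m["action"].strip().lower() == "packet drop"
                and m["proto"].upper() == "TCP"
                and m["src_ip"] == pop3_server_ip
                and int(m["src_port"]) in POP3_PORTS
                and m["dst_ip"] == connect_ip):
            hits[(m["rule_id"], m["desc"].strip())] += 1
    # Most frequently hit rule first.
    return [(rid, desc, n) for (rid, desc), n in hits.most_common()]


if __name__ == "__main__":
    for rid, desc, n in pop3_drops(SAMPLE_IPS_LOG, "203.0.113.25", "10.0.0.5"):
        print(f"{n} drop(s): rule {rid} {desc}")
```

Drops from other sources or ports are ignored, so only rules that affect the POP3 retrieval path are reported.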

Option B: Create an IPS Exception for POP3 Traffic

General approach: Add a rule exception or bypass that excludes POP3 traffic (port 110/995) between the remote mail server and your Kerio Connect server from IPS inspection. This limits the exception to a narrow traffic scope.

Kerio Control example: see "Configuring Protocol-Specific Intrusions - KerioControl".

Option C: Temporarily Disable IPS (Emergency Only)

If you need to unblock the stuck message immediately:

  1. Disable IPS/DPI on the firewall temporarily.
  2. Trigger a manual POP3 retrieval in Kerio Connect to download the stuck message.
  3. Re-enable IPS immediately afterward.

This is not recommended for production environments and should only be used as a short-term measure.

Step 3: Clear the Stuck POP3 Session

After resolving the IPS block, the stuck POP3 thread may persist until the service is restarted:

  1. Restart the Kerio Connect service, or wait for the stuck thread to time out naturally.
  2. Verify that POP3 retrieval resumes by checking the debug log:
    {pop3c} Processing account 'user@example.com' on 'mail.example.com'
    {pop3c} Retrieving message no. 1 ...
    {pop3c} Message delivered to user@example.com

Additional Information

  • Kerio Connect's own antivirus, antispam, and attachment filter settings do not affect POP3 retrieval — these only apply to SMTP-delivered messages. See Configuring POP3 for Remote Emails and Applying Sorting Rules in Kerio Connect for details.
  • If the same Kerio Connect version on a different server (not behind the firewall) retrieves the same message successfully, it strongly suggests a network-level appliance is interfering.
  • Consider reviewing other high-severity IPS rules that may affect legitimate email traffic, particularly rules in the ET INFO category.

FAQ

Q1: How can I tell whether the POP3 hang is caused by a firewall or a Kerio Connect bug?
A1: Test POP3 retrieval from a machine that bypasses the firewall (e.g., via telnet to port 110 on the remote server from a different network). If the message downloads successfully, the issue is network-level. Then check your firewall's IPS/security event logs for dropped packets matching the remote POP3 server IP and port.

Q2: Will disabling IPS rule 1:2014154 create a security risk?
A2: This rule flags PDFs containing JavaScript subforms, which are common in legitimate business documents (invoices, order forms). Disabling this single rule has minimal security impact, especially if your endpoint security (antivirus on workstations) is active. Alternatively, use Option B to limit the exception to POP3 traffic only.

Q3: The POP3 retriever is still stuck after I fixed the IPS rule. What should I do?
A3: The stuck POP3 retrieval thread may persist until the Kerio Connect service is restarted. Restart the service, then trigger a manual POP3 retrieval from Configuration > Delivery > POP3 Download > Receive Now to confirm the fix.

  1. Ciprian Nastase