Thomas

Thanks for your replies on this, but I don't totally understand why it's not
actually an issue. I understand that the connection between EXIM and ASSP
doesn't matter at all.

Doesn't the connection between the sender and the server use SSLv3? And
this connection presumably traverses a few routers before it gets to my
server? If that's the case, would it not then be possible (I know it's still
highly unlikely) for this to occur?

I assume I am missing something, so your clarification would greatly help.

Also, when I set the connection to TLS, incoming messages that for some
reason are still using SSLv3 just failed altogether; they didn't get
downgraded, and nothing got logged about them.

Would this be an acceptable format for the SSL settings:

TLSv1:SSLv2/3:!SSLv2

With this, would connections try to use TLS first?


Thanks!

John
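Since the question above hinges on what an SSL_version string actually selects, here is an added example (my own code, not ASSP's and not IO::Socket::SSL's) that mirrors the token grammar IO::Socket::SSL documents for its SSL_version option, on the assumption that ASSP hands its SSL_version setting to IO::Socket::SSL unchanged: exactly one un-negated token picks the OpenSSL handshake method (SSLv23, also spelled SSLv2/3, negotiates the highest version both sides support; any other name pins that single version, so TLSv1 means TLS 1.0 only), and the remaining tokens must be "!version" exclusions. The function resolves a string to the versions that can still end up on the wire, flags whether SSLv3 is among them, and rejects a string that names two methods.

```python
import re

# Token grammar mirrored from IO::Socket::SSL's SSL_version parsing (assumption: ASSP passes
# the setting through unchanged). One un-negated token picks the handshake method;
# "!<version>" tokens switch individual versions off.
TOKEN_RE = re.compile(
    r"^(?P<neg>!?)(?P<name>SSLv2/3|SSLv23|SSLv2|SSLv3|TLSv1(?:_?[12])?)$", re.IGNORECASE
)
# Canonical names, oldest first. OpenSSL's SSLv23 method negotiates the highest one both
# sides support; every other method speaks exactly that one version (TLSv1 == TLS 1.0 only).
ALL_VERSIONS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1_1", "TLSv1_2"]


def _canonical(name):
    """Map an accepted spelling (SSLv2/3, tlsv12, TLSv1_1, ...) to its canonical name."""
    n = name.lower().replace("/", "")          # SSLv2/3 -> sslv23
    if n == "sslv23":
        return "SSLv23"
    if n.startswith("tlsv1") and len(n) > 5:
        return "TLSv1_" + n[-1]                # tlsv11 / tlsv1_1 -> TLSv1_1
    return {"sslv2": "SSLv2", "sslv3": "SSLv3", "tlsv1": "TLSv1"}[n]


def resolve_ssl_version(spec):
    """Return (method, enabled_versions) for an SSL_version string, or raise ValueError
    when IO::Socket::SSL would reject the string."""
    method, excluded = None, set()
    for token in re.split(r"\s*:\s*", spec.strip()):
        m = TOKEN_RE.match(token)
        if not m:
            raise ValueError(f"invalid SSL_version token {token!r}")
        name = _canonical(m.group("name"))
        if m.group("neg"):
            if name == "SSLv23":
                raise ValueError("cannot negate SSLv23; negate single versions instead")
            excluded.add(name)
        elif method is not None and method != name:
            raise ValueError(
                f"cannot set multiple SSL protocols in SSL_version ({method} and {name})"
            )
        else:
            method = name
    if method is None:
        raise ValueError("no handshake method given")
    candidates = ALL_VERSIONS if method == "SSLv23" else [method]
    enabled = [v for v in candidates if v not in excluded]
    if not enabled:
        raise ValueError(f"{spec!r} disables every version its method could speak")
    return method, enabled


def poodle_exposed(spec):
    """True when SSLv3 can still be negotiated, i.e. the POODLE downgrade target is live."""
    return "SSLv3" in resolve_ssl_version(spec)[1]


if __name__ == "__main__":
    for spec in ["SSLv23:!SSLv2:!SSLv3", "TLSv1:!SSLv2:!SSLv3", "SSLv23:!SSLv2",
                 "TLSv1:SSLv2/3:!SSLv2"]:
        try:
            print(spec, "->", resolve_ssl_version(spec), "POODLE:", poodle_exposed(spec))
        except ValueError as e:
            print(spec, "-> rejected:", e)
```

The form that "tries TLS first and falls back" does not exist in this grammar: SSLv23:!SSLv2:!SSLv3 negotiates among TLS 1.0/1.1/1.2, while a fixed TLSv1 method accepts nothing but TLS 1.0, which is why SSLv3-only peers fail outright rather than being downgraded.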

 


-----Original Message-----
From: Thomas Eckardt [mailto:thomas.ecka...@thockar.com] 
Sent: October-20-14 11:18 AM
To: For Users of ASSP
Subject: Re: [Assp-user] ASSP resendmail problem after switching to TLS only

>due to OpenSSL Poodle bug I switched to TLS only on my servers

this was the background - the top of your post - you've changed the
configuration because of the POODLE bug


now the background behind POODLE:

POODLE is a 'man in the middle' bug, where someone else spoofs the
connection and is able to decode some bytes.

>>>>>Who should become 'man in the middle' between YOUR assp and YOUR 
postfix?????

>....I switched to TLS only on my servers

I've told you ...
 > There is no need to do this. POODLE is no problem for SMTPS.

so, there is no need to change the config because of POODLE

This is all I was trying to tell you.


>error:14094415:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate expired

request a new cert (if you use your own) or

- stop assp
- remove/rename the files from the 'certs' folder
- start assp

assp V2 will create new certs and keys at startup 

or simply disable certificate validation in postfix

Thomas
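The error code Thomas quotes carries more than the reason text. As an added example (my own code, not ASSP's or Postfix's), here is a decoder for Postfix "TLS library problem" lines: it unpacks the OpenSSL 1.x packed error code into its 8-bit library, 12-bit function and 12-bit reason fields, recovers the TLS alert number from the reason (OpenSSL reports a received alert N as SSL reason 1000+N), cross-checks it against the "SSL alert number" the log prints, and names the alert from the RFC 5246 table. The detail a practitioner wants from this is which side rejected which certificate: OpenSSL raises "sslv3 alert certificate expired" only for an alert it received, so the process that logs it is the one whose certificate the peer refused. The first sample line is the thread's smtpd line rejoined onto one line; the second is a constructed no-shared-cipher failure for contrast.

```python
import re

# TLS AlertDescription values (RFC 5246 section 7.2.2 plus the SSLv3-era ones OpenSSL names).
ALERT_NAMES = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    21: "decryption_failed", 22: "record_overflow", 30: "decompression_failure",
    40: "handshake_failure", 41: "no_certificate", 42: "bad_certificate",
    43: "unsupported_certificate", 44: "certificate_revoked", 45: "certificate_expired",
    46: "certificate_unknown", 47: "illegal_parameter", 48: "unknown_ca",
    49: "access_denied", 50: "decode_error", 51: "decrypt_error",
    60: "export_restriction", 70: "protocol_version", 71: "insufficient_security",
    80: "internal_error", 90: "user_canceled", 100: "no_renegotiation",
    110: "unsupported_extension",
}
# Alerts whose meaning is "I rejected the certificate you presented to me".
CERT_ALERTS = {42, 43, 44, 45, 46, 48}
ERR_LIB_SSL = 20              # OpenSSL ERR_LIB_SSL
SSL_AD_REASON_OFFSET = 1000   # a received alert N is reported as SSL reason 1000+N

LOG_RE = re.compile(
    r"postfix/(?P<service>smtpd?)\[(?P<pid>\d+)\]: warning: TLS library problem: "
    r"\d+:error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):(?P<func>[^:]*):(?P<reason>[^:]*):"
    r"(?:[^:]*:\d+:)?(?:SSL alert number (?P<alert>\d+):)?"
)


def decode_openssl_error(code_hex):
    """Split a packed OpenSSL 1.x error code: 8-bit library, 12-bit function, 12-bit reason."""
    code = int(code_hex, 16)
    lib, func, reason = (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF
    alert = None
    if lib == ERR_LIB_SSL and reason >= SSL_AD_REASON_OFFSET:
        alert = reason - SSL_AD_REASON_OFFSET
    return {"lib": lib, "func": func, "reason": reason, "alert": alert}


def analyze_postfix_tls_line(line):
    """Return a dict describing a Postfix 'TLS library problem' line, or None for other lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    decoded = decode_openssl_error(m.group("code"))
    alert = decoded["alert"]
    if m.group("alert") is not None and alert is not None and int(m.group("alert")) != alert:
        raise ValueError("'SSL alert number' in the log text disagrees with the error code")
    return {
        "service": m.group("service"),
        "pid": int(m.group("pid")),
        "openssl_function": m.group("func"),
        "reason_text": m.group("reason"),
        "alert": alert,
        "alert_name": ALERT_NAMES.get(alert) if alert is not None else None,
        # An "sslv3 alert ..." / "tlsv1 alert ..." reason is raised by OpenSSL when it RECEIVES
        # an alert: the peer sent it, and the logging side is the one being complained about.
        "alert_received_from_peer": alert is not None,
        "peer_rejected_local_certificate": alert in CERT_ALERTS,
    }


# Constructed sample lines: the thread's smtpd line rejoined onto one line, a made-up
# no-shared-cipher failure, and an ordinary disconnect line that must be ignored.
SAMPLE_LINES = [
    "Oct 20 08:58:16 squeeze postfix/smtpd[2891]: warning: TLS library problem: "
    "2891:error:14094415:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate expired:"
    "s3_pkt.c:1258:SSL alert number 45:",
    "Oct 20 09:00:00 squeeze postfix/smtpd[2899]: warning: TLS library problem: "
    "2899:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:1417:",
    "Oct 20 08:58:16 squeeze postfix/smtpd[2891]: disconnect from localhost.localdomain[127.0.0.1]",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(analyze_postfix_tls_line(line))
```

Run over the thread's line, this reports that smtpd on 127.0.0.1:225 received alert 45 from the process connecting to it, so the certificate Postfix presents on that port is worth checking alongside the ASSP certs that the steps above regenerate.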



From:    Miroslav Šebek <se...@hako.sk>
To:      For Users of ASSP <assp-user@lists.sourceforge.net>
Date:    20.10.2014 12:13
Subject: Re: [Assp-user] ASSP resendmail problem after switching to TLS only



Hi Thomas,

all ISPconfig servers are disabling SSL on HTTP, SMTP, POP, IMAP,
FTP... and so am I

http://www.ispconfig.org/blog/1/entry-135-new-tutorial-how-to-secure-your-ispconfig-3-server-against-the-poodle-ssl-attack/


Who should become 'man in the middle' between YOUR assp and YOUR postfix
?????

If set to "do TLS", ASSP will be the "man in the middle". ASSP will try 
to move both connections in to TLS. All data will be readable to ASSP - 
so all checks could be done. If any of the peers does not support TLS, 
ASSP will ....

Or am I missing something here?

Miro.


On 20.10.2014 at 9:56, Thomas Eckardt wrote:
>> due to OpenSSL Poodle bug I switched to TLS only on my servers
> There is no need to do this. POODLE is no problem for SMTPS.
>
>> Any ideas how to solve this?
> Who should become 'man in the middle' between YOUR assp and YOUR postfix
> ?????
>
> Thomas
>
>
>
>
>
> From:    Miroslav Šebek <se...@hako.sk>
> To:      assp-user@lists.sourceforge.net
> Date:    20.10.2014 09:39
> Subject: [Assp-user] ASSP resendmail problem after switching to TLS only
>
>
>
> 
>
> Hi all,
>
> due to OpenSSL Poodle bug I switched to TLS only on my servers
>
> Config ASSP:
>
> doTLS = doTLS
>
> SSL_version = TLSv1:!SSLv2:!SSLv3
>
> Config Postfix:
>
> smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
> smtpd_tls_protocols = !SSLv2,!SSLv3
> smtp_tls_protocols = !SSLv2,!SSLv3
>
> and from this moment the resendmail function of ASSP is no longer working
>
> Logs ASSP:
> Oct-20-14 08:58:13 [Main_Thread] Info: request to create file:
> RESENDMAIL/18348--71350.EML
> Oct-20-14 08:58:16 [Worker_10000] FROM: <mo...@myserver.tld> denied
> Oct-20-14 08:58:16 [Worker_10000] Can't send data - Bad file descriptor
> Oct-20-14 08:58:16 [Worker_10000] *** send to 127.0.0.1:225
> (smtpDestination [1]) didn't work, trying others...
>
> Logs Postfix:
>
> Oct 20 08:58:16 squeeze postfix/smtpd[2891]: connect from
> localhost.localdomain[127.0.0.1]
> Oct 20 08:58:16 squeeze postfix/smtpd[2891]: SSL_accept error from
> localhost.localdomain[127.0.0.1]: 0
> Oct 20 08:58:16 squeeze postfix/smtpd[2891]: warning: TLS library
> problem: 2891:error:14094415:SSL routines:SSL3_READ_BYTES:sslv3 alert
> certificate expired:s3_pkt.c:1258:SSL alert number 45:
> Oct 20 08:58:16 squeeze postfix/smtpd[2891]: lost connection after
> STARTTLS from localhost.localdomain[127.0.0.1]
> Oct 20 08:58:16 squeeze postfix/smtpd[2891]: disconnect from
> localhost.localdomain[127.0.0.1]
>
> But other mails are coming normally; this error is for resendmail only
>
> Oct-20-14 09:09:09 m-88948-03402 [Worker_1] [TLS-in] [TLS-out]
> [MessageOK] 81.95.XXY.YYY <info@domain1.tld1> to: i...@mydomail.tld
> message ok [Some subject]
>
> Any ideas how to solve this?
>
> Thanks, Miro.
>
> 
>
>
>


----------------------------------------------------------------------------
--
Comprehensive Server Monitoring with Site24x7.
Monitor 10 servers for $9/Month.
Get alerted through email, SMS, voice calls or mobile push notifications.
Take corrective actions from your mobile device.
http://p.sf.net/sfu/Zoho
_______________________________________________
Assp-user mailing list
Assp-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-user





