Hi List,
Hi dovecot-list,
just an easy question today ;)
A customer ran a PCI test on the server to check that its security meets
WorldPay requirements.
They found a critical risk at pop3s (and some other things).
This is the text message:
############
Family: Remote Shell Access    Critical    993/tcp    11875
Description:
The remote host responded to an unrequested SSL Certificate. The remote
SSL server should have sent back an Error message. This may indicate that
the server is vulnerable to a remote flaw in the way that it handles
unrequested certificates. You should manually inspect the SSL Server's
configuration
############
The background is that we use a wildcard cert which is installed on every
machine and matches the server name. So you have to use the accredited
hostname/server name to make a clean SSL connection over pop3s/imaps without
warnings etc.
The problem should be that the server sends no error when it is requested
with another hostname. This is the significant part of dovecot.conf:
protocols = imap imaps pop3 pop3s
ssl_disable = no
ssl_cert_file = "/path/to/*.myhost.com.crt"
ssl_key_file = "/path/to/*.myhost.com.key"
ssl_ca_file = "/path/to/*.myhost.com.bundle.crt"
Is there a config option to send an error when the SSL connection is not
established to the hostname/server name accredited in the cert? I did not
find something like this, or did not really understand the function of the
options.
I do not know the background of this issue. I can't decide if it is a
security risk or a disproportionate wish of the security experts, but I want
to satisfy this customer.
How to handle this?
Thank you
Andre
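An added example, not part of the thread and not Dovecot code: the hostname
check that the mail client performs against the certificate the server
presents. A server configured with one wildcard cert, as in the dovecot.conf
above, hands that same cert to every client; whether the name the client
connected to is "accredited" is decided on the client side, by matching it
against the cert's dNSName entries. The list CERT_NAMES is constructed to
look like the thread's "*.myhost.com" cert (without a separate entry for the
bare domain); the matching rules are the RFC 6125 rules that mainstream TLS
clients apply: the wildcard must be the whole leftmost label, it covers
exactly one label, and IP literals never match a dNSName.

```python
"""Client-side hostname check against a wildcard certificate (added example).

Assumes a certificate carrying the names in CERT_NAMES (constructed to look
like the thread's "*.myhost.com" cert) and hostnames as a mail client would
type them.  Only a whole-label "*" is treated as a wildcard.
"""
import ipaddress

# Constructed sample: the dNSName list of the wildcard cert.  Many wildcard
# certs also list the bare domain; this one deliberately does not, so
# "myhost.com" itself is NOT covered.
CERT_NAMES = ["*.myhost.com"]


def _label_match(pattern_label: str, host_label: str) -> bool:
    """Match one DNS label.  Only a whole-label '*' is a wildcard."""
    if pattern_label == "*":
        return True
    return pattern_label == host_label


def dnsname_matches(pattern: str, hostname: str) -> bool:
    """Return True if `hostname` satisfies the certificate dNSName `pattern`."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    try:
        ipaddress.ip_address(hostname)
        return False  # IP literals must match iPAddress SANs, never dNSNames
    except ValueError:
        pass
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if len(p_labels) != len(h_labels):
        return False  # '*' covers exactly one label, so "myhost.com" fails
    if "*" in p_labels[1:]:
        return False  # a wildcard is allowed only in the leftmost label
    if p_labels[0] == "*" and len(p_labels) < 3:
        return False  # refuse "*.com"-style wildcards
    return all(_label_match(p, h) for p, h in zip(p_labels, h_labels))


def verify_presented_cert(cert_names, hostname):
    """Decide, as a client does, whether the presented cert fits `hostname`.

    Returns (ok, reason).  The server plays no part in this decision: with a
    single wildcard cert it sends the same cert to every client, regardless
    of the name the client used.
    """
    for name in cert_names:
        if dnsname_matches(name, hostname):
            return True, f"{hostname} matched {name}"
    return False, f"{hostname} matches none of {cert_names}"


if __name__ == "__main__":
    for host in ["mail.myhost.com", "MAIL.MyHost.COM", "myhost.com",
                 "a.b.myhost.com", "192.0.2.10", "mail.example.net"]:
        print(host, verify_presented_cert(CERT_NAMES, host))
```

Running the block shows which names the thread's cert makes "clean": one
label under myhost.com succeeds, the bare domain, a deeper subdomain, an IP
address and a foreign name all fail, and every one of those failures is
raised by the client, not by the server.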
Could the solution be to set ssl_listen to the hostname where dovecot is
running? Pretty easy... O.o
My tests were successful, but I would like to obtain other opinions.
Thanks
Andre