Hi there! How severe is this bug? I'm running a few Zimbra servers and it seems like it's there:

  % telnet 0 25
  220 myzimbra ESMTP Postfix
  starttls
  220 2.0.0 Ready to start TLS

  % telnet 0 587
  220 myzimbra ESMTP Postfix
  starttls
  220 2.0.0 Ready to start TLS

Should I disable it for now? Is there a particular parameter (or parameters) within Postfix? It seems to me it's kind of blended with the regular TLS settings...

Thanks,
W.S.
--- On Tue, 3/8/11, Wietse Venema <wie...@porcupine.org> wrote:

From: Wietse Venema <wie...@porcupine.org>
Subject: Re: STARTTLS bug - background story
To: postfix-users@postfix.org
Date: Tuesday, March 8, 2011, 6:45 AM

Victor Duchovni:
> On Tue, Mar 08, 2011 at 12:59:15PM +1100, Brad Hards wrote:
>
> > On Tue, 8 Mar 2011 07:08:09 am Wietse Venema wrote:
> > > This is a writeup about a flaw that I found recently, and that
> > > existed in multiple implementations of SMTP (Simple Mail Transfer
> > > Protocol) over TLS (Transport Layer Security) including my Postfix
> > > open source mailserver. I give an overview of the problem and its
> > > impact, technical background, how to find out if a server is affected,
> > > fixes, and draw lessons about where we can expect similar problems
> > > now or in the future. A time line is at the end.
> >
> > Thanks for the write-up.
>
> It is a bit disappointing that very few of the potentially impacted
> vendors, and some definitely impacted vendors are yet to respond to
> the vulnerability:
>
> http://www.kb.cert.org/vuls/id/555316
>
> Some email appliance vendors are not on the list. Apart from Postfix,
> Qmail, and some large mailbox hosting providers, which are already
> fixed, the issue will likely linger in less visible products for
> some time...

It's easy enough to make the one-line change to openssl source, so
that people can check for this now if they are concerned.

I would expect that penetration test toolkits will eventually look
for starttls plaintext injection vulnerabilities. But that may take
a while.

Publishing "shame" lists on the web is better done by people who
work for organizations with no commercial interest in the issue.

	Wietse