Hello,

I am running SLES 11 SP1 (SuSE Linux Enterprise Server). After applying all patches from the standard Novell update sources, it seems to me that the STARTTLS bug is still unfixed.

postconf | grep mail_version
mail_version = 2.5.6

rpm -qa | grep postfix
postfix-devel-2.5.6-5.4.21
postfix-doc-2.5.6-5.4.21
postfix-2.5.6-5.4.21

more /etc/SuSE-release
SUSE Linux Enterprise Server 11 (x86_64)
VERSION = 11
PATCHLEVEL = 1

zypper lu
Loading repository data...
Reading installed packages...
No updates found.


A security scan with Nessus said:

Synopsis:
The remote mail service allows plaintext command injection while negotiating an encrypted communications channel....
...
Plugin output:
Nessus sent the following two commands in a single packet :

STARTTLS\r\nRSET\r\n
And the server sent the following two responses :
220 2.0.0 Ready to start TLS
250 2.0.0 Ok


Am I doing something wrong in general or with my updates (it seems to work as far as I know)? Should I take another version like this one: http://download.opensuse.org/repositories/server:/mail/SLE_11/x86_64/ ?

I verified this issue on another of my servers with the same results...

Thank you for an answer in advance and best regards,
Alexander
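
The Nessus finding quoted in the message above, modelled as an added example that is not part of the original post and is not Postfix code: a toy in-memory SMTP command loop showing why bytes buffered before the TLS handshake get answered afterwards, and how purging the read buffer at STARTTLS stops it. The function name, the `purge_after_starttls` switch and the 502 reply text are assumptions made for illustration.

```python
# Added illustration (hypothetical names, not Postfix source): a toy SMTP
# command loop fed with ONE plaintext network read, as in the Nessus probe.

# Constructed sample input: the two commands Nessus sent in a single packet.
SAMPLE_PACKET = b"STARTTLS\r\nRSET\r\n"


def handle_plaintext_packet(packet, purge_after_starttls):
    """Process one plaintext read and return (replies, carried_over).

    replies      -- SMTP replies in the order the server would send them
    carried_over -- commands received in plaintext but handled as if they
                    had arrived inside the TLS session
    """
    buffer = packet              # everything the socket read returned
    replies, carried_over = [], []
    tls_active = False

    while b"\r\n" in buffer:
        line, buffer = buffer.split(b"\r\n", 1)
        verb = line.decode("ascii", "replace").strip().upper()

        if tls_active:
            # This line was read before the handshake, yet is parsed after it.
            carried_over.append(verb)

        if verb == "STARTTLS" and not tls_active:
            replies.append("220 2.0.0 Ready to start TLS")
            tls_active = True    # the TLS handshake would take place here
            if purge_after_starttls:
                # Hardened behaviour: drop plaintext left in the read buffer.
                buffer = b""
        elif verb == "RSET":
            replies.append("250 2.0.0 Ok")
        else:
            replies.append("502 5.5.2 Error: command not recognized")

    return replies, carried_over


if __name__ == "__main__":
    for purge in (False, True):
        replies, carried = handle_plaintext_packet(SAMPLE_PACKET, purge)
        print("purge=%s replies=%r carried_over=%r" % (purge, replies, carried))
```

With the purge disabled the model returns the same two replies the scan reported; with it enabled only the 220 reply is produced, which is the behaviour to look for when re-scanning after an update.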
