On Fri, Apr 15, 2011 at 08:57:19AM +0200, Alexander Gr?ner wrote:

> I am running SLES 11 SP1 (SuSE Linux Enterprise Server). After all patches 
> are applied from standard update Novell sources it seems to me that 
> STARTTLS bug is still unfixed.
>
> mail_version = 2.5.6

Unless they (SuSE) backported the fix, 2.5.6 was vulnerable.

> Nessus sent the following two commands in a single packet :
>
> STARTTLS\r\nRSET\r\n
> And the server sent the following two responses :
> 220 2.0.0 Ready to start TLS
> 250 2.0.0 Ok

This confirms the issue.

> Am I doing something wrong in general or with my updates (it seems to work 
> as far as I know) ? Should I take another version like this one: 
> http://download.opensuse.org/repositories/server:/mail/SLE_11/x86_64/ ?
>
> I verified this issue on another of my servers with same results...
>
> Thank you for an answer in advance and best regards,

The right forum is a SuSE support forum. The postfix-users list is for
Postfix issues, this is a fixed issue in Postfix, so getting your OS
distribution to adopt the fix is a non-Postfix issue.

This said, very few sites are vulnerable to this. Your server needs to
be patched if either:

    - remote sites verify your certificate when sending email over TLS.

    - roaming users submit mail via TLS (typically on port 587) and their
      MUA verifies your certificate, and don't ignore certificate verification
      failures.

If neither is the case, the fix does not resolve any security issues, since
unauthenticated TLS is still subject to (more substantive) MITM attacks.

-- 
        Viktor.
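A toy model of the bug discussed above and of the kind of fix Viktor refers to, added here as an illustration and not Postfix's own code: the server loop executes every CRLF-terminated line already in its read buffer, so a plaintext command glued to STARTTLS runs after the "220" even though it was never covered by TLS; the fixed loop discards the read-ahead buffer once STARTTLS is accepted. The TLS handshake itself is replaced by a flag, and `looks_vulnerable` encodes the scanner heuristic from the quoted Nessus output.

```python
from typing import Dict, List


def _handle(cmd: str, session: Dict[str, bool]) -> str:
    """Minimal replies for the few commands this toy server needs."""
    verb = cmd.split(" ", 1)[0].upper()
    if verb == "STARTTLS":
        if session["tls"]:
            return "554 5.5.1 Error: TLS already active"
        session["tls"] = True  # real server would run the handshake here
        return "220 2.0.0 Ready to start TLS"
    if verb in ("RSET", "NOOP"):
        return "250 2.0.0 Ok"
    return "502 5.5.2 Error: command not recognized"


def serve_packet(packet: bytes, fixed: bool) -> List[str]:
    """Process one TCP segment of plaintext SMTP input from a new session.

    fixed=False: every buffered line is executed, including plaintext that
    arrived in the same segment as STARTTLS (the injection the scanner saw).
    fixed=True: read-ahead data is dropped when STARTTLS succeeds, so those
    commands can only take effect if the client resends them inside TLS.
    Ordinary pipelining of non-STARTTLS commands is unaffected.
    """
    session = {"tls": False}
    replies: List[str] = []
    buf = packet.decode("ascii", errors="replace")
    while "\r\n" in buf:
        line, buf = buf.split("\r\n", 1)
        reply = _handle(line, session)
        replies.append(reply)
        if fixed and reply.startswith("220"):
            buf = ""  # discard plaintext read ahead of the handshake
    return replies


def looks_vulnerable(replies: List[str]) -> bool:
    """Scanner heuristic from the thread: STARTTLS accepted (220) and the
    pipelined plaintext command still answered (250) in the same exchange."""
    return (len(replies) >= 2
            and replies[0].startswith("220")
            and replies[1].startswith("250"))


if __name__ == "__main__":
    probe = b"STARTTLS\r\nRSET\r\n"  # the two-command packet quoted above
    for fixed in (False, True):
        r = serve_packet(probe, fixed)
        print("fixed" if fixed else "unpatched", r, looks_vulnerable(r))
```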
