On 10/22/2014 12:18 AM, Quinn Comendant wrote:
On Tue, 21 Oct 2014 19:02:09 -0700, Eric Shubert wrote:
In order to disable SSL in dovecot, you could either block the SSL
ports (993, 995) in the firewall, or change /etc/dovecot/toaster.conf
file by adding :!SSLv3 to the list of ciphers:
ssl_cipher_list = ALL:!LOW:!SSLv2:!SSLv3:!EXP:!aNULL:DES-CBC3-SHA

Reconsider disabling SSLv3 ciphers! In OpenSSL they're used by TLSv1.0 and 
TLSv1.1. The TLSv1.1 protocol didn't introduce any new ciphers, it uses SSLv3 
ciphers. If you do this—as far as I've read, I didn't try—TLS for clients that 
don't support at least version 1.2 will stop working.

https://security.stackexchange.com/questions/70832/why-doesnt-the-tls-protocol-work-without-the-sslv3-ciphersuites

The correct action is to disable the SSLv3 protocol itself, if possible. Limiting 
connections to clients capable of => TLSv1.2 might be fine, but I do know how 
many support that; maybe most?

Quinn


Good points, thanks. Given this bit, it would seem that closing the SSL ports, either at the firewall or by restricting the ports dovecot uses by adding a listen option to the pop3 and imap sections, would be effective. Here's the bit from dovecot's example.conf file (which has been somewhat negligently omitted from the QMT dovecot package - my mistake):
# If you want to specify ports for each service, you will need to configure
# these settings inside the protocol imap/pop3 { ... } section, so you can
# specify different ports for IMAP/POP3. For example:
#   protocol imap {
#     listen = *:10143
#     ssl_listen = *:10943
#     ..
#   }
#   protocol pop3 {
#     listen = *:10100
#     ..
#   }
#listen = *

I expect there will always be some confusion about SSL/TLS. The dovecot wiki (http://wiki2.dovecot.org/SSL) explains things pretty well.

I'm still not real clear though on where the poodle vulnerability exactly lies, so I'm a little unsure. What I do know is that Qualys regards the risk as relatively low, so I wouldn't lose any sleep over this one.

Thanks.

--
-Eric 'shubes'
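An added illustration of the two points in the thread, not code from either poster: the first function expands an OpenSSL cipher string the way Dovecot would and counts the surviving suites by the minimum protocol OpenSSL reports for each (the "SSLv3" suites are the ones a TLSv1.0/1.1 client falls back on), and the second is a small lint over a Dovecot config that flags the cipher-list approach and checks for the protocol-level fix. It assumes Dovecot 2.x's ssl_protocols setting; the sample config fragments are constructed.

```python
import ssl
from collections import Counter

def suites_by_min_protocol(cipher_string: str) -> dict:
    """Expand an OpenSSL cipher string and count surviving suites by the
    minimum protocol version OpenSSL reports for each suite. Suites tagged
    'SSLv3' are the legacy ones TLSv1.0/1.1 clients typically negotiate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises SSLError if nothing matches
    return dict(Counter(c["protocol"] for c in ctx.get_ciphers()))

def lint_dovecot_ssl(conf_text: str) -> list:
    """Return warnings for a Dovecot 2.x SSL config: '!SSLv3' in the cipher
    list strips suites rather than the protocol, and the protocol itself
    should be disabled via ssl_protocols (assumed setting name)."""
    settings = {}
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        if "=" in line:
            key, val = line.split("=", 1)
            settings[key.strip()] = val.strip()
    warnings = []
    if "!SSLv3" in settings.get("ssl_cipher_list", "").split(":"):
        warnings.append("ssl_cipher_list: '!SSLv3' removes cipher suites, "
                        "not the SSLv3 protocol; older TLS clients may lose "
                        "the suites they rely on")
    if "!SSLv3" not in settings.get("ssl_protocols", "").split():
        warnings.append("ssl_protocols: SSLv3 still enabled; use "
                        "'ssl_protocols = !SSLv2 !SSLv3'")
    return warnings

# Constructed config fragments: the cipher-list change from the thread,
# and the protocol-level alternative.
CIPHER_LIST_FIX = (
    "ssl = yes\n"
    "ssl_cipher_list = ALL:!LOW:!SSLv2:!SSLv3:!EXP:!aNULL:DES-CBC3-SHA\n"
)
PROTOCOL_FIX = (
    "ssl = yes\n"
    "ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL  # keep legacy suites\n"
    "ssl_protocols = !SSLv2 !SSLv3\n"
)

if __name__ == "__main__":
    for label, conf in (("cipher-list fix", CIPHER_LIST_FIX),
                        ("protocol fix", PROTOCOL_FIX)):
        print(label, lint_dovecot_ssl(conf) or "ok")
    print("ALL:!SSLv3 leaves:", suites_by_min_protocol("ALL:!SSLv3:!aNULL"))
```

The protocol counts depend on the local OpenSSL build and security level, so compare them against `openssl ciphers -v` on the server itself.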

