Quoting Victor Duchovni <victor.ducho...@morganstanley.com>:
> On Fri, Apr 15, 2011 at 08:57:19AM +0200, Alexander Gr?ner wrote:
>
>> I am running SLES 11 SP1 (SuSE Linux Enterprise Server). After all patches are applied from the standard Novell update sources it seems to me that the STARTTLS bug is still unfixed.
>>
>> mail_version = 2.5.6
>
> Unless they (SuSE) backported the fix, 2.5.6 was vulnerable.
>
>> Nessus sent the following two commands in a single packet:
>>
>> STARTTLS\r\nRSET\r\n
>>
>> And the server sent the following two responses:
>>
>> 220 2.0.0 Ready to start TLS
>> 250 2.0.0 Ok
>
> This confirms the issue.
>
>> Am I doing something wrong in general or with my updates (it seems to work as far as I know)? Should I take another version like this one: http://download.opensuse.org/repositories/server:/mail/SLE_11/x86_64/ ? I verified this issue on another of my servers with the same results... Thank you for an answer in advance and best regards,
>
> The right forum is a SuSE support forum. The postfix-users list is for Postfix issues; this is a fixed issue in Postfix, so getting your OS distribution to adopt the fix is a non-Postfix issue.
>
> This said, very few sites are vulnerable to this. Your server needs to be patched if either:
>
> - remote sites verify your certificate when sending email over TLS.
> - roaming users submit mail via TLS (typically on port 587) and their MUA verifies your certificate, and doesn't ignore certificate verification failures.
This is the recommended submission setup and the most common MUAs (Thunderbird, Outlook, Evolution etc.) will not ignore certificate verification failures, no?
So every public submission service that is correctly set up is affected...

Regards
Andreas
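The probe quoted above (STARTTLS and RSET in one packet) works because a server that has already read ahead past the STARTTLS line keeps those plaintext bytes in its input buffer and parses them after the TLS handshake, as if they had arrived encrypted. The following toy model is an added example for this thread, not Postfix or SuSE code and not the Nessus plugin; it does no networking or real TLS, only the buffer handling around STARTTLS, and contrasts the vulnerable read-ahead policy with the fix of discarding buffered plaintext before the handshake. The packet contents are constructed from the exchange quoted in the thread.

```python
# Toy model of an SMTP server's input buffering around STARTTLS.
# Added example: not Postfix code, no sockets, no real TLS handshake.
# Every command the server executes is recorded together with the
# TLS state at execution time, so the two policies can be compared.

from dataclasses import dataclass, field

# The probe from the thread, sent as a single packet (constructed).
PROBE = [b"STARTTLS\r\nRSET\r\n"]


@dataclass
class Session:
    tls_active: bool = False
    pending: bytes = b""                            # read-ahead not yet parsed
    executed: list = field(default_factory=list)    # (command, tls_active)
    responses: list = field(default_factory=list)   # replies in order sent


def smtp_reply(sess, cmd):
    """Minimal command handling; only what the example needs."""
    if cmd == "STARTTLS":            # only reached when TLS is already up
        return "554 5.5.1 Error: TLS already active"
    if cmd in ("RSET", "NOOP"):
        return "250 2.0.0 Ok"
    if cmd == "QUIT":
        return "221 2.0.0 Bye"
    return "502 5.5.2 Error: command not recognized"


def run_session(plaintext_packets, tls_packets, discard_on_starttls):
    """Feed plaintext packets; after STARTTLS switch to the TLS packets.

    discard_on_starttls=True models the fix: whatever was read from the
    socket together with the STARTTLS line is dropped before the handshake,
    so plaintext bytes can never be executed as TLS-protected commands.
    """
    sess = Session()
    queue = list(plaintext_packets)
    while queue:
        sess.pending += queue.pop(0)
        while b"\r\n" in sess.pending:
            line, _, sess.pending = sess.pending.partition(b"\r\n")
            cmd = line.decode("ascii", "replace").strip().upper()
            if cmd == "STARTTLS" and not sess.tls_active:
                sess.responses.append("220 2.0.0 Ready to start TLS")
                if discard_on_starttls:
                    sess.pending = b""          # the fix: drop read-ahead
                sess.tls_active = True          # handshake would happen here
                queue = list(tls_packets)       # further input is decrypted
                continue                        # keep parsing what is buffered
            sess.executed.append((cmd, sess.tls_active))
            sess.responses.append(smtp_reply(sess, cmd))
    return sess


def plaintext_commands_run_under_tls(sess, plaintext_packets):
    """Commands executed with TLS active that were sent in the clear."""
    clear = b"".join(plaintext_packets).split(b"STARTTLS\r\n", 1)[-1]
    injected = {l.decode().strip().upper() for l in clear.split(b"\r\n") if l}
    return [c for c, over_tls in sess.executed if over_tls and c in injected]


if __name__ == "__main__":
    after_handshake = [b"NOOP\r\n"]   # what the client sends inside TLS
    for fixed in (False, True):
        s = run_session(PROBE, after_handshake, discard_on_starttls=fixed)
        print("fixed" if fixed else "vulnerable", s.executed,
              plaintext_commands_run_under_tls(s, PROBE))
```

In the vulnerable run the RSET that arrived in plaintext is executed with TLS marked active and answered with 250, which is exactly the second reply the probe looks for; with the buffer discarded, only commands that actually came through the TLS layer are executed. The same defensive rule applies to any STARTTLS-capable server (SMTP, IMAP, POP3, FTP): never carry plaintext read-ahead across the handshake.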