On Mon, May 13, 2013 at 05:53:09PM +0200, Andreas Schiermeier wrote:

> our latest external PCI scan found SSL-enabled Postfix SMTP servers
> (2.7.0 running on Ubuntu 10.04 LTS) vulnerable to SSL CRIME attacks
> <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4929>.

Don't listen to brainless auditors wielding checklists. The CRIME attack does not apply to SMTP, because unlike SMTP, there is no javascript in SMTP clients that makes them send thousands of email messages with chosen plaintext compressed together in the same packet with SASL credentials or other sensitive data. The auditor completely failed to take the context into account.

> I've ported Apache httpd patch
> <https://issues.apache.org/bugzilla/show_bug.cgi?id=53219> to Postfix
> 2.10. Please can you have a look at it?

Postfix 2.11 will include the ability to disable compression and session tickets if enabled by default in the OpenSSL library. You should disable compression if it uses too much CPU, and laugh at any claims that SMTP needs "CRIME-prevention". You may disable session tickets if they cause breakage with your favourite NetBSD 5.1 MTA.

The patch is unlikely to get adopted as a non-configurable work-around for a non-problem.

-- 
Viktor.
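An added check, not from Viktor's reply or from the Postfix project: a small POSIX shell script that reads the output of `openssl s_client -starttls smtp` against your own MTA and reports whether the handshake negotiated TLS compression or issued a session ticket, which is exactly what a scanner flagging CRIME is looking at. It assumes OpenSSL's `s_client` is installed; the host and port are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: summarize what an SMTP server's
# STARTTLS handshake negotiated (TLS compression, session tickets) so you can
# see what a scanner flags before and after changing the MTA configuration.
# Assumes OpenSSL's s_client is installed; host and port are placeholders.

# Read `openssl s_client` output on stdin and print one summary line:
#   compression=yes|no ticket=yes|no
# Exit status: 0 when neither was seen, 1 when compression was negotiated,
# 2 when only a session ticket was issued.
summarize_handshake() {
    out=$(cat)
    compression=no
    ticket=no
    # s_client prints "Compression: zlib compression" at top level and
    # "Compression: 1 (zlib compression)" inside the SSL-Session block;
    # "Compression: NONE" / "Compression: 0 (none)" mean no compression.
    if printf '%s\n' "$out" | grep -i '^ *Compression:' | grep -iq 'zlib'; then
        compression=yes
    fi
    # A server that issues session tickets (RFC 5077) makes s_client print
    # a "TLS session ticket:" hex dump inside the SSL-Session block.
    if printf '%s\n' "$out" | grep -q '^ *TLS session ticket:'; then
        ticket=yes
    fi
    echo "compression=$compression ticket=$ticket"
    [ "$compression" = yes ] && return 1
    [ "$ticket" = yes ] && return 2
    return 0
}

# Run a STARTTLS handshake against your own MTA and summarize it.
# Usage: check_smtp_tls mail.example.com 25   (placeholder host and port)
check_smtp_tls() {
    openssl s_client -starttls smtp -connect "${1:-localhost}:${2:-25}" \
        </dev/null 2>/dev/null | summarize_handshake
}
```

In Postfix 2.11 and later the `tls_ssl_options` parameter accepts `NO_COMPRESSION` and `NO_TICKET` (from the Postfix documentation, not from this thread); rerunning the check after changing it shows the effect.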