On 15.10.2014 at 23:06, Robert Schetterer wrote:
On 15.10.2014 at 22:44, A. Schulze wrote:

Viktor Dukhovni:

POODLE is not an SMTP attack.  No need to panic.  Disabling SSL
3.0 may feel good, but the net effect is slightly negative, since
you'll now use cleartext with SSLv3-only SMTP peers.

to calculate the damage, count:

< inbound >
# grep 'TLS connection established from' /var/log/mail | sed -e 's/^.*\]\: //' -e 's/ with cipher.*//' | sort | uniq -c


< outbound >
# grep 'TLS connection established to' /var/log/mail | sed -e 's/^.*\]:25\: //' -e 's/ with cipher.*//' | sort | uniq -c

Andreas


doesn't look like losing much here

4 SSLv3
   22353 TLSv1

2 SSLv3
   17664 TLSv1

________________________________________

inbound MX

    101 SSLv3
  14550 TLSv1
    616 TLSv1.1
   7306 TLSv1.2
________________________________________

submission server

      1 SSLv3
  10828 TLSv1
      2 TLSv1.1
  29928 TLSv1.2

while I doubt SSLv3 + ECDHE

Oct 3 23:43:21 mail postfix/smtps/smtpd[30237]: Anonymous TLS connection established from unknown[93.120.27.62]: SSLv3 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
________________________________________

only incoming connections (logwatch doesn't like 2.11 outgoing logging)

that is the user where I know Outlook 2003 on Windows 7
Anonymous TLS connection established from ****: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)

on the other hand *that* is Outlook 2003 on Windows XP
Anonymous TLS connection established from ****: TLSv1 with cipher DES-CBC3-SHA (168/168 bits)

but when I change the Dovecot config below and add :!SSLv3, it no longer connects to POP3S/IMAPS, and the main difference here is that it doesn't support STARTTLS but 993/995, which could point to some bug in Outlook

ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-CAMELLIA256-SHA:CAMELLIA128-SHA:CAMELLIA256-SHA:ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA:!SSLv2
ssl_prefer_server_ciphers = yes
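The grep/sed counting quoted earlier in this thread, as an added Python example (not code from any of the posters): it parses Postfix "TLS connection established" lines for both smtpd (inbound) and smtp (outbound), tallies protocol versions per direction, and lists the peers that still negotiate SSLv3, so the cleartext fallback Viktor mentions can be sized per peer rather than only as a total. The log lines embedded below are constructed samples with documentation addresses.

```python
import re
import sys
from collections import Counter, defaultdict

# Inbound lines end "... from host[ip]: PROTO with cipher ...", outbound lines
# "... to host[ip]:25: PROTO with cipher ..."; the optional port group absorbs ":25".
TLS_LINE = re.compile(
    r"TLS connection established (?P<dir>from|to) "
    r"(?P<peer>[^\s\[]+\[[^\]]+\])(?::\d+)?: "
    r"(?P<proto>[A-Za-z0-9.]+) with cipher (?P<cipher>\S+)"
)

# Constructed sample in the Postfix 2.x format shown in the thread (RFC 5737 addresses).
SAMPLE_LOG = """\
Oct  3 23:43:21 mail postfix/smtps/smtpd[30237]: Anonymous TLS connection established from unknown[192.0.2.7]: SSLv3 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Oct  3 23:44:02 mail postfix/smtpd[30240]: Anonymous TLS connection established from mail.example.net[198.51.100.5]: TLSv1 with cipher DES-CBC3-SHA (168/168 bits)
Oct  3 23:44:09 mail postfix/smtpd[30241]: Trusted TLS connection established from mx.example.org[198.51.100.9]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Oct  3 23:45:30 mail postfix/smtp[30250]: Untrusted TLS connection established to relay.example.com[203.0.113.2]:25: TLSv1.2 with cipher AES256-GCM-SHA384 (256/256 bits)
Oct  3 23:46:11 mail postfix/smtp[30251]: Anonymous TLS connection established to old.example.com[203.0.113.8]:25: SSLv3 with cipher AES128-SHA (128/128 bits)
Oct  3 23:46:12 mail postfix/smtp[30251]: 1A2B3C4D5E: to=<user@example.com>, relay=old.example.com[203.0.113.8]:25, status=sent (250 Ok)
"""


def tally(lines):
    """Return (counts, peers): protocol counters and the set of peers per protocol,
    keyed by direction ("from" = inbound smtpd, "to" = outbound smtp)."""
    counts = {"from": Counter(), "to": Counter()}
    peers = {"from": defaultdict(set), "to": defaultdict(set)}
    for line in lines:
        m = TLS_LINE.search(line)
        if not m:
            continue  # delivery/status lines and anything else are skipped
        direction, proto = m.group("dir"), m.group("proto")
        counts[direction][proto] += 1
        peers[direction][proto].add(m.group("peer"))
    return counts, peers


def legacy_peers(peers, protos=("SSLv3", "SSLv2")):
    """Peers per direction that would drop to cleartext if these protocols were disabled."""
    return {d: sorted(p for proto in protos for p in peers[d][proto]) for d in peers}


if __name__ == "__main__":
    # Pipe a real maillog in on stdin; without input the constructed sample is used.
    src = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG.splitlines()
    counts, peers = tally(src)
    for d in ("from", "to"):
        print(d, dict(counts[d]), "legacy:", legacy_peers(peers)[d])
```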
