>Anyone else care to share their cipher lists and a quick explanation of 
why they picked it?


I use:

RC4-SHA:HIGH:!ADH

for both - SMTPS and HTTPS. For HTTPS, I think this is "NOT WEAK" enough. An 
attack against RC4 seems not to be practical at this time. Because my 
ASSP-GUI is only accessible from my local LAN, I don't care about it.

For SMTPS you can use whatever you want. If you accept only TLS1.1 and 
TLS 1.2 ciphers, 5% of the SSL connections will work, the rest will fall 
back to plain text. IMHO it is better to accept a weak cipher than to use 
plain text for SMTP.
If your ASSP-GUI is accessible from the internet (even if only via SSL) - 
create an admin user and grant him all permissions, except for all 
encrypted config parameters - AND NEVER use 'root' to login from the 
internet. Use 'SSLWEBCertVerifyCB' for higher security.

If you really need to kick out US and European secret agencies from 
reading your mails:

1. don't use SSL certificates from CAs located in the US or Europe - (I 
use certs from Israel - the Mossad, Shin Bet and Aman are the lesser evil 
:):):)  )
2. don't use the certificate/key you use in ASSP for any other purpose 
3. don't use an ISP for mail transmission, if you don't encrypt your 
mails 
4. don't trust any "secured" transmission - use S/MIME or PGP or your own 
algorithm with symmetric encryption (preshared keys) to encrypt your mails

Thomas
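The thread compares OpenSSL cipher strings (RC4-SHA:HIGH:!ADH and variants) without showing what they actually expand to. The following is an added example, not code from the list or from ASSP: it expands a cipher string with the local OpenSSL via Python's ssl module and flags, per suite, the properties a defender cares about (RC4, DES/3DES, anonymous key exchange, MD5 MAC, no forward secrecy). The description-line format is the one `openssl ciphers -v` prints; the sample lines in the comments are constructed.

```python
import ssl

# Cipher strings quoted in the thread (constructed set for the example).
CIPHER_STRINGS = {
    "thomas": "RC4-SHA:HIGH:!ADH",
    "doug": "AES256:SHA256:RC4-SHA:HIGH:!ADH",
}


def parse_description(desc):
    """Parse an 'openssl ciphers -v' style line into a dict.

    Constructed example input:
      'RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1'
    The second field is the minimum protocol the suite supports.
    """
    parts = desc.split()
    info = {"name": parts[0], "protocol": parts[1]}
    for field in parts[2:]:
        key, _, value = field.partition("=")
        info[key] = value
    return info


def weaknesses(desc):
    """Return the list of problems a defender would flag for one suite."""
    info = parse_description(desc)
    enc, kx = info.get("Enc", ""), info.get("Kx", "")
    au, mac = info.get("Au", ""), info.get("Mac", "")
    issues = []
    if enc.startswith("RC4"):
        issues.append("rc4")       # biased keystream; prohibited by RFC 7465
    if enc.startswith("3DES") or enc.startswith("DES"):
        issues.append("des")       # 64-bit block (Sweet32) or 56-bit key
    if au == "None":
        issues.append("anon")      # unauthenticated: trivially MITM-able
    if mac == "MD5":
        issues.append("md5")
    if kx == "RSA":
        issues.append("no-pfs")    # static RSA key exchange: no forward secrecy
    return issues


def audit(cipher_string):
    """Expand cipher_string with the local OpenSSL; map suite name -> issues.

    Suites OpenSSL no longer builds (e.g. RC4-SHA on current releases)
    simply do not appear, so the string is effectively what is left.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return {c["name"]: weaknesses(c["description"]) for c in ctx.get_ciphers()}


if __name__ == "__main__":
    for who, spec in CIPHER_STRINGS.items():
        flagged = {n: v for n, v in audit(spec).items() if v}
        print(who, spec, "->", flagged or "no flagged suites")
```

Running it on a current OpenSSL shows that RC4-SHA no longer matches at all, and that most remaining findings are the static-RSA suites that HIGH still allows.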




From:    Colin <[email protected]>
To:      [email protected]
Date:    21.07.2014 10:48
Subject:        Re: [Assp-test] Trying to upgrade ASSPv2



Hi Doug,

I did a quick Google and it looks like you posted the same issue about a 
year ago:

http://www.zimbra.com/forums/administrators/63140-sslv3-alert-bad-record-mac.html


Do you recall what you did to resolve it then? From the other hits out 
there it seems that postfix can be particularly unforgiving to AES 
connections (there are other people talking about having problems 
receiving email from Google via AES with Postfix).

I had RC4-SHA:HIGH as my preferred cipher after the BEAST SSL attacks, 
however with some of the latest revelations I should probably look at 
bringing AES back in.

Anyone else care to share their cipher lists and a quick explanation of 
why they picked it?

Mine is currently the following, and this way because it was the only way 
to gain PCI compliance after the BEAST SSL attack.

RC4-SHA:HIGH:!ADH:!AES256-SHA:!ECDHE-RSA-AES256-SHA384:!AES128-SHA:!DES-CBC3-SHA:!DES-CBC3-MD5:!IDEA-CBC-SHA:!RC4-MD5:!IDEA-CBC-MD5:!RC2-CBC-MD5:!MD5:!aNULL:!EDH:!AESGCM

All the best,
Colin Waring.

On 20/07/2014 14:09, Doug Lytle wrote:
> I have a very old install of ASSPv2 "2.3.4(13136)" running on Debian
> GNU/Linux 6.0.3 (squeeze).
>
> This is for our Zimbra mail server that is also outdated, running on
> Ubuntu 10.04 64bit.  I'd like to update the mail server, but won't
> attempt it until I get the ASSP2 issues resolved.
>
> When building another VM to house the upgraded ASSP and putting it into
> place, I get attachment corruption.  Following the logs on the Zimbra
> side, I see a change in what is being used for the SSL cipher.  It goes
> from the normal:
>
> postfix/smtpd[12152]: Anonymous TLS connection established from
> assp.inet[10.0.0.10]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
>
> To:
>
> postfix/smtpd[11502]: Anonymous TLS connection established from
> assp.inet[10.0.0.10]: TLSv1 with cipher AES128-SHA (128/128 bits)
>
> So,
>
> Reviewing a previous post from Thomas
>
> http://sourceforge.net/p/assp/mailman/message/31259064/
>
> I started playing around with the cipher options on ASSP.  I forced:
>
> AES256:SHA256:RC4-SHA:HIGH:!ADH
>
> Now my logs on the Zimbra server show AES256 and I no longer have
> attachment corruption, but I now am experiencing two different issues.
>
> 1.)  Sending test email from Seamonkey, I may have to hit send a couple
> times before it goes.
> 2.)  I'm seeing the below logs in my Zimbra server:
>
> postfix/smtpd[22112]: warning: TLS library problem:
> 22112:error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad record
> mac:s3_pkt.c:1199:SSL alert number 20
>
> Would this be because I'm missing a required cipher?
>
> Any suggestions would be appreciated.
>
> Doug
>
> ------------------------------------------------------------------------------
> Want fast and easy access to all the code in your enterprise? Index and
> search up to 200,000 lines of code with a free copy of Black Duck
> Code Sight - the same software that powers the world's largest code
> search on Ohloh, the Black Duck Open Hub! Try it now.
> http://p.sf.net/sfu/bds
> _______________________________________________
> Assp-test mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/assp-test

