Hi List,

Hi dovecot-list,

just an easy question today ;)

Our customer ran a PCI test on the server to check security against WorldPay requirements.

They found a critical risk at pop3s (and some other things).

This is the text message:
Family: Remote Shell Access Critical 993/tcp 11875
The remote host responded to an unrequested SSL Certificate. The remote SSL server should have sent back an Error message. This may indicate that the server is vulnerable to a remote flaw in the way that it handles unrequested certificates. You should manually inspect the SSL Server's configuration

Background is that we use a wildcard cert which is installed on every machine and fits the server name. So you have to use the accredited hostname/server name to make a clean SSL connection (pop3s/imaps) without warnings etc. The problem should be that the server sends no error when requested with another hostname. This is the significant part from dovecot.conf:

protocols = imap imaps pop3 pop3s
ssl_disable = no
ssl_cert_file = "/path/to/*.myhost.com.crt"
ssl_key_file = "/path/to/*.myhost.com.key"
ssl_ca_file = "/path/to/*.myhost.com.bundle.crt"

Is there a config option to send an error when the SSL connection is not established to the hostname/server name accredited in the cert? I did not find something like this, or did not really understand the function of the options.

I do not know the background of this issue. I can't decide if it would be a security risk or disproportionate wishes of security experts, but I want to satisfy this customer.
How to handle this?

Thank you

Could the solution be to set ssl_listen to the hostname where dovecot is running? Pretty easy... O.o
My tests were successful but I would like to obtain other opinions..
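What the scanner describes can be checked from the client side: in a TLS handshake the server always presents its certificate, and it is the client that verifies the certificate's names against the hostname it intended to reach (the name it sends in SNI). A wildcard name such as `*.myhost.com` covers exactly one label, so `mail.myhost.com` matches while `myhost.com` or `a.b.myhost.com` do not. The script below is an added example, not code from the original post or from Dovecot: it implements that matching rule and probes a pop3s/imaps port with full verification so a mismatch shows up as a verification error. All hostnames and certificate names in it are constructed for the demonstration.

```python
"""Check whether a (wildcard) certificate name covers a hostname, and probe a
TLS service with hostname verification enabled.

Added example; the certificate names and hostnames are constructed.
"""
import socket
import ssl
from typing import Iterable, Optional


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Return True if a certificate DNS name covers hostname.

    Applies the RFC 6125 rule that Python's ssl module and browsers use:
    a wildcard may only be the entire left-most label and matches exactly
    one label. Comparison is case-insensitive; trailing dots are ignored.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        # No wildcard: exact match only.
        return pattern == hostname
    plabels = pattern.split(".")
    hlabels = hostname.split(".")
    if len(plabels) != len(hlabels):
        # '*.myhost.com' does not cover 'myhost.com' or 'a.b.myhost.com'.
        return False
    # The wildcard must match a non-empty label; the rest must be identical.
    return hlabels[0] != "" and plabels[1:] == hlabels[1:]


def cert_covers_host(cert_names: Iterable[str], hostname: str) -> bool:
    """True if any DNS name from the certificate (SAN entries) covers hostname."""
    return any(wildcard_matches(name, hostname) for name in cert_names)


def probe_tls(host: str, port: int = 993,
              server_hostname: Optional[str] = None, timeout: float = 5.0) -> dict:
    """Connect with certificate and hostname verification and report the outcome.

    server_hostname is sent as SNI and used for hostname verification; it
    defaults to host. Connecting to the service under a name the certificate
    does not cover yields an SSLCertVerificationError, which is the client-side
    view of the 'unrequested certificate' finding.
    """
    ctx = ssl.create_default_context()  # verifies chain and hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=server_hostname or host) as tls:
                cert = tls.getpeercert()
                names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
                return {"ok": True, "names": names, "version": tls.version()}
    except ssl.SSLCertVerificationError as exc:
        return {"ok": False, "error": exc.verify_message}
    except OSError as exc:
        return {"ok": False, "error": str(exc)}


if __name__ == "__main__":
    # Constructed names: a wildcard cert for *.myhost.com covers mail.myhost.com only.
    san = ["*.myhost.com"]
    for name in ("mail.myhost.com", "myhost.com", "a.b.myhost.com"):
        print(f"{name:18} covered: {cert_covers_host(san, name)}")
    # Live probe (replace with a real host to run): probe_tls("mail.myhost.com", 993)
```

`probe_tls` deliberately keeps the default context, so a self-signed or incomplete chain is also reported as a failure; pass the name clients are supposed to use (the "accredited" hostname) as `server_hostname` to confirm the configured certificate verifies cleanly.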

