On 10/15/2014 02:36 PM, Nikolay Mitev wrote:
Hi Team,

How can you exclude SSLv3 for the case POODLE: SSLv3 vulnerability
(CVE-2014-3566) for /SMTPs,POP3s and IMAPs/.

Best regards,
Nikolay

My first overall impression is, no more encrypted email, until this is fixed. Or you can use encrypted email, and be vulnerable. How bad the vulnerability is I'm not sure.

This was just announced, so we'll see how fast a patch comes out.

In order to disable SSLv3, you need to change your cyphers list in /etc/dovecot/toaster.conf file for dovecot, and /var/qmail/control/tlsserverciphers for qmail-smtpd.

If you turn off SSLv3, that includes TLS, so you'd better turn off plain and login authentication methods as well. Looks like digest-md5 or cram-md5 would be the only non-plain-text authentication methods available. I imagine Dan's loving that. ;)

Hopefully there will be patches forthcoming soon.

Any insights you folks have are welcome. I haven't had time to look into this much yet.

--
-Eric 'shubes'


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to