On 10/15/2014 02:36 PM, Nikolay Mitev wrote:
Hi Team,
How can you exclude SSLv3 for the case POODLE: SSLv3 vulnerability
(CVE-2014-3566) for /SMTPs,POP3s and IMAPs/.
Best regards,
Nikolay
My first overall impression is, no more encrypted email, until this is
fixed. Or you can use encrypted email, and be vulnerable. How bad the
vulnerability is I'm not sure.
This was just announced, so we'll see how fast a patch comes out.
In order to disable SSLv3, you need to change your cyphers list in
/etc/dovecot/toaster.conf file for dovecot, and
/var/qmail/control/tlsserverciphers for qmail-smtpd.
If you turn off SSLv3, that includes TLS, so you'd better turn off plain
and login authentication methods as well. Looks like digest-md5 or
cram-md5 would be the only non-plain-text authentication methods
available. I imagine Dan's loving that. ;)
Hopefully there will be patches forthcoming soon.
Any insights you folks have are welcome. I haven't had time to look into
this much yet.
--
-Eric 'shubes'
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]