On Wed, 15 Oct 2014, Eric Shubert wrote:
Date: Wed, 15 Oct 2014 15:51:05 -0700
From: Eric Shubert <[email protected]>
Reply-To: [email protected]
To: [email protected]
Subject: [qmailtoaster] Re: Disable SSLv3, POODLE: SSLv3 vulnerability
On 10/15/2014 02:36 PM, Nikolay Mitev wrote:
Hi Team,
How can you exclude SSLv3 for the case POODLE: SSLv3 vulnerability
(CVE-2014-3566) for /SMTPs,POP3s and IMAPs/.
Best regards,
Nikolay
My first overall impression is, no more encrypted email, until this is fixed.
Or you can use encrypted email, and be vulnerable. How bad the vulnerability
is I'm not sure.
This was just announced, so we'll see how fast a patch comes out.
In order to disable SSLv3, you need to change your cyphers list in
/etc/dovecot/toaster.conf file for dovecot, and
/var/qmail/control/tlsserverciphers for qmail-smtpd.
If you turn off SSLv3, that includes TLS, so you'd better turn off plain and
login authentication methods as well. Looks like digest-md5 or cram-md5 would
be the only non-plain-text authentication methods available. I imagine Dan's
loving that. ;)
Hello Eric,
Could be possible to define one control file to populate with the domains
against i donŽt want to do TLS/SSL?
Honestly i have not yet look deeply into qmail-smtpd code to conclude that if
you turn on TLS, it will be active for all smtp transactions and you could avoid
this for some specific domains.
best regards,
--
Abel Lucano ____________________________________________________
GlobalGate Ingeniería
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]