On Wed, 15 Oct 2014, Eric Shubert wrote:

Date: Wed, 15 Oct 2014 15:51:05 -0700
From: Eric Shubert <[email protected]>
Reply-To: [email protected]
To: [email protected]
Subject: [qmailtoaster] Re: Disable SSLv3, POODLE: SSLv3 vulnerability

On 10/15/2014 02:36 PM, Nikolay Mitev wrote:
Hi Team,

How can you exclude SSLv3 for the case POODLE: SSLv3 vulnerability
(CVE-2014-3566) for /SMTPs,POP3s and IMAPs/.

Best regards,
Nikolay

My first overall impression is, no more encrypted email, until this is fixed. Or you can use encrypted email, and be vulnerable. How bad the vulnerability is I'm not sure.

This was just announced, so we'll see how fast a patch comes out.

In order to disable SSLv3, you need to change your cyphers list in /etc/dovecot/toaster.conf file for dovecot, and /var/qmail/control/tlsserverciphers for qmail-smtpd.

If you turn off SSLv3, that includes TLS, so you'd better turn off plain and login authentication methods as well. Looks like digest-md5 or cram-md5 would be the only non-plain-text authentication methods available. I imagine Dan's loving that. ;)



Hello Eric,

Could be possible to define one control file to populate with the domains against i donŽt want to do TLS/SSL?

Honestly i have not yet look deeply into qmail-smtpd code to conclude that if
you turn on TLS, it will be active for all smtp transactions and you could avoid this for some specific domains.


best regards,



--

Abel Lucano ____________________________________________________

GlobalGate Ingeniería


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to