RE: [qmailtoaster] Drown attack

2016-03-04 Thread Helmut Fritz
Emiliano,

Thx very much for this.

Are some of those ciphers not weak and perhaps should be removed? Anything rc2
or rc4 based? Maybe anything rsa?

Thx for any insight!

Helmut

From: Emiliano Lima [mailto:zoior...@gmail.com] 
Sent: Friday, March 04, 2016 6:52 AM
To: qmailtoaster-list@qmailtoaster.com; ebr...@whitehorsetc.com
Subject: Re: [qmailtoaster] Drown attack

 

Just add the same line as below:


 cat  /var/qmail/control/tlsserverciphers
DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:KRB5-DES-CBC3-MD5:KRB5-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DES-CBC3-MD5:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:RC2-CBC-MD5:KRB5-RC4-MD5:KRB5-RC4-SHA:RC4-SHA:RC4-MD5:RC4-MD5:KRB5-DES-CBC-MD5:KRB5-DES-CBC-SHA:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:DES-CBC-MD5:EXP-KRB5-RC2-CBC-MD5:EXP-KRB5-DES-CBC-MD5:EXP-KRB5-RC2-CBC-SHA:EXP-KRB5-DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC2-CBC-MD5:EXP-KRB5-RC4-MD5:EXP-KRB5-RC4-SHA:EXP-RC4-MD5:EXP-RC4-MD5

ALL:!ADH:!LOW:!SSLv2:!EXP:+HIGH:+MEDIUM

 



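Helmut's question about which suites in the posted list are weak, and Emiliano's replacement string, checked mechanically: this is an added example, not code from the thread or from qmailtoaster. It classifies each suite name in a constructed excerpt of Eric's list, flags the plain-RSA key-transport suites that DROWN can decrypt when the same RSA key is also reachable over SSLv2 (Sebastian's Apache point), and parses the `!`/`-`/`+` operators of an OpenSSL cipher string; the rule names and the excerpt are mine, not OpenSSL's own strength classes.

```python
import re
# Constructed excerpt of the tlsserverciphers list Eric posted in the thread
# (real OpenSSL suite names from that list, shortened for readability).
OLD_LIST = ("DHE-RSA-AES256-SHA:AES256-SHA:KRB5-DES-CBC3-MD5:DES-CBC3-SHA:"
            "DHE-RSA-AES128-SHA:AES128-SHA:RC2-CBC-MD5:RC4-SHA:RC4-MD5:"
            "RC4-MD5:DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC4-MD5:EXP-DES-CBC-SHA")
NEW_SPEC = "ALL:!ADH:!LOW:!SSLv2:!EXP:+HIGH:+MEDIUM"  # Emiliano's string

# One rule per concern raised in the thread, matched against OpenSSL suite
# names.  Single DES is "DES-CBC-"; triple DES is "DES-CBC3-".
WEAK_RULES = [
    ("export-grade (EXP)", re.compile(r"^EXP-")),
    ("RC4 stream cipher", re.compile(r"(^|-)RC4(-|$)")),
    ("RC2 40-bit block cipher", re.compile(r"(^|-)RC2(-|$)")),
    ("single DES (56-bit)", re.compile(r"(^|-)DES-CBC-")),
    ("anonymous DH, no server auth", re.compile(r"^A(EC)?DH-")),
    ("Kerberos suite", re.compile(r"^KRB5-")),
]
# Key-exchange prefixes that are NOT plain RSA key transport.
KX_PREFIX = re.compile(r"^(EXP-)?(DHE|EDH|ECDHE|ECDH|ADH|AECDH|KRB5|PSK|SRP)-")

def classify(suite):
    """Reasons a suite should be dropped; an empty list means it may stay."""
    return [reason for reason, pat in WEAK_RULES if pat.search(suite)]

def rsa_key_exchange(suite):
    """True when the premaster secret is encrypted to the server's RSA key:
    not weak by itself, but these are the TLS sessions DROWN can decrypt if
    the same RSA key is also reachable over SSLv2 (e.g. on the web server)."""
    return KX_PREFIX.match(suite) is None

def audit(cipher_list):
    """Map each distinct suite (first-seen order) to its rejection reasons."""
    return {s: classify(s) for s in cipher_list.split(":") if s}

def parse_spec(spec):
    """Split an OpenSSL cipher string by operator: '!' kills a group for the
    whole string, '-' removes until re-added, '+' only moves to the end."""
    out = {"add": [], "kill": [], "delete": [], "demote": []}
    for tok in spec.split(":"):
        if tok.startswith("!"):   out["kill"].append(tok[1:])
        elif tok.startswith("-"): out["delete"].append(tok[1:])
        elif tok.startswith("+"): out["demote"].append(tok[1:])
        elif tok:                 out["add"].append(tok)
    return out

def spec_excludes(spec, groups):
    """True if every group in `groups` is hard-removed ('!') by `spec`."""
    return set(groups) <= set(parse_spec(spec)["kill"])
```

Note that the posted string keeps RC4-SHA and RC4-MD5, because OpenSSL places 128-bit RC4 in MEDIUM: `spec_excludes(NEW_SPEC, ["RC4"])` returns False, so `!RC4` has to be added explicitly if those are to go. `!SSLv2` only drops SSLv2 cipher suites from the list; the updated openssl package is what disables the SSLv2 protocol itself.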

Re: [qmailtoaster] Drown attack

2016-03-04 Thread Emiliano Lima
Just add the same line as below:

 cat  /var/qmail/control/tlsserverciphers
DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:KRB5-DES-CBC3-MD5:KRB5-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DES-CBC3-MD5:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:RC2-CBC-MD5:KRB5-RC4-MD5:KRB5-RC4-SHA:RC4-SHA:RC4-MD5:RC4-MD5:KRB5-DES-CBC-MD5:KRB5-DES-CBC-SHA:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:DES-CBC-MD5:EXP-KRB5-RC2-CBC-MD5:EXP-KRB5-DES-CBC-MD5:EXP-KRB5-RC2-CBC-SHA:EXP-KRB5-DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC2-CBC-MD5:EXP-KRB5-RC4-MD5:EXP-KRB5-RC4-SHA:EXP-RC4-MD5:EXP-RC4-MD5

ALL:!ADH:!LOW:!SSLv2:!EXP:+HIGH:+MEDIUM




Re: [qmailtoaster] Drown attack

2016-03-04 Thread Eric

Thanks Emiliano,

I have the following in tlsserverciphers, should I remove them and add
your line or just add your line?


DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:KRB5-DES-CBC3-MD5:KRB5-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DES-CBC3-MD5:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:RC2-CBC-MD5:KRB5-RC4-MD5:KRB5-RC4-SHA:RC4-SHA:RC4-MD5:RC4-MD5:KRB5-DES-CBC-MD5:KRB5-DES-CBC-SHA:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:DES-CBC-MD5:EXP-KRB5-RC2-CBC-MD5:EXP-KRB5-DES-CBC-MD5:EXP-KRB5-RC2-CBC-SHA:EXP-KRB5-DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC2-CBC-MD5:EXP-KRB5-RC4-MD5:EXP-KRB5-RC4-SHA:EXP-RC4-MD5:EXP-RC4-MD5

Eric





Re: [qmailtoaster] Drown attack

2016-03-04 Thread Sebastian Grewe
Thanks Emiliano, that indeed fixes the DROWN attack vector. Confirmed by using 
the Drownattack test on their website which showed my server as fixed :-)

Don’t forget that the same key may be used on your Webserver (sampled Apache 
here) so also disable weak ciphers there!

https://drownattack.com/apache.html

Cheers,
Sebastian




Re: [qmailtoaster] Drown attack

2016-03-04 Thread Emiliano Lima
Hi,

The solution is as follows.
Update the openssl package:

yum update openssl  (y)
In the file tlsserverciphers

/var/qmail/control/tlsserverciphers
Include the following command in it:

ALL:!ADH:!LOW:!SSLv2:!EXP:+HIGH:+MEDIUM

[ PicaLO_p0:root ] qmailctl cdb
Reloaded /etc/tcprules.d/tcp.smtp
Reloaded /var/qmail/control/badmimetypes.cdb
Reloaded /var/qmail/control/badloadertypes.cdb
Reloaded /var/qmail/control/simversions.cdb
Reloaded /var/qmail/control/simcontrol.cdb
[ Space_p0:root ] qmailctl restart
Restarting qmail:
* Stopping qmail-smtpd.
* Sending qmail-send SIGTERM and restarting.
* Restarting qmail-smtpd.
[ Space_p0:root ]





RE: [qmailtoaster] Drown attack

2016-03-03 Thread Helmut Fritz
I too am wondering the same thing.  It is not easy to tell with the somewhat
obscure functioning of openssl and tls with smtp, imap, and pop.  At least I
am not sure I get how it all works!

-----Original Message-----
From: fsanti...@garbage-juice.com [mailto:fsanti...@garbage-juice.com] 
Sent: Tuesday, March 01, 2016 11:34 AM
To: qmailtoaster-list@qmailtoaster.com
Subject: [qmailtoaster] Drown attack

QMT stock build affected by Drown attack?

see:  https://drownattack.com/

- Fabe S.

-
To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com

