Port 25 is probably handled by postfix, exim, or sendmail, not dovecot.
In any event, you can't simply connect directly to SMTP with TLS; SMTP
requires using the STARTTLS command to upgrade a connection to TLS.
I suspect you'll find similar issues with your other ports; I don't know
the details of
OK, I hate to be so stupid, but I need some help and can't seem to
locate anyone knowledgeable so far:
In 10-ssl.conf I added: ssl_protocols = !SSLv2 !SSLv3 (to no avail so I
think I am not patched)
Would appreciate some helpful comments / guidance please...
I did a fresh install of 12.04.5 on
lucid has seen the end of its life and is no longer receiving any
updates. Marking the lucid task for this ticket as "Won't Fix".
** Changed in: dovecot (Ubuntu Lucid)
Status: Confirmed => Won't Fix
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is su
Dovecot uses Unix password authentication by default. If those
passwords leak, they can be used to ssh in and perhaps even for sudo.
--
This bug was fixed in the package dovecot - 1:2.0.19-0ubuntu2.2
---
dovecot (1:2.0.19-0ubuntu2.2) precise; urgency=medium
* Backport support for the ssl_protocols setting to easily allow
disabling SSLv3. (LP: #1381537)
- debian/patches/backport_ssl_protocols.patch: added new
How will this be dealt with in lucid, please? I guess POODLE isn't
really that much of an issue for an IMAPS or POP3S session since there
is no JavaScript involved or am I mistaken?
--
** Branch linked: lp:ubuntu/precise-proposed/dovecot
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1381537
Title:
Dovecot version in precise too old to switch off SSLv3 protocol for
"poodle" fix
** Tags removed: verification-needed
** Tags added: verification-done
--
Hello Benjamin, or anyone else affected,
Accepted dovecot into precise-proposed. The package will build now and
be available at
http://launchpad.net/ubuntu/+source/dovecot/1:2.0.19-0ubuntu2.2 in a few
hours, and then in the -proposed repository.
Please help us by testing this new package. See
ht
** Description changed:
- The current version of dovecot in Ubuntu 12.04 LTS, Precise Pangolin is
- 2.0.19
+ SRU Request:
+
+ [Impact]
+ Dovecot in Precise does not contain the ssl_protocols configuration option
that allows disabling SSLv3. Since there are now known weaknesses in SSLv3, it
woul
Made a quick patch for this package, tested it in the following way:
* Install package
* Start dovecot
* Connect with: openssl s_client -connect localhost:995 -ssl3
Getting error that I can't connect on SSLv3, assumed this resolved the
issue.
** Patch added: "dovecot12-sslv3-disable.diff"
https:
** Patch removed: "dovecot12-sslv3-disable.diff"
https://bugs.launchpad.net/ubuntu/precise/+source/dovecot/+bug/1381537/+attachment/4244579/+files/dovecot12-sslv3-disable.diff
--
Made a quick patch for this package, tested it in the following way:
* Install package
* Start dovecot
* Connect with: openssl s_client -connect localhost:995 -ssl3
Getting error that I can't connect on SSLv3.
Please review.
** Patch removed: "untested"
https://bugs.launchpad.net/ubuntu/+source
** Patch added: "untested"
https://bugs.launchpad.net/ubuntu/+source/dovecot/+bug/1381537/+attachment/4244576/+files/dovcot12-sslv3-disable.diff
--
** Also affects: dovecot (Ubuntu Precise)
Importance: Undecided
Status: New
** Also affects: dovecot (Ubuntu Utopic)
Importance: Undecided
Status: New
** Also affects: dovecot (Ubuntu Vivid)
Importance: Undecided
Assignee: Marc Deslauriers (mdeslaur)
Status: Con
** Changed in: dovecot (Ubuntu)
Assignee: (unassigned) => Marc Deslauriers (mdeslaur)
--
So basically the following commit has to be backported to the 2.0
Version. http://hg.dovecot.org/dovecot-2.1/rev/406a1d52390b
I created a patch for 2.0.19 and tried it on our staging systems. This
worked quite well for us.
** Patch added: "Backport of 406a1d52390b"
https://bugs.launchpad.net/
** Tags added: poodle
--
Thanks for the clarification.
--
It is not correct. Adding !SSLv3 to the cipher list removes the set of
*ciphers* specified in the SSLv3 cipher suite [1], which would also
disable ciphers listed in other suites. It has no effect on the
*protocols* used.
[1] http://www.openssl.org/docs/apps/ciphers.html
--
On 10/20/2014 11:18 AM, Roger Cornelius wrote:
> According to
> https://www.digitalocean.com/community/tutorials/how-to-protect-your-server-against-the-poodle-sslv3-vulnerability,
> SSLv3 can
> be switched off in 2.0.19 by adding "!SSLv3" to the ssl_cipher_list
> config option. Is that not correct
According to
https://www.digitalocean.com/community/tutorials/how-to-protect-your-server-against-the-poodle-sslv3-vulnerability,
SSLv3 can
be switched off in 2.0.19 by adding "!SSLv3" to the ssl_cipher_list
config option. Is that not correct?
--
I had a quick discussion with mdeslaur (security team) on
#ubuntu-hardened.
He's not prepared to push changes which just turn SSLv3 off, since that
would break clients. But he is prepared to sponsor security patches that
add it as an option, so that users can opt to turn SSLv3 off after
they've g
Status changed to 'Confirmed' because the bug affects multiple users.
** Changed in: dovecot (Ubuntu)
Status: New => Confirmed
--
The attachment "disable SSLv3 in dovecot" seems to be a patch. If it
isn't, please remove the "patch" flag from the attachment, remove the
"patch" tag, and if you are a member of the ~ubuntu-reviewers,
unsubscribe the team.
[This is an automated message performed by a Launchpad user owned by
~bri
Here is the patch from the mailing list ([3] in original post)
** Patch added: "disable SSLv3 in dovecot"
https://bugs.launchpad.net/ubuntu/+source/dovecot/+bug/1381537/+attachment/4237577/+files/dovecot-sslv3-disable.diff
** Tags added: precise
--
** CVE added:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2014-3566
** Information type changed from Private Security to Public
--