[Bug 1381537] Re: Dovecot version in precise too old to switch off SSLv3 protocol for poodle fix

2015-07-13 Thread Seth Arnold
Port 25 is probably handled by postfix, exim, or sendmail, not dovecot. In any event, you can't simply connect directly to SMTP with TLS; SMTP requires using the STARTTLS command to upgrade a connection to TLS. I suspect you'll find similar issues with your other ports; I don't know the details

[Bug 1381537] Re: Dovecot version in precise too old to switch off SSLv3 protocol for poodle fix

2015-07-11 Thread Mike Threesi
OK, I hate to be so stupid, but I need some help and can't seem to locate anyone knowledgeable so far: In 10-ssl.conf I added: ssl_protocols = !SSLv2 !SSLv3 (to no avail so I think I am not patched) Would appreciate some helpful comments / guidance please... I did a fresh install of 12.04.5 on

[Bug 1381537] Re: Dovecot version in precise too old to switch off SSLv3 protocol for poodle fix

2015-06-17 Thread Rolf Leggewie
lucid has seen the end of its life and is no longer receiving any updates. Marking the lucid task for this ticket as Won't Fix. ** Changed in: dovecot (Ubuntu Lucid) Status: Confirmed => Won't Fix -- You received this bug notification because you are a member of Ubuntu Server Team, which

[Bug 1381537] Re: Dovecot version in precise too old to switch off SSLv3 protocol for poodle fix

2014-11-05 Thread Marius Gedminas
Dovecot uses Unix password authentication by default. If those passwords leak, they can be used to ssh in and perhaps even for sudo.

[Bug 1381537] Re: Dovecot version in precise too old to switch off SSLv3 protocol for poodle fix

2014-11-04 Thread Launchpad Bug Tracker
This bug was fixed in the package dovecot - 1:2.0.19-0ubuntu2.2 --- dovecot (1:2.0.19-0ubuntu2.2) precise; urgency=medium * Backport support for the ssl_protocols setting to easily allow disabling SSLv3. (LP: #1381537) - debian/patches/backport_ssl_protocols.patch: added

[Bug 1381537] Re: Dovecot version in precise too old to switch off SSLv3 protocol for poodle fix

2014-11-02 Thread Rolf Leggewie
How will this be dealt with in lucid, please? I guess POODLE isn't really that much of an issue for an IMAPS or POP3S session since there is no JavaScript involved, or am I mistaken?

[Bug 1381537] Re: Dovecot version in precise too old to switch off SSLv3 protocol for poodle fix

2014-10-28 Thread Chris J Arges
Hello Benjamin, or anyone else affected, Accepted dovecot into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/dovecot/1:2.0.19-0ubuntu2.2 in a few hours, and then in the -proposed repository. Please help us by testing this new package. See

[Bug 1381537] Re: Dovecot version in precise too old to switch off SSLv3 protocol for poodle fix

2014-10-28 Thread Simon Déziel
** Tags removed: verification-needed ** Tags added: verification-done

[Bug 1381537] Re: Dovecot version in precise too old to switch off SSLv3 protocol for poodle fix

2014-10-28 Thread Launchpad Bug Tracker
** Branch linked: lp:ubuntu/precise-proposed/dovecot

[Bug 1381537] Re: Dovecot version in precise too old to switch off SSLv3 protocol for poodle fix

2014-10-27 Thread Marc Deslauriers
** Description changed: - The current version of dovecot in Ubuntu 12.04 LTS, Precise Pangolin is - 2.0.19 + SRU Request: + + [Impact] + Dovecot in Precise does not contain the ssl_protocols configuration option that allows disabling SSLv3. Since there are now known weaknesses in SSLv3, it

[Bug 1381537] Re: Dovecot version in precise too old to switch off SSLv3 protocol for poodle fix

2014-10-25 Thread sergevn
** Patch added: untested https://bugs.launchpad.net/ubuntu/+source/dovecot/+bug/1381537/+attachment/4244576/+files/dovcot12-sslv3-disable.diff

[Bug 1381537] Re: Dovecot version in precise too old to switch off SSLv3 protocol for poodle fix

2014-10-25 Thread pcktdmp
Made a quick patch for this package, tested it in the following way: * Install package * Start dovecot * Connect with: openssl s_client -connect localhost:995 -ssl3 Getting error that I can't connect on SSLv3. Please review. ** Patch removed: untested

[Bug 1381537] Re: Dovecot version in precise too old to switch off SSLv3 protocol for poodle fix

2014-10-25 Thread pcktdmp
** Patch removed: dovecot12-sslv3-disable.diff https://bugs.launchpad.net/ubuntu/precise/+source/dovecot/+bug/1381537/+attachment/4244579/+files/dovecot12-sslv3-disable.diff

[Bug 1381537] Re: Dovecot version in precise too old to switch off SSLv3 protocol for poodle fix

2014-10-25 Thread pcktdmp
Made a quick patch for this package, tested it in the following way: * Install package * Start dovecot * Connect with: openssl s_client -connect localhost:995 -ssl3 Getting error that I can't connect on SSLv3, assumed this resolved the issue. ** Patch added: dovecot12-sslv3-disable.diff

[Bug 1381537] Re: Dovecot version in precise too old to switch off SSLv3 protocol for poodle fix

2014-10-24 Thread Marc Deslauriers
** Changed in: dovecot (Ubuntu) Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

[Bug 1381537] Re: Dovecot version in precise too old to switch off SSLv3 protocol for poodle fix

2014-10-24 Thread Marc Deslauriers
** Also affects: dovecot (Ubuntu Precise) Importance: Undecided Status: New ** Also affects: dovecot (Ubuntu Utopic) Importance: Undecided Status: New ** Also affects: dovecot (Ubuntu Vivid) Importance: Undecided Assignee: Marc Deslauriers (mdeslaur) Status:

[Bug 1381537] Re: Dovecot version in precise too old to switch off SSLv3 protocol for poodle fix

2014-10-22 Thread Marius Rieder
So basically the following commit has to be backported to the 2.0 version. http://hg.dovecot.org/dovecot-2.1/rev/406a1d52390b I created a patch for 2.0.19 and tried it on our staging systems. This worked quite well for us. ** Patch added: Backport of 406a1d52390b

[Bug 1381537] Re: Dovecot version in precise too old to switch off SSLv3 protocol for poodle fix

2014-10-21 Thread Robie Basak
** Tags added: poodle

[Bug 1381537] Re: Dovecot version in precise too old to switch off SSLv3 protocol for poodle fix

2014-10-20 Thread Roger Cornelius
According to https://www.digitalocean.com/community/tutorials/how-to-protect-your-server-against-the-poodle-sslv3-vulnerability, SSLv3 can be switched off in 2.0.19 by adding !SSLv3 to the ssl_cipher_list config option. Is that not correct?

[Bug 1381537] Re: Dovecot version in precise too old to switch off SSLv3 protocol for poodle fix

2014-10-20 Thread Benjamin Greiner
It is not correct. Adding !SSLv3 to the cipher list removes the set of *ciphers* specified in the SSLv3 cipher suite [1], which would also disable ciphers listed in other suites. It has no effect on the *protocols* used. [1] http://www.openssl.org/docs/apps/ciphers.html

Re: [Bug 1381537] Re: Dovecot version in precise too old to switch off SSLv3 protocol for poodle fix

2014-10-20 Thread Simon Déziel
On 10/20/2014 11:18 AM, Roger Cornelius wrote: According to https://www.digitalocean.com/community/tutorials/how-to-protect-your-server-against-the-poodle-sslv3-vulnerability, SSLv3 can be switched off in 2.0.19 by adding !SSLv3 to the ssl_cipher_list config option. Is that not correct?

[Bug 1381537] Re: Dovecot version in precise too old to switch off SSLv3 protocol for poodle fix

2014-10-20 Thread Roger Cornelius
Thanks for the clarification.

[Bug 1381537] Re: Dovecot version in precise too old to switch off SSLv3 protocol for poodle fix

2014-10-16 Thread Robie Basak
I had a quick discussion with mdeslaur (security team) on #ubuntu-hardened. He's not prepared to push changes which just turn SSLv3 off, since that would break clients. But he is prepared to sponsor security patches that add it as an option, so that users can opt to turn SSLv3 off after they've

[Bug 1381537] Re: Dovecot version in precise too old to switch off SSLv3 protocol for poodle fix

2014-10-15 Thread Benjamin Greiner
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2014-3566 ** Information type changed from Private Security to Public

[Bug 1381537] Re: Dovecot version in precise too old to switch off SSLv3 protocol for poodle fix

2014-10-15 Thread Benjamin Greiner
Here is the patch from the mailing list ([3] in original post) ** Patch added: disable SSLv3 in dovecot https://bugs.launchpad.net/ubuntu/+source/dovecot/+bug/1381537/+attachment/4237577/+files/dovecot-sslv3-disable.diff ** Tags added: precise

[Bug 1381537] Re: Dovecot version in precise too old to switch off SSLv3 protocol for poodle fix

2014-10-15 Thread Ubuntu Foundations Team Bug Bot
The attachment disable SSLv3 in dovecot seems to be a patch. If it isn't, please remove the patch flag from the attachment, remove the patch tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team. [This is an automated message performed by a Launchpad user owned by

[Bug 1381537] Re: Dovecot version in precise too old to switch off SSLv3 protocol for poodle fix

2014-10-15 Thread Launchpad Bug Tracker
Status changed to 'Confirmed' because the bug affects multiple users. ** Changed in: dovecot (Ubuntu) Status: New => Confirmed