Solved Poodle SSLv3 vulnerability with Dovecot

Hi all,

Wondering how I need to disable SSLv3 on Dovecot. This is to mitigate the POODLE vulnerability. I tried to search for it but don't get anything FreeBSD-specific. I tried to apply the RedHat instructions but that failed (https://access.redhat.com/solutions/120383).

Seems like
Code:
ssl_cipher_list = HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3
is the way to go. With !SSLv3 I get a configuration error. Do I need to explicitly enable TLS for that to work?

I used something like this
Code:
ssl_cipher_list = ALL:+TLSv1:!LOW:!SSLv2:!SSLv3
I don't get an error now. However, when I try with openssl s_client -connect host:port I don't get an SSL session anymore (while I do get a TCP connection). I did get a session when this line wasn't in the configuration.

Note that I'm using Dovecot 1.x. Should I migrate to Dovecot 2?

Thanks in advance!
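The two cipher strings tried above are OpenSSL cipher-list expressions, and in that syntax "SSLv3" and "TLSv1" name groups of cipher suites (by the minimum protocol version a suite needs), not the protocol versions the server will speak. The added script below, which is not part of this thread or of Dovecot, asks the local OpenSSL through Python's ssl module what each of the two strings actually leaves to negotiate, so you can see why a cipher list is the wrong knob for turning SSLv3 off: "!SSLv3" strips every suite that predates TLS 1.2, and on an OpenSSL build without TLS 1.2 suites nothing is left, which is consistent with the "TCP connects but no SSL session" symptom. The exact counts depend on the OpenSSL version the script runs against.

```python
"""Added example (not Dovecot's or the thread's code): show what an
OpenSSL cipher-list string really selects, to explain why "!SSLv3" in
ssl_cipher_list is not the same as disabling the SSLv3 protocol."""
import ssl

# The two cipher strings quoted in the post above (constructed table).
CIPHER_STRINGS = {
    "first attempt": "HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3",
    "second attempt": "ALL:+TLSv1:!LOW:!SSLv2:!SSLv3",
}


def evaluate_cipher_string(cipher_string):
    """Return (accepted, suites).

    suites is a list of (name, minimum protocol version) tuples left after
    OpenSSL applies the string; accepted is False when OpenSSL rejects the
    string because no cipher suite survives it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return False, []
    # get_ciphers() reports each suite's *minimum* protocol version:
    # "SSLv3" marks the suites shared by SSLv3/TLS1.0/TLS1.1, "TLSv1.2"
    # and "TLSv1.3" mark suites that need at least that version.
    suites = [(c["name"], c["protocol"]) for c in ctx.get_ciphers()]
    return True, suites


def still_has_sslv3_era_suites(cipher_string):
    """True when the string keeps suites usable by an SSLv3 handshake."""
    accepted, suites = evaluate_cipher_string(cipher_string)
    return accepted and any(proto == "SSLv3" for _, proto in suites)


def summarize(cipher_string):
    """Count the surviving suites per minimum protocol version."""
    accepted, suites = evaluate_cipher_string(cipher_string)
    counts = {}
    for _, proto in suites:
        counts[proto] = counts.get(proto, 0) + 1
    return accepted, counts


def main():
    for label, cipher_string in CIPHER_STRINGS.items():
        print(f"{label}: {cipher_string}")
        accepted, counts = summarize(cipher_string)
        if not accepted:
            print("  rejected by OpenSSL: no cipher suite can be selected")
            continue
        for proto, n in sorted(counts.items()):
            print(f"  {n:3d} suites with minimum version {proto}")
        print("  SSLv3-era suites present:",
              still_has_sslv3_era_suites(cipher_string))


if __name__ == "__main__":
    main()
```

Run it on the same machine that serves the mail ports to see the list its OpenSSL produces; the point to take away is that the protocol version has to be restricted with a protocol setting (Dovecot 2's ssl_protocols), while the cipher list only decides which suites are offered within whatever versions remain enabled.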
 
I know you said you are using 1.x, and I use 2.x so this might not work for you. But on 2.x this works.

Code:
ssl_protocols = !SSLv2 !SSLv3
 
Yeah, in the meantime I upgraded and migrated my configuration to version 2 format. Had to fiddle a bit to get the password and user database going again but it wasn't that hard.

I used
Code:
ssl_protocols = !SSLv2 !SSLv3
and that did the trick :) thanks!

Weird, I couldn't find this on Google (might be my bad searching skills though).

Weird how I got totally sidetracked to go fiddle with ssl_cipher settings :p
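Because ssl_protocols can live in dovecot.conf or in any file under conf.d, it is easy to end up with no effective setting at all (for instance when the line is still commented out in 10-ssl.conf). The added script below, which is not Dovecot's code or part of this thread, audits a Dovecot 2 configuration the way the thread does by hand: it drops comment and blank lines, collects key = value settings and reports whether SSLv3 is explicitly excluded by ssl_protocols. It also understands ssl_min_protocol, the replacement directive in Dovecot 2.3 and later, which the thread does not cover. The sample configuration texts are constructed for the example; the directory path is the one named in the thread and is only used when the script is run directly.

```python
"""Added example (not Dovecot's code): audit a Dovecot 2 configuration for
an explicit SSLv3 exclusion in ssl_protocols (or ssl_min_protocol on 2.3+)."""
import glob
import os
import re

# Constructed sample configuration fragments, not a real server's files.
SAMPLE_CONFIGS = {
    "before": """\
# conf.d/10-ssl.conf as shipped: the protocol line is still commented out
ssl = yes
ssl_cert = </etc/ssl/certs/dovecot.pem
ssl_key = </etc/ssl/private/dovecot.pem
#ssl_protocols = !SSLv2
""",
    "after": """\
ssl = yes
ssl_cert = </etc/ssl/certs/dovecot.pem
ssl_key = </etc/ssl/private/dovecot.pem
ssl_protocols = !SSLv2 !SSLv3
""",
    "dovecot23": """\
ssl = yes
ssl_min_protocol = TLSv1
""",
}

SETTING_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")


def meaningful_lines(text):
    """Same filter as the grep pipeline in the thread: no comments, no blanks."""
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            yield line


def parse_settings(text):
    """Collect top-level key = value settings; a later line overrides an earlier one."""
    settings = {}
    for line in meaningful_lines(text):
        match = SETTING_RE.match(line)
        if match:
            settings[match.group(1)] = match.group(2).strip()
    return settings


def sslv3_status(text):
    """Return 'disabled', 'enabled' or 'unknown' (no protocol directive present)."""
    settings = parse_settings(text)
    if "ssl_min_protocol" in settings:
        # Dovecot 2.3+: a minimum version; anything above SSLv3 excludes it.
        return "enabled" if settings["ssl_min_protocol"] == "SSLv3" else "disabled"
    if "ssl_protocols" in settings:
        tokens = settings["ssl_protocols"].split()
        allowed = [t for t in tokens if not t.startswith("!")]
        if allowed:
            # An explicit allow-list: SSLv3 is on only when it is named.
            return "enabled" if "SSLv3" in allowed else "disabled"
        # Pure exclusion list ("!SSLv2 !SSLv3"): SSLv3 stays on unless named.
        return "disabled" if "!SSLv3" in tokens else "enabled"
    return "unknown"


def audit_directory(config_dir):
    """Read dovecot.conf plus conf.d/*.conf in order and audit the combined text."""
    paths = [os.path.join(config_dir, "dovecot.conf")]
    paths += sorted(glob.glob(os.path.join(config_dir, "conf.d", "*.conf")))
    chunks = []
    for path in paths:
        if os.path.isfile(path):
            with open(path, encoding="utf-8", errors="replace") as fh:
                chunks.append(fh.read())
    return sslv3_status("\n".join(chunks))


if __name__ == "__main__":
    for label, text in SAMPLE_CONFIGS.items():
        print(f"sample '{label}': SSLv3 {sslv3_status(text)}")
    # Directory named in the thread; adjust for other installs.
    print("live config:", audit_directory("/usr/local/etc/dovecot"))
```

A result of "unknown" means the running version's built-in default decides, so check it with doveconf rather than assuming it is safe; "enabled" means the directive exists but does not exclude SSLv3.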
 
Remember to also update sendmail if you're using encryption there. This in the .mc, rebuild, install the .cf, restart.

Code:
LOCAL_CONFIG
O CipherList=HIGH
O ServerSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 +SSL_OP_CIPHER_SERVER_PREFERENCE
O ClientSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3
 
Any caveats during upgrade? Have you used http://wiki2.dovecot.org/Upgrading/2.0 to convert the old configuration or have you created a new one from scratch?

Sorry I got back to you this late.

I converted my configuration actually (not using the wiki above). There are some differences: /usr/local/etc/dovecot is now the main configuration directory and /usr/local/etc/dovecot/dovecot.conf the main configuration. Apart from that a load of files are loaded from conf.d. I used this to get the meaningful configuration lines: grep -v "^\ *#" /usr/local/etc/dovecot.conf | grep -ve '^$'

Then I searched for all those configuration items in the new configuration directory. Where they matched I changed them. (Note that you need to copy over example config files from /usr/share ... (I thought the installation or rc.d script told the location).) When you are done, do /usr/local/etc/rc.d/dovecot status. It will show you what configuration directives are invalid.

At one point in the configuration one of these is loaded for authentication (others are commented out):
Code:
auth-checkpassword.conf.ext
auth-custom.conf.ext
auth-deny.conf.ext
auth-dict.conf.ext
auth-ldap.conf.ext
auth-master.conf.ext
auth-passwdfile.conf.ext
auth-sql.conf.ext
auth-static.conf.ext
auth-system.conf.ext
auth-vpopmail.conf.ext

I created auth-custom.conf.ext and put the old directives for password database and user database in there. Using the rc.d script with the status parameter showed me I needed a driver set. After adding that driver I was able to start my server. Note that I had authentication on debug. I noticed I had a permissions error (due to how the previous setup was done). I changed the ownership and it worked :)
 
Remember to also update sendmail if you're using encryption there. This in the .mc, rebuild, install the .cf, restart.

Code:
LOCAL_CONFIG
O CipherList=HIGH
O ServerSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 +SSL_OP_CIPHER_SERVER_PREFERENCE
O ClientSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3

Although this is a thread about Dovecot I really appreciate you putting this here. A lot of installs will have sendmail (even mine). And I didn't get to patching this yet. Thanks!
 