[Dovecot] PKI Compliance Dovecot Server
Amit Thakkar
athakkarjr at yahoo.com
Tue Sep 30 17:06:20 EEST 2008
Hello,
I work for an organization that uses a Secure Dovecot server for messaging, and recently we've had to undergo some security screenings for PKI compliance (credit card industry standards). However, the screening returned to us a failure due to the following reason (attributed to our Dovecot server, which runs on port 993 and is the only "open" port on our firewall):
Synopsis : The remote service encrypts traffic using a protocol with known
weaknesses. Description : The remote service accepts connections encrypted using SSL 2.0, which
reportedly suffers fromseveral cryptographic flaws and has been
deprecated for several years. An attacker may be able to exploit these
issues to conduct man-in-the-middle attacks or decrypt communications
between the affected service and clients. See also : http://www.schneier.com/paper-ssl.pdf Solution: Consult the application's documentation to disable SSL 2.0 and use SSL
3.0 or TLS 1.0 instead. See http://support.microsoft.com/kb/216482 for instructions on IIS. See http://httpd.apache.org/docs/2.0/mod/mod _ssl.html for Apache. Risk Factor: Medium
/ CVSS Base Score : 2
(AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:N) [More]
Is there a way that we can disable SSL 2.0 in Dovecot, or force it to use only TLS 1.0 ?
Thank You
More information about the dovecot
mailing list