[Dovecot] PKI Compliance Dovecot Server

[John Gray]

I *think* you can fix this in your config.

ssl_cipher_list = ALL:!ADH:!LOW:!SSLv2:!EXP:+HIGH:+MEDIUM

Consider yourself lucky you're not using UW.  I believe you need to
recompile it.

Nessus thinks I'm good with the setting above.

John

Amit Thakkar wrote:
> Hello,
> 
> I work for an organization that uses a Secure Dovecot server for messaging, and recently we've had to undergo some security screenings for PKI compliance (credit card industry standards).  However, the screening returned to us a failure due to the following reason (attributed to our Dovecot server, which runs on port 993 and is the only "open" port on our firewall):
> 
> Synopsis : The remote service encrypts traffic using a protocol with known
> weaknesses.  Description : The remote service accepts connections encrypted using SSL 2.0, which
> reportedly suffers fromseveral cryptographic flaws and has been
> deprecated for several years.  An attacker may be able to exploit these
> issues to conduct man-in-the-middle attacks or decrypt communications
> between the affected service and clients.  See also : http://www.schneier.com/paper-ssl.pdf Solution:  Consult the application's documentation to disable SSL 2.0 and use SSL
> 3.0 or TLS 1.0 instead.  See http://support.microsoft.com/kb/216482 for instructions on IIS.  See http://httpd.apache.org/docs/2.0/mod/mod	_ssl.html for Apache. Risk Factor:  Medium
>  / CVSS Base Score : 2 
> (AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:N) [More] 
> 
> Is there a way that we can disable SSL 2.0 in Dovecot, or force it to use only TLS 1.0 ?
> 
> Thank You
> 
> 
>       


-- 
John Gray                           gray at agora-net.com
AgoraNet, Inc.                      (302) 224-2475
314 E. Main Street, Suite 1         (302) 224-2552 (fax)
Newark, De 19711                    http://www.agora-net.com