[Dovecot] disable responding to an unrequested SSL Certificate

Andre Hübner andre.huebner at gmx.de
Tue Sep 30 18:29:26 EEST 2008


Hi List,


> Hi dovecot-list,
>
> just an easy question today ;)
>
> Customer did a PCI test on the server to test security to fit WorldPay 
> requirements.
>
> They found a critical risk on pop3s (and some other things).
>
> This is the text message:
> ############
> Family: Remote Shell Access Critical 993/tcp 11875
> Description:
> The remote host responded to an unrequested SSL Certificate. The remote 
> SSL server should have
> sent back an Error message. This may indicate that the server is 
> vulnerable to a remote
> flaw in the way that it handles unrequested certificates. You should 
> manually inspect the
> SSL Server's configuration
> ############
>
> Background is that we use a wildcard cert which is installed on every 
> machine and fits the server name. So you have to use the accredited 
> hostname/server name to make a clean SSL connection for pop3s/imaps without 
> warnings etc.
> The problem should be that the server sends no error when requested with another 
> hostname. This is the significant part from dovecot.conf
>
> protocols = imap imaps pop3 pop3s
> ssl_disable = no
> ssl_cert_file = "/path/to/*.myhost.com.crt"
> ssl_key_file = "/path/to/*.myhost.com.key"
> ssl_ca_file = "/path/to/*.myhost.com.bundle.crt"
>
> Is there a config option to send an error when the SSL connection is not 
> established to the hostname/server name accredited in the cert? Did not find 
> something like this or did not really understand the function of the options.
>
> I do not know the background to this issue. Can't decide if it would be a 
> security risk or disproportionate wishes of security experts, but I want to 
> satisfy this customer.
> How to handle this?
>
> Thank you
> Andre


Could the solution be to set ssl_listen to the hostname where Dovecot is 
running? Pretty easy... O.o
My tests were successful but I would like to obtain other opinions..

Thanks
Andre
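Added example, not from this thread and not Dovecot code: a small Python check of what a mail client actually decides when it connects to an imaps/pop3s port. On those ports the server simply hands out whatever ssl_cert_file points at; whether the name the client dialed is "accredited" by that certificate is decided by the client, comparing the hostname against the certificate's subjectAltName/CN entries. The script reproduces that comparison offline (wildcard only as the whole leftmost label, matching exactly one label) and can also be pointed at a live server. The domain myhost.com is taken from the posted config; mail.myhost.com and the other hostnames, and the sample certificate dict, are constructed for illustration.

```python
"""Check which hostnames a TLS mail server's certificate covers.

Added example for the dovecot thread above, not project code. Hostnames and
the sample certificate dict are constructed assumptions.
"""
import socket
import ssl
from typing import Dict, List, Optional, Tuple


def cert_name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate name (possibly '*.example.com') against a hostname.

    Rules used here, which is what mainstream clients do:
      - comparison is case-insensitive, trailing dots ignored
      - '*' is honoured only as the entire leftmost label
      - the wildcard matches exactly one label, so '*.myhost.com' covers
        'mail.myhost.com' but neither 'myhost.com' nor 'a.b.myhost.com'
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Reject 'm*.myhost.com' or 'mail.*.com': only a bare '*' first label is allowed.
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False
    if len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def names_in_cert(cert: Dict) -> List[str]:
    """Collect DNS subjectAltName entries, then the subject CN, from a getpeercert() dict."""
    names = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    return names


def accredited_for(cert: Dict, hostname: str) -> bool:
    """True if any name in the certificate covers the hostname the client used."""
    return any(cert_name_matches(name, hostname) for name in names_in_cert(cert))


def check_server(host: str, port: int = 993, expected: Optional[str] = None) -> Tuple[List[str], bool]:
    """Connect with implicit TLS (imaps on 993, pop3s on 995) and report the cert names.

    The chain is still verified against the system CA store; only the hostname
    decision is taken out of the library and made by accredited_for(), so that a
    certificate for the "wrong" name can be inspected instead of aborting.
    """
    expected = expected or host
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # we do the name check ourselves below
    ctx.verify_mode = ssl.CERT_REQUIRED  # chain must still be trusted
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return names_in_cert(cert), accredited_for(cert, expected)


# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns for a
# wildcard certificate like the one in the posted config.
SAMPLE_WILDCARD_CERT = {
    "subject": ((("commonName", "*.myhost.com"),),),
    "subjectAltName": (("DNS", "*.myhost.com"),),
}


if __name__ == "__main__":
    for name in ("mail.myhost.com", "myhost.com", "a.b.myhost.com", "192.0.2.10"):
        print(f"{name:20s} accredited: {accredited_for(SAMPLE_WILDCARD_CERT, name)}")
    # Against a real server (assumed hostname): check_server("mail.myhost.com", 993)
```

Connecting to the server by its IP address, or by a bare myhost.com, is exactly the case where a client would warn, because no name in the wildcard certificate covers it; the server cannot know which name the client typed on an implicit-TLS port, so the warning has to come from the client side.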
