SSLv3 attack on pop3?

Hans Morten Kind Kind at adm.uib.no
Fri Oct 31 19:02:16 UTC 2014


We turned off SSLv3 support on our pop/imap running dovecot on Oct 16th,
we did check that all users where using TLSv1 and there have been no
complaints (except one old windows-phone).

But at 13:00 UTC today, suddenly strange entries is seen in the logfile:
 Error: SSL: Stacked error: error:140943F2:SSL routines:SSL3_READ_BYTES:sslv3
    alert unexpected message: SSL alert number 10 

Followed by:
 pop3-login: Disconnected (no auth attempts in 2 secs) user=<>, rip=

Some 20 ips have been seen so far, all ips are uniq and none have used our
server lately. Just one resoved and it's name ends .cn, some lookups with whois
leads to the same origin for all.

This makes me anxious that some have made some poodle-like thing for pop3?

hmk



More information about the dovecot mailing list