Hi List,
Hi dovecot-list,
just a easy question today ;)
Customer did on Server a PCI-Test to test security to fit worldpay requirements.
They found a critical risk at pop3s. (and some other things)
This is the Textmesage: ############ Family: Remote Shell Access Critical 993/tcp 11875 Description: The remote host responded to an unrequested SSL Certificate. The remote SSL server should have sent back an Error message. This may indicate that the server is vulnerable to a remote flaw in the way that it handles unrequested certificates. You should manually inspect the SSL Server's configuration ############
Background is that we use a wildcard-cert which is installed on ervery machine and fits to servername. So you have to use the accredited Hostname/Servername to make clean ssl connection pop3s/imaps without warnings etc. Problem should be that server sends no error when requested with other hostname. This is significant part from dovecot.conf
protocols = imap imaps pop3 pop3s ssl_disable = no ssl_cert_file = "/path/to/*.myhost.com.crt" ssl_key_file = "/path/to/*.myhost.com.key" ssl_ca_file = "/path/to/*.myhost.com.bundle.crt"
Is there a Config-Option to send error when ssl-connect ist not established to in cert accredited Hostname/Servername ? Did not found something like this or did not really understand function of the options.
I do not know backgrounds to this issue. Cant decide if it would be a security risk or disproportionated wishes of securityexperts but i want to satisfy this costumer. How to handle thos?
Thank you Andre
could be the solution to set ssl_listen to hostname where dovecot is running? pretty easy... O.o my tests were successful but would like to obtain other opinions..
Thanks Andre