[Dovecot] PKI Compliance Dovecot Server
Hello,
I work for an organization that uses a Secure Dovecot server for messaging, and recently we've had to undergo some security screenings for PKI compliance (credit card industry standards). However, the screening returned to us a failure due to the following reason (attributed to our Dovecot server, which runs on port 993 and is the only "open" port on our firewall):
Synopsis: The remote service encrypts traffic using a protocol with known weaknesses.
Description: The remote service accepts connections encrypted using SSL 2.0, which reportedly suffers from several cryptographic flaws and has been deprecated for several years. An attacker may be able to exploit these issues to conduct man-in-the-middle attacks or decrypt communications between the affected service and clients.
See also: http://www.schneier.com/paper-ssl.pdf
Solution: Consult the application's documentation to disable SSL 2.0 and use SSL 3.0 or TLS 1.0 instead. See http://support.microsoft.com/kb/216482 for instructions on IIS. See http://httpd.apache.org/docs/2.0/mod/mod_ssl.html for Apache.
Risk Factor: Medium / CVSS Base Score: 2 (AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:N)
Is there a way that we can disable SSL 2.0 in Dovecot, or force it to use only TLS 1.0?
Thank You
I *think* you can fix this in your config.
ssl_cipher_list = ALL:!ADH:!LOW:!SSLv2:!EXP:+HIGH:+MEDIUM
Consider yourself lucky you're not using UW. I believe you need to recompile it.
Nessus thinks I'm good with the setting above.
John
--
John Gray
gray@agora-net.com
AgoraNet, Inc.
314 E. Main Street, Suite 1
Newark, De 19711
(302) 224-2475
(302) 224-2552 (fax)
http://www.agora-net.com
BTW. Dovecot v1.1 has by default:
ssl_cipher_list = ALL:!LOW:!SSLv2
I'd think that's enough to fix this too.
On Tue, 2008-09-30 at 10:23 -0400, John Gray wrote:
FYI, Nessus scans are used for PCI Compliance. So if you've got all the plugins, you're good to go for vulnerability checks.
IIRC, !SSLv2 was my solution when the SSL thing came up last year for PCI Compliance (previous job).
Rick