Marc Rantanen:

Hi, how do I protect dovecot 1.2.17 against poodle?

I just looked into the sourcecode. looks like there was an option "ssl_protocols" in dovecot.conf. ( check: dovecot -a | grep ssl_protocols ) then you should be able to set "ssl_protocols = !SSLv2 !SSLv3" restart and check: openssl s_client -connect $dovecot_host:imaps -tls1 should work while openssl s_client -connect $dovecot_host:imaps -ssl3 should not (or use pop3s) Also if you could recompile from source then you may test the following patch. At a first glance it should only avoid dovecot connect to a next dovecot via SSLv3 Index: src/lib-ssl-iostream/iostream-openssl-context.c =================================================================== --- src.orig/lib-ssl-iostream/iostream-openssl-context.c 2014-10-25 22:59:28.000000000 +0200 +++ src/lib-ssl-iostream/iostream-openssl-context.c 2014-10-25 23:00:12.000000000 +0200 @@ -358,7 +358,7 @@ /* enable all SSL workarounds, except empty fragments as it makes SSL more vulnerable against attacks */ - SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_SSLv2 | + SSL_CTX_set_options(ctx->ssl_ctx, (SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3) | (SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)); if (SSL_CTX_need_tmp_RSA(ctx->ssl_ctx)) SSL_CTX_set_tmp_rsa_callback(ctx->ssl_ctx, ssl_gen_rsa_key); Index: src/login-common/ssl-proxy-openssl.c =================================================================== --- src.orig/login-common/ssl-proxy-openssl.c 2014-10-25 23:00:36.000000000 +0200 +++ src/login-common/ssl-proxy-openssl.c 2014-10-25 23:02:19.000000000 +0200 @@ -973,8 +973,8 @@ /* enable all SSL workarounds, except empty fragments as it makes SSL more vulnerable against attacks */ - SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL & - ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS); + SSL_CTX_set_options(ctx->ssl_ctx, (SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3) | + (SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)); #ifdef SSL_MODE_RELEASE_BUFFERS SSL_CTX_set_mode(ssl_ctx, SSL_MODE_RELEASE_BUFFERS);