1

Topic: The Poodlebleed Bug (SSLv3 vulnerability)

==== Required information ====
- iRedMail version: iRedAdmin-Pro    v1.8.2
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): (MySQL)
- Linux/BSD distribution name and version: 12.04.1 LTS, Precise Pangolin
- Related log if you're reporting an issue: N/A
====

Hi All,
Just wanted everyone to be aware of The Poodlebleed Bug.
"Poodlebleed is a vulnerability in the design of SSL version 3.0. Poodle is actually an acronym for Padding Oracle On Downgraded Legacy Encryption. The vulnerability allows the decryption to plaintext of secure connections."

Watch for compromised accounts!

Here is some information:
http://poodlebleed.com/
https://community.centminmod.com/thread … lity.1651/


2

Re: The Poodlebleed Bug (SSLv3 vulnerability)

You can disable SSLv3 in Postfix/Dovecot with the settings below.

Disable SSLv3 in Postfix:

# Opportunistic TLS
smtpd_tls_protocols = !SSLv2 !SSLv3
smtp_tls_protocols = !SSLv2 !SSLv3
lmtp_tls_protocols = !SSLv2 !SSLv3

# Mandatory TLS
smtpd_tls_mandatory_protocols = !SSLv2 !SSLv3
smtp_tls_mandatory_protocols = !SSLv2 !SSLv3
lmtp_tls_mandatory_protocols = !SSLv2 !SSLv3

Disable SSLv3 in Dovecot:

ssl_protocols = !SSLv2 !SSLv3
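
An added example, not part of the original posts and not iRedMail's or Postfix's own tooling: a Python check that parses main.cf text and reports, for the six Postfix parameters listed above, whether SSLv3 is excluded. The sample config is constructed, the function names are hypothetical, and it assumes only the `name` / `!name` list syntax used in the post.

```python
import re
# The six Postfix parameters named in the post above.
PARAMS = [f"{svc}_tls_{kind}protocols"
          for kind in ("", "mandatory_") for svc in ("smtpd", "smtp", "lmtp")]

def parse_main_cf(text):
    """Parse main.cf text: skip comments, join continuation lines, last value wins."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and logical:
            logical[-1] += " " + raw.strip()  # leading whitespace continues a line
        else:
            logical.append(raw.strip())
    settings = {}
    for line in logical:
        name, sep, value = line.partition("=")
        if sep:
            settings[name.strip()] = value.strip()
    return settings

def sslv3_status(value):
    """Classify one protocol list as 'unset', 'enabled' or 'disabled' for SSLv3."""
    if value is None:
        return "unset"  # the default applies, and it depends on the Postfix version
    tokens = [t.lower() for t in re.split(r"[,\s]+", value) if t]
    excluded = {t[1:] for t in tokens if t.startswith("!")}
    included = {t for t in tokens if not t.startswith("!")}
    # Disabled when excluded explicitly, or when an include list omits it.
    if "sslv3" in excluded or (included and "sslv3" not in included):
        return "disabled"
    return "enabled"

def audit(text):
    settings = parse_main_cf(text)
    return {p: sslv3_status(settings.get(p)) for p in PARAMS}

# Constructed sample config (hypothetical, not from a real server).
SAMPLE = """\
smtpd_tls_protocols = !SSLv2 !SSLv3
smtp_tls_protocols = !SSLv2
lmtp_tls_protocols = !SSLv2,
    !SSLv3
smtpd_tls_mandatory_protocols = TLSv1
smtp_tls_mandatory_protocols = !SSLv2 !SSLv3
smtp_tls_mandatory_protocols = SSLv3, TLSv1
"""
if __name__ == "__main__":
    print("\n".join(f"{k}: {v}" for k, v in audit(SAMPLE).items()))
```

Any parameter reported as `enabled` or `unset` is one to compare against the settings in the post.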

3

Re: The Poodlebleed Bug (SSLv3 vulnerability)

Where would I find those settings to adjust them?

4

Re: The Poodlebleed Bug (SSLv3 vulnerability)

You can find the config file locations in this tutorial:
http://www.iredmail.org/docs/file.locations.html