1 (edited by tyllee 2014-10-19 16:33:52)

Topic: Poodle deb 6

==== Required information ====
- iRedMail version: 0.8.7
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Linux/BSD distribution name and version: Deb 6
- Related log if you're reporting an issue:
====

How should I protect my deb 6 system?

Is this the way to go?

Apache:
SSLProtocol all -SSLv2 -SSLv3

Postfix:
postconf -e 'smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3'
postconf -e 'smtpd_tls_protocols=!SSLv2,!SSLv3'
postconf -e 'smtp_tls_protocols=!SSLv2,!SSLv3'

Dovecot:
ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL:!SSLv3


2

Re: Poodle deb 6

For Dovecot-2.x, you should use 'ssl_protocols = !SSLv2 !SSLv3' instead.

3 (edited by tyllee 2014-10-19 15:15:24)

Re: Poodle deb 6

Deb 6 is running:

dovecot --version
1.2.15

According to this site I have to edit the source code of Dovecot:

https://linode.com/docs/security/securi … for-poodle
If you are running a version of Dovecot before 2.1, you will need to edit the source code of Dovecot.

4

Re: Poodle deb 6

You're right, for Dovecot-1.x, you need this:

ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL:!SSLv3

5 (edited by tyllee 2014-10-19 16:32:39)

Re: Poodle deb 6

When I add the line and restart Dovecot my clients can't connect.
ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL:!SSLv3

# openssl ciphers -v 'ALL:!ADH:!LOW:!SSLv2:!SSLv3:!EXP:!aNULL:+HIGH:+MEDIUM'
Error in cipher list
20806:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:ssl_lib.c:1218:

Shouldn't I get TLS output?


# openssl ciphers -v
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-DSS-AES256-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH       Au=RSA  Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA    SSLv3 Kx=DH       Au=DSS  Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
DES-CBC3-MD5            SSLv2 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=MD5
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-DSS-AES128-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
RC2-CBC-MD5             SSLv2 Kx=RSA      Au=RSA  Enc=RC2(128)  Mac=MD5
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
RC4-MD5                 SSLv2 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
EDH-RSA-DES-CBC-SHA     SSLv3 Kx=DH       Au=RSA  Enc=DES(56)   Mac=SHA1
EDH-DSS-DES-CBC-SHA     SSLv3 Kx=DH       Au=DSS  Enc=DES(56)   Mac=SHA1
DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
DES-CBC-MD5             SSLv2 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=MD5
EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512)  Au=RSA  Enc=DES(40)   Mac=SHA1 export
EXP-EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH(512)  Au=DSS  Enc=DES(40)   Mac=SHA1 export
EXP-DES-CBC-SHA         SSLv3 Kx=RSA(512) Au=RSA  Enc=DES(40)   Mac=SHA1 export
EXP-RC2-CBC-MD5         SSLv3 Kx=RSA(512) Au=RSA  Enc=RC2(40)   Mac=MD5  export
EXP-RC2-CBC-MD5         SSLv2 Kx=RSA(512) Au=RSA  Enc=RC2(40)   Mac=MD5  export
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
EXP-RC4-MD5             SSLv2 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
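The "Error in cipher list ... no cipher match" above is the whole story of why the clients stopped connecting: in OpenSSL's cipher-list syntax the `SSLv3` column tags cipher suites that were defined for SSL 3.0 (which TLS 1.0 reuses unchanged), not the protocol a client negotiates. On the OpenSSL 0.9.8-era build this Debian 6 box uses, every non-SSLv2 suite carries that tag, so `!SSLv3` removes all of them and Dovecot is left with no cipher at all. The following script is an added example of my own, not code from the thread or from iRedMail: it parses the `openssl ciphers -v` table pasted in this post and applies the cipher string the way OpenSSL does (plain words select suites, `!` words remove them permanently), for the selectors used in this thread only. It generalises one step beyond this box: on an OpenSSL 1.0.1 build, where only the AES-GCM/SHA256 suites are tagged `TLSv1.2`, the same string keeps just those suites, so clients that only speak TLS 1.0 still fail.

```python
import re

# Cipher table exactly as `openssl ciphers -v` printed it in the post above
# (OpenSSL 0.9.8-era build on Debian 6). Every TLS 1.0 suite is tagged SSLv3.
OPENSSL_CIPHERS_V = """\
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-DSS-AES256-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH       Au=RSA  Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA    SSLv3 Kx=DH       Au=DSS  Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
DES-CBC3-MD5            SSLv2 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=MD5
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-DSS-AES128-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
RC2-CBC-MD5             SSLv2 Kx=RSA      Au=RSA  Enc=RC2(128)  Mac=MD5
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
RC4-MD5                 SSLv2 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
EDH-RSA-DES-CBC-SHA     SSLv3 Kx=DH       Au=RSA  Enc=DES(56)   Mac=SHA1
EDH-DSS-DES-CBC-SHA     SSLv3 Kx=DH       Au=DSS  Enc=DES(56)   Mac=SHA1
DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
DES-CBC-MD5             SSLv2 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=MD5
EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512)  Au=RSA  Enc=DES(40)   Mac=SHA1 export
EXP-EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH(512)  Au=DSS  Enc=DES(40)   Mac=SHA1 export
EXP-DES-CBC-SHA         SSLv3 Kx=RSA(512) Au=RSA  Enc=DES(40)   Mac=SHA1 export
EXP-RC2-CBC-MD5         SSLv3 Kx=RSA(512) Au=RSA  Enc=RC2(40)   Mac=MD5  export
EXP-RC2-CBC-MD5         SSLv2 Kx=RSA(512) Au=RSA  Enc=RC2(40)   Mac=MD5  export
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
EXP-RC4-MD5             SSLv2 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
"""

ROW = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)"
    r"\s+Enc=(?P<enc>[^(]+)\((?P<bits>\d+)\)\s+Mac=(?P<mac>\S+)(?P<export>\s+export)?"
)


def parse_ciphers_v(text):
    """Turn `openssl ciphers -v` rows into dicts (name, proto, kx, au, enc, bits, mac, export)."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["bits"] = int(d["bits"])
        d["export"] = d["export"] is not None
        rows.append(d)
    return rows


def matches(c, sel):
    """The subset of OpenSSL cipher-list selectors this thread uses (a model, not OpenSSL itself)."""
    if sel == "ALL":
        return True
    if sel == "EXP":                       # 40-bit export-grade suites
        return c["export"]
    if sel == "LOW":                       # 56/64-bit non-export suites (single DES here)
        return not c["export"] and c["bits"] <= 64
    if sel == "aNULL":                     # anonymous key exchange, no server authentication
        return c["au"] == "None"
    if sel in ("SSLv2", "SSLv3", "TLSv1", "TLSv1.2"):
        return c["proto"] == sel           # the *definition* version tag, not what gets negotiated
    raise ValueError("selector not modelled: " + sel)


def _key(c):
    # RC4-MD5 and the EXP suites appear once per protocol tag, so key on both.
    return (c["name"], c["proto"])


def expand_cipher_string(spec, table):
    """Apply a colon-separated cipher string: plain words add matching suites in
    table order, '!' words delete matching suites for good. Returns suite names."""
    selected, killed = [], set()
    for word in filter(None, spec.split(":")):
        if word[0] == "!":
            killed.update(_key(c) for c in table if matches(c, word[1:]))
        elif word[0] in "+-":
            raise ValueError("+/- reordering not modelled: " + word)
        else:
            for c in table:
                if matches(c, word) and c not in selected:
                    selected.append(c)
    return [c["name"] for c in selected if _key(c) not in killed]


CIPHERS = parse_ciphers_v(OPENSSL_CIPHERS_V)

if __name__ == "__main__":
    for spec in ("ALL:!LOW:!SSLv2:!EXP:!aNULL:!SSLv3",   # the thread's Dovecot 1.x line
                 "ALL:!LOW:!SSLv2:!EXP:!aNULL"):          # same list without the SSLv3 kill
        kept = expand_cipher_string(spec, CIPHERS)
        print(spec, "->", ", ".join(kept) if kept else "no cipher match")
```

The first spec yields an empty list, which is exactly the `no cipher match` error the post shows; the second keeps the eleven AES, 3DES and RC4 suites. The practical consequence for Dovecot 1.x on this OpenSSL build is that a cipher string cannot switch off the SSLv3 protocol without also switching off TLS 1.0, because both protocols draw from the same pool of suites.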

6

Re: Poodle deb 6

tyllee wrote:

When I add the line and restart Dovecot my clients can't connect.

Which secure connection does your client use? TLS? or SSL?

7 (edited by tyllee 2014-10-19 23:09:07)

Re: Poodle deb 6

According to thunderbird it is using STARTTLS for IMAP (143) and SMTP (587).

https://www.checktls.com/perl/TestReceiver.pl

[000.843]        We can use this server
[000.843]        TLS is an option on this server
[000.844]    -->    STARTTLS
[000.987]    <--    220 2.0.0 Ready to start TLS
[000.988]        STARTTLS command works on this server
[001.304]        Cipher in use: DHE-RSA-AES256-SHA
[001.305]        Connection converted to SSL



ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL:!SSLv3

#openssl s_client -connect iredmail.srv:993
OUTPUT:
CONNECTED(00000003)

Without ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL:!SSLv3
openssl s_client -connect iredmail.srv:993

OUTPUT:
SSL handshake has read 3160 bytes and written 715 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA


In the source code of dovecot 1.2.17 I find this:

SSL/TLS
-------

Dovecot used to support both GNUTLS and OpenSSL libraries, but nowadays
only the OpenSSL code is working.

Could this mean something?


8

Re: Poodle deb 6

Upgrading to dovecot 2.1 could be a solution.

ZhangHuangbin: Do you think this backport upgrade would work with iRedmail?

apt-get -t squeeze-backports install dovecot-common
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following extra packages will be installed:
  dovecot-core dovecot-gssapi dovecot-imapd dovecot-ldap dovecot-mysql dovecot-pgsql dovecot-pop3d dovecot-sieve dovecot-sqlite
Suggested packages:
  dovecot-managesieved ntp dovecot-lmtpd dovecot-solr
The following NEW packages will be installed:
  dovecot-core dovecot-gssapi dovecot-ldap dovecot-mysql dovecot-pgsql dovecot-sieve dovecot-sqlite
The following packages will be upgraded:
  dovecot-common dovecot-imapd dovecot-pop3d
3 upgraded, 7 newly installed, 0 to remove and 41 not upgraded.
Need to get 5,973 kB of archives.
After this operation, 5,172 kB disk space will be freed.
Do you want to continue [Y/n]? n
Abort.

9

Re: Poodle deb 6

Sorry, I'm confused about what issue you're trying to solve.
To disable SSLv3 support in Dovecot-1.x? If yes, for dovecot-2.1 and later releases:

ssl_protocols = !SSLv3 !SSLv2

For dovecot-1.x and 2.0.x, set the ssl_cipher_list to disallow SSLv3 like this:

ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL:!SSLv3

Then test it:

# openssl s_client -connect localhost:993 -ssl3

10 (edited by tyllee 2014-10-23 14:54:12)

Re: Poodle deb 6

dovecot.conf
ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL:!SSLv3

dovecot restart

Output:
# openssl s_client -connect localhost:993 -ssl3
connect: Connection refused
connect:errno=61

OK, the clients can't connect now. What settings should I put into thunderbird?
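The `openssl s_client ... -ssl3` check from the previous post only tells you something when the TCP connection actually succeeds. `connect: Connection refused` is a TCP-level failure, so the output above says nothing about SSLv3 (errno 61 is ECONNREFUSED on macOS/BSD, whereas Linux reports 111, which suggests the command was run on a workstation where nothing listens on 993 rather than on the Dovecot host). A server that really rejects SSLv3 prints `CONNECTED(...)` first and then a handshake failure with `Cipher is (NONE)`. The script below is an added example of my own, not from the thread or iRedMail: it wraps the same `openssl s_client` probe and classifies the result so the three outcomes (unreachable, rejected, accepted) are not confused. It assumes an `openssl` binary on `PATH`; current OpenSSL builds have no SSLv3 client support at all, so `-ssl3` fails client-side there, which the classifier reports as `client-unsupported`. The refused and accepted samples are the outputs quoted in this thread; the rejected sample is constructed.

```python
import subprocess
import sys


def classify_s_client(output):
    """Interpret the text one `openssl s_client` run printed (stdout+stderr)."""
    if "Connection refused" in output or "connect:errno" in output:
        return "unreachable"          # TCP never connected: proves nothing about SSLv3
    if "Unknown option" in output or "no protocols available" in output:
        return "client-unsupported"   # this openssl build cannot speak the requested version
    if "Cipher is (NONE)" in output or "handshake failure" in output:
        return "rejected"             # server refused the requested protocol: the desired result for -ssl3
    if "Cipher is " in output:
        return "accepted"             # handshake completed with that protocol
    return "unknown"


def negotiated(output):
    """Protocol and cipher from the SSL-Session block, or (None, None)."""
    proto = cipher = None
    for line in output.splitlines():
        s = line.strip()
        if s.startswith("Protocol") and ":" in s:
            proto = s.split(":", 1)[1].strip()
        elif s.startswith("Cipher") and ":" in s:
            cipher = s.split(":", 1)[1].strip()
    return proto, cipher


def probe(host, port, flag, starttls=None, timeout=15):
    """Run `openssl s_client -connect host:port <flag> [-starttls proto]` and classify it.
    flag is e.g. "-ssl3" or "-tls1"; starttls is "imap" for 143 or "smtp" for 587."""
    cmd = ["openssl", "s_client", "-connect", "%s:%s" % (host, port), flag]
    if starttls:
        cmd += ["-starttls", starttls]
    r = subprocess.run(cmd, input=b"", capture_output=True, timeout=timeout)
    text = (r.stdout + r.stderr).decode("utf-8", "replace")
    return classify_s_client(text), negotiated(text)


# Sample outputs: the first two are quoted from this thread, the third is constructed
# in the shape OpenSSL 1.0 prints when the server has no SSLv3 in common with the client.
SAMPLE_REFUSED = "connect: Connection refused\nconnect:errno=61\n"

SAMPLE_ACCEPTED = """CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
"""

SAMPLE_REJECTED = """CONNECTED(00000003)
error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
---
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000
"""

if __name__ == "__main__":
    if len(sys.argv) < 3:
        for name, sample in (("refused", SAMPLE_REFUSED), ("accepted", SAMPLE_ACCEPTED),
                             ("rejected", SAMPLE_REJECTED)):
            print(name, "->", classify_s_client(sample), negotiated(sample))
        sys.exit(0)
    host, port = sys.argv[1], sys.argv[2]
    starttls = sys.argv[3] if len(sys.argv) > 3 else None   # e.g. "imap" for port 143
    for flag in ("-ssl3", "-tls1"):
        print(flag, "->", probe(host, port, flag, starttls))
```

Usage: `python3 probe.py localhost 993` on the Dovecot host itself, or `python3 probe.py localhost 143 imap` for the STARTTLS port Thunderbird uses. The outcome you want after the change is `-ssl3` reported as rejected and `-tls1` reported as accepted with a `Protocol : TLSv1` session; if both come back rejected, the cipher list has emptied the suite pool, which is what happened with the `!SSLv3` line on this OpenSSL build.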

11

Re: Poodle deb 6

Reference: http://iredmail.org/docs/configure.thunderbird.html

12 (edited by tyllee 2014-10-23 15:15:18)

Re: Poodle deb 6

Then it's not working.

The solution I will try is a backport upgrade from dovecot 1.2 to 2.1.

Do you see any trouble in this upgrade and iRedMail running on a deb 6?
The following extra packages will be installed:
  dovecot-core dovecot-gssapi dovecot-imapd dovecot-ldap dovecot-mysql dovecot-pgsql dovecot-pop3d dovecot-sieve dovecot-sqlite


Command:
apt-get -t squeeze-backports install dovecot-common
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following extra packages will be installed:
  dovecot-core dovecot-gssapi dovecot-imapd dovecot-ldap dovecot-mysql dovecot-pgsql dovecot-pop3d dovecot-sieve dovecot-sqlite
Suggested packages:
  dovecot-managesieved ntp dovecot-lmtpd dovecot-solr
The following NEW packages will be installed:
  dovecot-core dovecot-gssapi dovecot-ldap dovecot-mysql dovecot-pgsql dovecot-sieve dovecot-sqlite
The following packages will be upgraded:
  dovecot-common dovecot-imapd dovecot-pop3d
3 upgraded, 7 newly installed, 0 to remove and 41 not upgraded.
Need to get 5,973 kB of archives.
After this operation, 5,172 kB disk space will be freed.
Do you want to continue [Y/n]? n
Abort.

13

Re: Poodle deb 6

To upgrade dovecot-1.x to 2.x, I suggest you check this tutorial first:
http://www.iredmail.org/forum/topic4493 … tos-5.html

14 (edited by tyllee 2014-10-27 14:58:09)

Re: Poodle deb 6

Dovecot1 to Dovecot2 guide
http://www.iredmail.org/forum/topic4493 … tos-5.html

The Guide:
# Make sure per-user sieve filters can be read/write.
sieve_dir = /%Lh/sieve
sieve = /%Lh/sieve/dovecot.sieve

Deb6 srv
Dovecot.conf (1.2.15) old conf

    # Per-user sieve mail filter.
    plugin {
    # For maildir format.
    #sieve = /var/vmail/sieve/%Ld/%Ln/dovecot.sieve
    sieve = /%Lh/sieve/dovecot.sieve


    # The path to the directory where the personal Sieve scripts are stored. For
    # ManageSieve this is where the uploaded scripts are stored.
    sieve_dir = /var/vmail/sieve/%Ld/%Ln


    # Location of the active script. When ManageSieve is used this is actually
    # a symlink pointing to the active script in the sieve storage directory.
    sieve = /var/vmail/sieve/%Ld/%Ln/dovecot.sieve
   
   
Deb7 srv
Dovecot.conf (2.1) new conf

    # Pigeonhole managesieve service.
    # Reference: http://wiki2.dovecot.org/Pigeonhole/Sieve/Configuration
    # Per-user sieve settings.
    sieve_dir = /var/vmail/sieve/%Ld/%Ln
    sieve = /%Lh/sieve/dovecot.sieve
   
   

Question:
What should I put in my new config? I'm a little confused about the parameters below:
sieve_dir =
sieve =

15

Re: Poodle deb 6

It's the value below by default:

sieve_dir = /%Lh/sieve

If your old per-user sieve directory is not the same as this one, you can either keep the old setting, or use the new setting and move the sieve files to the new directory to match it.