1

Topic: Logjam Attack

Already some howto's to fix this on iRedmail?

info: https://weakdh.org/


2

Re: Logjam Attack

Thanks for sharing. [damn, another critical security issue.]

3

Re: Logjam Attack

https://weakdh.org/sysadmin.html has VERY handy tips on how to correct the problem - I just put 0.9.1 with nginx up, migrating from an older iRedMail version.  Applying the advice on that page got me to an "A" on the Qualys SSL test page, and no problems found on the weak DH page.

Simple and easy step-by-step on that page (just remember to add a semicolon at the end of the ssh_dhparam line in nginx config file, which BTW is in /etc/nginx/conf.d/default.conf, not in the directory given on that page)

4

Re: Logjam Attack

Also note you can use nmap to enumerate ciphers on a port, such as for IMAP:

sudo nmap --script ssl-enum-ciphers -p 993 mail.EXAMPLE.net

5 (edited by iperkins 2015-05-21 01:42:42)

Re: Logjam Attack

Changing or adding the following lines in /etc/httpd/conf.d/ssl.conf changed my grade on the Qualys SSL test page from a C to an A (Apache 2.2 on CentOS 6):

SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite AES256+EECDH:AES256+EDH
SSLInsecureRenegotiation off
SSLHonorCipherOrder on

Thanks for the heads up

6

Re: Logjam Attack

Commit to fix this issue in iRedMail, we will release a new iRedMail release soon.
https://bitbucket.org/zhb/iredmail/comm … 6a8860a2ca