Bug 38468 - SDB: Postfix: Allow to disable the use of SSLv3 (Poodle-Bug)
Status: RESOLVED WONTFIX
Product: Z_SDB
Classification: Unclassified
Component: New entries
Assigned To: SDB maintainers
Depends on: 38044
Reported: 2015-05-06 17:32 CEST by Sönke Schwardt-Krummrich
Modified: 2020-07-02 17:20 CEST (History)
What kind of report is it?: Development Internal

Description Sönke Schwardt-Krummrich univentionstaff 2015-05-06 17:32:44 CEST
We should add a SDB article on how to disable SSLv3 on existing UCS mail servers (currently only on fresh installations SSLv3 is disabled).

+++ This bug was initially created as a clone of Bug #38044 +++

Hey there,

On October 14th, 2014, a vulnerability called POODLE (Padding Oracle On Downgraded Legacy Encryption) in version 3 of the SSL encryption protocol was disclosed. This vulnerability allows an attacker to read information encrypted with this version of the protocol in plain text using a man-in-the-middle attack.

The POODLE vulnerability affects any services or clients that make it possible to communicate using SSLv3. Because this is a flaw with the protocol design, and not an implementation issue, every piece of software that uses SSLv3 is vulnerable.

--> Postfix SMTP

In case of 'opportunistic SSL' (encryption policy not enforced and plain is acceptable too), there is no need to change anything. Even though it's unnecessary, SSLv3 can be disabled for opportunistic encryption as well. These settings are not recommended:

smtpd_tls_protocols=!SSLv2,!SSLv3
smtp_tls_protocols=!SSLv2,!SSLv3


In case of 'mandatory SSL' add the smtpd_tls_mandatory_protocols setting for inbound connections and smtp_tls_mandatory_protocols for outbound connections and restart Postfix:

smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
smtp_tls_mandatory_protocols=!SSLv2,!SSLv3

--> UCS (4.0-1 errata113) Situation

All settings are "postfix defaults" and not changeable via ucr yet.
# postconf |egrep 'smtp_tls_mandatory_protocols|smtpd_tls_mandatory_protocols|smtp_tls_protocols|smtpd_tls_protocols'

smtp_tls_mandatory_protocols = !SSLv2
smtp_tls_protocols = !SSLv2
smtpd_tls_mandatory_protocols = !SSLv2
smtpd_tls_protocols =
tlsproxy_tls_mandatory_protocols = $smtpd_tls_mandatory_protocols
tlsproxy_tls_protocols = $smtpd_tls_protocols


It would be useful to allow more configuration options. There's already a UCR template: /etc/univention/templates/files/etc/postfix/main.cf.d/60_tls

I am going to write a patch for this issue. I filed this bug report as an enhancement only, so feel free to raise the severity level ;)

With best regards,

Lutz Willek
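An added check, not part of the bug report or of UCS, that parses `postconf`-style output like the listing quoted above and names every *_protocols parameter that still permits SSLv3, resolving `$parameter` references the way Postfix does. The sample output below is constructed from the values shown in the report; the function names are my own.

```shell
#!/bin/sh
# Constructed sample of `postconf` output, mirroring the UCS 4.0-1 errata113
# state quoted in the report (only SSLv2 excluded, smtpd_tls_protocols empty).
SAMPLE_POSTCONF='smtp_tls_mandatory_protocols = !SSLv2
smtp_tls_protocols = !SSLv2
smtpd_tls_mandatory_protocols = !SSLv2
smtpd_tls_protocols =
tlsproxy_tls_mandatory_protocols = $smtpd_tls_mandatory_protocols
tlsproxy_tls_protocols = $smtpd_tls_protocols'

# Look up one parameter ($1) in the postconf output ($2), following a
# `$other_param` reference recursively, as Postfix expands it.
resolve_param() {
  value=$(printf '%s\n' "$2" | sed -n "s/^$1 = *//p")
  case "$value" in
    '$'*) resolve_param "${value#\$}" "$2" ;;
    *) printf '%s' "$value" ;;
  esac
}

# Does a protocol-list value still permit SSLv3?
# Postfix semantics: an empty value means "all protocols"; an exclusion
# list (entries starting with '!') only disables SSLv3 if it names !SSLv3;
# an inclusion list permits SSLv3 only if it names SSLv3.
sslv3_allowed() {
  case "$1" in
    '') return 0 ;;            # empty = every protocol, including SSLv3
    *'!SSLv3'*) return 1 ;;    # explicit exclusion
    *'!'*) return 0 ;;         # exclusion list without !SSLv3
    *SSLv3*) return 0 ;;       # inclusion list naming SSLv3
    *) return 1 ;;             # inclusion list without SSLv3
  esac
}

# Print, one per line, the *_protocols parameters in the postconf output ($1)
# whose effective value permits SSLv3. Empty output means SSLv3 is off everywhere.
sslv3_allowing_params() {
  printf '%s\n' "$1" | sed -n 's/^\([a-z_]*_protocols\) =.*/\1/p' | while read -r name; do
    value=$(resolve_param "$name" "$1")
    if sslv3_allowed "$value"; then printf '%s\n' "$name"; fi
  done
}

# Stand-alone run against the constructed sample: lists all six parameters.
sslv3_allowing_params "$SAMPLE_POSTCONF"
```

On a real host, replace the constructed sample with `postconf | grep _protocols` and expect no output once the `!SSLv3` settings from the report are in place.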
Comment 1 Ingo Steuwer univentionstaff 2020-07-02 17:20:05 CEST
Changes and improvements for SDB entries aren't tracked in Bugzilla anymore, so I close these entries. Please comment on help.univention.com or get in touch with the Univention Support team in case you have any suggestions for the SDB.