Univention Bugzilla – Bug 38468
SDB: Postfix: Allow to disable the use of SSLv3 (Poodle-Bug)
Last modified: 2020-07-02 17:20:05 CEST
We should add a SDB article on how to disable SSLv3 on existing UCS mail servers (currently SSLv3 is disabled only on fresh installations).

+++ This bug was initially created as a clone of Bug #38044 +++

Hey there,

On October 14th, 2014, a vulnerability called POODLE (Padding Oracle On Downgraded Legacy Encryption) in version 3 of the SSL encryption protocol was disclosed. This vulnerability allows an attacker to read information encrypted with this version of the protocol in plain text using a man-in-the-middle attack. The POODLE vulnerability affects any services or clients that make it possible to communicate using SSLv3. Because this is a flaw with the protocol design, and not an implementation issue, every piece of software that uses SSLv3 is vulnerable.

--> Postfix SMTP

In case of 'opportunistic SSL' (encryption policy not enforced and plain is acceptable too), there is no need to change anything. Even though it's unnecessary, SSLv3 can be disabled for opportunistic encryption as well. These settings are not recommended:

smtpd_tls_protocols=!SSLv2,!SSLv3
smtp_tls_protocols=!SSLv2,!SSLv3

In case of 'mandatory SSL' add the smtpd_tls_mandatory_protocols setting for inbound connections and smtp_tls_mandatory_protocols for outbound connections and restart Postfix:

smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
smtp_tls_mandatory_protocols=!SSLv2,!SSLv3

--> UCS (4.0-1 errata113)

Situation: All settings are "postfix defaults" and not changeable via ucr yet.

# postconf |egrep 'smtp_tls_mandatory_protocols|smtpd_tls_mandatory_protocols|smtp_tls_protocols|smtpd_tls_protocols'
smtp_tls_mandatory_protocols = !SSLv2
smtp_tls_protocols = !SSLv2
smtpd_tls_mandatory_protocols = !SSLv2
smtpd_tls_protocols =
tlsproxy_tls_mandatory_protocols = $smtpd_tls_mandatory_protocols
tlsproxy_tls_protocols = $smtpd_tls_protocols

It would be useful to allow more configuration options.
There's already a UCR template: /etc/univention/templates/files/etc/postfix/main.cf.d/60_tls

I am going to write a patch for this issue. I filed this bug report as an enhancement only, so feel free to raise the severity level ;)

with best regards
Lutz Willek
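The following shell script is an added example and is not part of the bug report or of the UCS code base. It checks postconf-style output for the four protocol parameters named in the report and flags any that still permit SSLv3, treating an empty value (the Postfix default, as in the quoted smtpd_tls_protocols line) as "SSLv3 allowed". The two sample configurations are constructed here to mirror the before and after states described in the report; the function names sslv3_disabled and check_all are this example's own.

```shell
#!/bin/sh
# Added example (not from the bug report): verify that a Postfix
# configuration disables SSLv3 for the protocol parameters the report
# discusses. Feed it the output of "postconf <param> ..." on a live host.

# Constructed sample, mirroring the UCS 4.0-1 errata113 state quoted in
# the report (smtpd_tls_protocols is empty, i.e. Postfix default = all).
SAMPLE_BEFORE='smtp_tls_mandatory_protocols = !SSLv2
smtp_tls_protocols = !SSLv2
smtpd_tls_mandatory_protocols = !SSLv2
smtpd_tls_protocols ='

# Constructed sample after applying the !SSLv3 exclusions from the report.
SAMPLE_AFTER='smtp_tls_mandatory_protocols = !SSLv2,!SSLv3
smtp_tls_protocols = !SSLv2,!SSLv3
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3
smtpd_tls_protocols = !SSLv2,!SSLv3'

# sslv3_disabled PARAM CONFIG_TEXT
# Returns 0 when PARAM's value contains the !SSLv3 exclusion, 1 otherwise.
# An empty value counts as "not disabled": Postfix then accepts every
# protocol the TLS library offers, SSLv3 included.
sslv3_disabled() {
    param=$1
    value=$(printf '%s\n' "$2" | sed -n "s/^${param} *= *//p")
    case "$value" in
        *'!SSLv3'*) return 0 ;;
        *)          return 1 ;;
    esac
}

# check_all CONFIG_TEXT
# Prints one line per parameter; the return value is the number of
# parameters that still permit SSLv3 (0 means the host is clean).
check_all() {
    failures=0
    for p in smtpd_tls_mandatory_protocols smtp_tls_mandatory_protocols \
             smtpd_tls_protocols smtp_tls_protocols; do
        if sslv3_disabled "$p" "$1"; then
            echo "OK   $p disables SSLv3"
        else
            echo "WARN $p still permits SSLv3"
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}

# Demonstration on the constructed samples. On a real server replace the
# sample with:
#   check_all "$(postconf smtpd_tls_mandatory_protocols smtp_tls_mandatory_protocols \
#                          smtpd_tls_protocols smtp_tls_protocols)"
echo "--- before ---"; check_all "$SAMPLE_BEFORE" || true
echo "--- after ---";  check_all "$SAMPLE_AFTER"  || true
```

The check deliberately looks at all four parameters even though the report says only the mandatory pair needs changing: seeing the opportunistic pair listed as WARN is expected and matches the report's advice, while a WARN on a mandatory parameter is the finding to act on. On UCS the values come from the 60_tls template mentioned in the report rather than from UCR variables, so a direct postconf -e edit of main.cf is the wrong place to fix them there.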
Changes and improvements for SDB entries aren't tracked in Bugzilla anymore, so I close these entries. Please comment on help.univention.com or get in touch with the Univention Support team in case you have any suggestions for the SDB.