Security : Postfix and Dovecot vulnerable to POODLE, fix your configuration

Checking my mailbox setup by sending a mail to mailtest@unlocktheinbox.com, I’ve been warned that the Yunohost Postfix and Dovecot configurations are vulnerable to POODLE, as they allow connections through SSLv3.

If you want to read more about it in English or in French.

POSTFIX

It can be fixed by disabling the SSLv3 protocol for both packages. You will need to adjust your configuration by adding the following line:

smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3

You’ll want to look in the # TLS parameters section of /etc/postfix/main.cf. This will force Postfix SMTP to not use SSLv3 or SSLv2. You will also need to restart Postfix:

sudo service postfix restart

DOVECOT

The following fix only works with Dovecot versions 2.1 and above (Yunohost has version 2.1.7 installed).

You should modify the /etc/dovecot/dovecot.conf configuration file and add the following line:

ssl_protocols = !SSLv2 !SSLv3

Right after the ssl_key line, so it will look like:

ssl_key = </etc/ssl/private/yunohost_key.pem
ssl_protocols = !SSLv2 !SSLv3

Then you can restart Dovecot:

sudo service dovecot restart
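As an added example (not part of the original post), a small POSIX shell audit script that parses a Postfix or Dovecot config file for the protocol directives above and reports whether both SSLv2 and SSLv3 are excluded; the sample config files are constructed inline. It also checks Postfix's smtpd_tls_protocols, which governs opportunistic TLS, while smtpd_tls_mandatory_protocols only applies when TLS is mandatory.

```shell
#!/bin/sh
# Added audit helper (not part of the original post): checks whether a
# Postfix or Dovecot protocol directive excludes both SSLv2 and SSLv3.
# Usage: check_ssl_protocols <config-file> <directive>
# Exit status 0 = directive present and excludes SSLv2 and SSLv3, 1 otherwise.
check_ssl_protocols() {
    file=$1
    directive=$2
    # Keep the last uncommented assignment (later settings win in both daemons)
    # and strip the key, the '=' and surrounding whitespace from the value.
    value=$(grep -E "^[[:space:]]*${directive}[[:space:]]*=" "$file" 2>/dev/null \
        | tail -n 1 | sed -e 's/^[^=]*=//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')
    [ -n "$value" ] || return 1
    case "$value" in
        *'!SSLv2'*) ;;                # SSLv2 excluded, keep checking
        *) return 1 ;;
    esac
    case "$value" in
        *'!SSLv3'*) return 0 ;;       # SSLv3 excluded as well
        *) return 1 ;;
    esac
}

# Human-readable wrapper around the check above.
report() {  # report <config-file> <directive>
    if check_ssl_protocols "$1" "$2"; then
        echo "OK   $1: $2 excludes SSLv2 and SSLv3"
    else
        echo "FAIL $1: $2 missing or still allows SSLv2/SSLv3"
    fi
}

# Constructed sample files so the script runs offline; on a real host point
# report at /etc/postfix/main.cf and /etc/dovecot/dovecot.conf instead.
demo=$(mktemp -d)
printf '# TLS parameters\nsmtpd_tls_mandatory_protocols=!SSLv2,!SSLv3\n' > "$demo/main.cf"
printf 'ssl_key = </etc/ssl/private/yunohost_key.pem\n' > "$demo/dovecot.conf"
# Postfix: smtpd_tls_mandatory_protocols only covers mandatory TLS; opportunistic
# TLS (smtpd_tls_security_level = may) is governed by smtpd_tls_protocols, so
# an audit should look at both directives.
report "$demo/main.cf" smtpd_tls_mandatory_protocols   # OK
report "$demo/main.cf" smtpd_tls_protocols             # FAIL: directive absent
report "$demo/dovecot.conf" ssl_protocols              # FAIL: line not added yet
rm -rf "$demo"
```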

Thanks for the advice, would you like to make a pull request to the install script? I would have liked to tell you which one it is, but I don’t really understand how the whole thing is organised :]
Good luck

Hi tebo,

Just made two pull requests.

Will see what they say :))

Hey,
thanks for the tip!
Any way to change the login method from method=PLAIN?
Or is it safe using this default method?
If I tail -300 /var/log/mail.log
I have someone from the same IP trying to log in many times per day:
postfix/smtpd[12746]: connect from unknown [IP]
warning: unknown[IP]: SASL LOGIN authentication failed
and this IP is not the normal scanners…
So I’m a little worried :neutral_face: