Article ID: 123294, created on Oct 27, 2014, last review on Apr 24, 2016

Applies to:
  • Operations Automation 6.0
  • Operations Automation 5.5
  • Operations Automation 5.4

Symptoms

How to close the CVE-2014-3566 (POODLE) vulnerability on a Qmail server in the POA infrastructure?

Cause

SSLv3 cannot be switched off by modifying any configuration file.

Resolution

To disable SSLv3 on the Courier IMAP/POP3 service, the following request has been filed with PA development:

POA-88755

The temporary workaround is to modify the init script for courier-imap:

[root@qmail ~]# diff /etc/init.d/courier-imap /etc/init.d/courier-imap.modif
41c41,44
<       TLS_CERTFILE=$CERT_ROOT/pop3d.pem \
---
>       TLS_CERTFILE=$CERT_ROOT/pop3d.pem  \
>       TLS_PROTOCOL=TLS1 \
>       TLS_STARTTLS_PROTOCOL=TLS1 \
>       TLS_CIPHER_LIST="ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS:@STRENGTH" \
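Review bot: the TLS_CERTFILE line at 41 changes only by a second space before the backslash, which adds noise to the hunk without changing behaviour; drop that whitespace edit so the hunk contains just the three new variables. On the new lines, TLS_PROTOCOL=TLS1 and TLS_STARTTLS_PROTOCOL=TLS1 select a protocol method rather than a minimum version, and depending on the Courier build TLS1 can mean TLS 1.0 only rather than TLS 1.0 and newer, so check with `openssl s_client -tls1_2` (and `-tls1_1`) whether newer clients can still negotiate after the change. The cipher list also keeps the 3DES suites (ECDH+3DES, DH+3DES, RSA+3DES); if they are not required for legacy clients, consider removing them while the list is being touched.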
50a54,56
>         TLS_PROTOCOL=TLS1 \
>         TLS_STARTTLS_PROTOCOL=TLS1 \
>         TLS_CIPHER_LIST="ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS:@STRENGTH" \
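Review bot: this is an append hunk with no context line, so the review cannot confirm that line 50 of the original ends with a backslash; if it does not, the three appended lines become separate shell statements instead of part of the daemon's environment, so please include the preceding line as context (or show it in the `50a54,56` hunk). The indentation here (8 spaces) differs from the first hunk (6 spaces), which suggests two separately formatted blocks; and the identical cipher list is now duplicated in both places, so defining it once in a variable near the top of the script and referencing it from both daemons would keep the two invocations from drifting apart.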

With this modification, an SSLv3 connection becomes impossible, but TLS1 still works:

[root@qmail ~]# openssl s_client -tls1 -connect 203.0.113.2:995
CONNECTED(00000003)
depth=2 /C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
verify error:num=20:unable to get local issuer certificate
verify return:0

[root@qmail ~]# openssl s_client -tls1 -connect 203.0.113.2:993
CONNECTED(00000003)
depth=2 /C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
verify error:num=20:unable to get local issuer certificate
verify return:0
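The two s_client runs above only show that TLS1 still negotiates; they do not show that SSLv3 is now refused, nor what happens on the STARTTLS ports. The following script is an added example (not part of the original article and not POA or Courier code) that probes each port with one protocol version at a time and classifies the s_client transcript. It assumes the openssl binary supports the -ssl3/-tls1/-tls1_1/-tls1_2 and -starttls options, reuses the host 203.0.113.2 from the article, and uses the standard IMAP/POP3 ports (993/995 for implicit TLS, 143/110 for STARTTLS).

```shell
#!/bin/sh
# Added check script, not part of the original article. Probes the IMAP/POP3
# ports of a Courier host one protocol version at a time and reports which
# versions the server still accepts. Assumes openssl s_client supports the
# -ssl3/-tls1/-tls1_1/-tls1_2 and -starttls options; the host (203.0.113.2)
# is the article's, the ports are the standard ones.

# classify_handshake TRANSCRIPT: prints "accepted" when an s_client transcript
# shows a negotiated cipher, "rejected" when the handshake failed or the
# connection never came up.
classify_handshake() {
    transcript=$1
    if printf '%s\n' "$transcript" | grep -qF 'Cipher is (NONE)'; then
        echo rejected            # server answered but refused this version
    elif printf '%s\n' "$transcript" | grep -q '^New, .*, Cipher is '; then
        echo accepted            # a cipher was negotiated
    else
        echo rejected            # connection refused, timeout, etc.
    fi
}

# probe HOST PORT PROTO [STARTTLS_PROTO]: run one handshake attempt and
# classify the result. PROTO is ssl3, tls1, tls1_1 or tls1_2; STARTTLS_PROTO
# (imap or pop3) is given only for the plaintext ports.
probe() {
    if [ -n "$4" ]; then
        out=$(openssl s_client "-$3" -starttls "$4" -connect "$1:$2" </dev/null 2>&1)
    else
        out=$(openssl s_client "-$3" -connect "$1:$2" </dev/null 2>&1)
    fi
    classify_handshake "$out"
}

# verify_host HOST: print one result line per port and version, and return 1
# when SSLv3 is still accepted anywhere or when TLS1 (the version the article
# expects to keep working) is refused on the implicit-TLS ports.
verify_host() {
    host=$1
    rc=0
    for proto in ssl3 tls1 tls1_1 tls1_2; do
        for spec in 993: 995: 143:imap 110:pop3; do
            port=${spec%%:*}
            starttls=${spec#*:}
            result=$(probe "$host" "$port" "$proto" "$starttls")
            printf '%-6s port %-4s %s\n' "$proto" "$port" "$result"
            if [ "$proto" = ssl3 ] && [ "$result" = accepted ]; then
                rc=1
            fi
            if [ "$proto" = tls1 ] && [ "$result" = rejected ] && [ -z "$starttls" ]; then
                rc=1
            fi
        done
    done
    return $rc
}

# Usage: sh check_ssl3.sh 203.0.113.2
if [ -n "$1" ]; then
    verify_host "$1"
fi
```

Run it as `sh check_ssl3.sh 203.0.113.2` from a host that can reach the mail server. An exit status of 0 means every SSLv3 attempt was refused and TLS1 still works on 993 and 995; the tls1_1 and tls1_2 rows are informational, since the article only claims TLS1, and they are the quickest way to see whether the TLS1 setting has also shut out newer clients. Older openssl builds have no connection timeout on s_client, so an unreachable host can make a single probe wait for the TCP timeout.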

Also, please note that there is no exploit for non-browser services such as courier-imap or proftpd.

Please refer to the following article to disable SSLv3 on other services.

Search Words

I want to disable SSLv2 and SSLv3 for imap-ssl and pop3-ssl and STARTTLS(submission)

poodle

qmail

Courier/Qmail vulnerable to sslv2/sslv3 (Poodle and Drown)

imap starttls

Disable SSLv2 + SSLv3 on qmail
