 Security Issue on Dovecot 2.0.9 (17 Replies, Read 31432 times)
peopleinside
Group: Member
Post Group: Super Member
Posts: 1394
Status:

Open source, web and security passionate
Hi,
it seems the latest version of Dovecot available in Webuzo is 2.0.9.

The security issue is that it is not easily possible to deactivate SSLv3 in the configuration file.

I see this topic https://www.linode.com/docs/security/security-patches/disabling-sslv3-for-poodle

and it says that if the Dovecot version is not 2.1 but older, you have to edit the Dovecot source code to disable the insecure SSL version.

I don't know how to do that.
Please consider updating Dovecot to a more recent version.
Thanks.


-----------------------
PeopleInside  :angel:

Web, security, open source passionate.

peopleinside
Dovecot 2.0.9 needs to be patched and I don't know how to do it; it is better to update, so please release a new version.
http://www.dovecot.org/pipermail/dovecot/2014-October/098244.html

Since Dovecot 2.0.9 cannot disable SSLv3, this is a security issue, you must know.



peopleinside
If I disable SSLv3 and run

    openssl s_client -connect mail.host.ext:465 -ssl3

the result makes me think SSLv3 is not disabled on Dovecot 2.0.9.



peopleinside
As you can see from this article

https://www.linode.com/docs/security/security-patches/disabling-sslv3-for-poodle

if you scroll down to Dovecot you will be able to read:

If you are running a version of Dovecot before 2.1, you will need to edit the source code of Dovecot.

A patch is needed.

You can also read here:

https://bugs.launchpad.net/ubuntu/+source/dovecot/+bug/1381537

Original description:

The current version of dovecot in Ubuntu 12.04 LTS, Precise Pangolin is 2.0.19.

This version is too old to switch off SSLv3, which has been designated insecure as of the recent "poodle" discovery [1].

In dovecot versions 2.1+ the protocol can be switched off, but for older versions the source code would need to be patched [2,3].

http://askubuntu.com/questions/537196/how-do-i-patch-workaround-sslv3-poodle-vulnerability-cve-2014-3566


peopleinside
Please also be sure to have disabled SSLv3 everywhere, as some other companies or panels do.
http://thecpaneladmin.com/disabling-support-for-sslv3-on-a-cpanel-server/

EXIM
DOVECOT
Pure-FTPd/ProFTPd

ETC.

Testing for SSLv3 Support
You can run the openssl client on your server against the SSL ports. This command is run as follows:
    openssl s_client -connect localhost:port -ssl3

If it fails (which is what you want), it is OK.




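The `openssl s_client -ssl3` check from the two posts above, as an added example that is not part of the thread or of the cPanel article: a POSIX shell script that runs the probe against the usual mail ports and classifies the output instead of reading it by eye. The host name, the port list and the sample outputs in the comments are assumptions. Two caveats a practitioner should keep in mind: port 465 (and 25/587 with STARTTLS) is served by the MTA, Exim on these panels, not by Dovecot, which answers on 993/995 and with STARTTLS on 143/110, so an SSLv3 hit on 465 is not a Dovecot finding; and most openssl builds from 2016 onward no longer accept `-ssl3` at all, in which case the script reports UNKNOWN and a tool such as `nmap --script ssl-enum-ciphers` has to be used instead.

```shell
#!/bin/sh
# Added example (not from the thread): probe mail ports for SSLv3 with
# `openssl s_client -ssl3` and classify the result instead of eyeballing it.
# Assumptions: the local openssl still accepts -ssl3 (newer builds print
# "unknown option"); host and port list are placeholders for a
# Webuzo/cPanel style mail server.

# Classify captured `openssl s_client -ssl3` output read from stdin:
#   DISABLED  the server refused the SSLv3 handshake (what you want)
#   ENABLED   an SSLv3 session with a real cipher was negotiated
#   UNKNOWN   no verdict (connection refused, -ssl3 unsupported, ...)
sslv3_result() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -qE 'Cipher +: +0000|Cipher is \(NONE\)|handshake failure|wrong version number|unsupported protocol'; then
        echo DISABLED
    elif printf '%s\n' "$out" | grep -qE 'Protocol +: +SSLv3' &&
         printf '%s\n' "$out" | grep -qE 'Cipher +: +[A-Z0-9]+-'; then
        echo ENABLED
    else
        echo UNKNOWN
    fi
}

# probe_port HOST PORT [STARTTLS_PROTO]: implicit TLS when no protocol is given.
probe_port() {
    if [ -n "$3" ]; then
        openssl s_client -connect "$1:$2" -starttls "$3" -ssl3 </dev/null 2>&1 | sslv3_result
    else
        openssl s_client -connect "$1:$2" -ssl3 </dev/null 2>&1 | sslv3_result
    fi
}

# Walk the usual mail ports. 465/25/587 belong to the MTA (Exim here);
# 993/995/143/110 belong to Dovecot, so a hit on 465 is not a Dovecot finding.
sslv3_audit() {
    host=${1:-localhost}
    for spec in 465: 993: 995: 25:smtp 587:smtp 143:imap 110:pop3; do
        port=${spec%%:*}
        proto=${spec#*:}
        printf '%-5s %-5s %s\n' "$port" "${proto:--}" "$(probe_port "$host" "$port" "$proto")"
    done
}

# Usage: append `sslv3_audit mail.example.com` to this file, or source it and
# call sslv3_audit. Any ENABLED line is a finding; UNKNOWN together with
# "unknown option -ssl3" means this openssl cannot test SSLv3 at all.
```

The classifier keys on what `s_client` prints in both cases: a refused handshake leaves `Cipher    : 0000` (or `Cipher is (NONE)`) plus an `alert handshake failure` line, while a successful one shows `Protocol  : SSLv3` with a named suite such as `RC4-SHA`.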

peopleinside
Any news on the fix? Are you working on it, and will it be released soon? Users whose email is managed by Webuzo have this security issue; it is a strong security issue.



peopleinside
Seems this has been solved.



peopleinside
Sorry,

the issue is not solved and is still present!

Strong security issue.




valley
Group: Webuzo Team
Post Group: Super Member
Posts: 1644
Status:
Dovecot is fetched from the default repo of your host machine, i.e. CentOS/Ubuntu.


-----------------------
Webuzo : Single User Control Panel
Join Webuzo :
Facebook
Twitter


peopleinside
Quote from valley, January 19, 2016, 1:45 pm:
    Dovecot is fetched from the default repo as on your host machine i.e CentOS/Ubuntu.

So?
CentOS

How to fix?



valley
Update CentOS and verify the Dovecot package served from the repo.
The official Dovecot page should have this info (installation and setup).


peopleinside
Webuzo's latest Dovecot is 2.0.9.

This version is known to be unable to disable SSLv3, so a more recent Dovecot version must be used. It should be in Webuzo, but for Webuzo the latest edition of Dovecot is the old 2.0.9, which is affected by the SSLv3 issue.



valley
Oops !!! Webuzo shall probably roll out a custom Dovecot installation soon.

Edited by valley : January 21, 2016, 4:32 am


peopleinside
Hi valley,
the command:

    dovecot --version

gives the result 2.1.1; the 2.0.9 version is the one shown in the Webuzo admin panel if you go under Apps and search for Dovecot.

Webuzo shows 2.0.9 as the latest Dovecot version, but if you run the command I mentioned over SSH the version shown is different.

However, even though I have disabled SSLv3 in Dovecot's 10-ssl.conf, the SSLv3 test still seems to give a "supported protocol" result.

I don't know why this happens and I am investigating with your support.
Thanks.


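The two checks the post above relies on, the installed Dovecot version and the `ssl_protocols` setting in `conf.d/10-ssl.conf`, as an added example that is neither the thread's nor the Dovecot project's code: a POSIX shell script that reads `dovecot --version` and `doveconf ssl_protocols` and says whether this Dovecot can refuse SSLv3 and whether it actually does. The semantics it assumes for Dovecot 2.1/2.2 are that an entry prefixed with `!` disables that protocol, that a list containing any non-negated entry is a whitelist, and that the 2.1 default `!SSLv2` therefore still leaves SSLv3 on; Dovecot 2.3 replaced the setting with `ssl_min_protocol`. The version strings and setting values in the comments are constructed samples. For Exim built against OpenSSL the corresponding knob is `openssl_options = +no_sslv2 +no_sslv3` in the main configuration, which the cPanel article linked earlier also uses.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Dovecot project: decide
# from `dovecot --version` and `doveconf ssl_protocols` whether this Dovecot
# can refuse SSLv3 and whether it actually does, then print the fix.
# Assumed semantics of Dovecot 2.1/2.2 ssl_protocols: an entry prefixed with
# "!" disables that protocol; if any entry lacks "!", the list is a whitelist
# and every protocol not listed is disabled. The 2.1 default is "!SSLv2",
# which leaves SSLv3 enabled. (Dovecot 2.3 replaced this with ssl_min_protocol.)

# version_ge_21 "2.0.9" -> false; "2.1.1" -> true. ssl_protocols only exists
# from 2.1, which is why the Linode article says older releases need a patch.
version_ge_21() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    [ "$major" -gt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -ge 1 ]; }
}

# sslv3_allowed "<ssl_protocols value>": exit 0 if SSLv3 would still be
# accepted, 1 if it is disabled.
sslv3_allowed() {
    whitelist=0
    for entry in $1; do
        case $entry in
            '!'*) ;;
            *) whitelist=1 ;;
        esac
    done
    for entry in $1; do
        case $entry in
            '!SSLv3') return 1 ;;
            SSLv3)    return 0 ;;
        esac
    done
    # No explicit SSLv3 entry: a whitelist excludes it, a blacklist keeps it.
    [ "$whitelist" -eq 0 ]
}

# audit_dovecot: run on the live host (needs dovecot and doveconf in PATH).
# Exit 2 = too old to configure, 1 = SSLv3 still accepted, 0 = SSLv3 refused.
audit_dovecot() {
    ver=$(dovecot --version 2>/dev/null | awk '{print $1}')   # e.g. "2.1.1"
    if ! version_ge_21 "${ver:-0.0}"; then
        echo "dovecot ${ver:-?}: no ssl_protocols setting; upgrade to 2.1+ or patch the source"
        return 2
    fi
    # doveconf prints "ssl_protocols = !SSLv2 !SSLv3"; keep only the value.
    protos=$(doveconf ssl_protocols 2>/dev/null | sed 's/^ssl_protocols *= *//')
    protos=${protos:-!SSLv2}
    if sslv3_allowed "$protos"; then
        echo "dovecot $ver: ssl_protocols = $protos still accepts SSLv3"
        echo "fix: put 'ssl_protocols = !SSLv2 !SSLv3' in conf.d/10-ssl.conf, then doveadm reload"
        return 1
    fi
    echo "dovecot $ver: ssl_protocols = $protos refuses SSLv3"
}

# Usage: append `audit_dovecot` to this file or source it and call the function.
```

Run it after `doveadm reload` and re-run the port probe against 993/995 only; if those now refuse SSLv3 while 465 still accepts it, the remaining finding is in the MTA, not in Dovecot.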

peopleinside
Update: the issue of SSLv3 being supported now seems to be related to Exim.

I added this line to exim.conf:

    tls_require_ciphers = TLS

This solves the SSLv3 security issue; now my server never supports SSLv3, so you have an issue on Exim.


