Poodle - SSLv3 still active on SMTP-SSL (port 465) after using Wiki to disable

johnroberts
Posts: 31
Joined: Sat Sep 13, 2014 2:43 am


Postby johnroberts » Thu Oct 16, 2014 4:21 am

Hi,

We have used the Wiki entry:

https://wiki.zimbra.com/wiki/How_to_disable_SSLv3

to disable SSLv3 in Zimbra 8.5 (3042 patch 8.5.0_P2) with Proxy.

For the MTA we ran:

zmprov mcf zimbraMtaSmtpdTlsProtocols '!SSLv2,!SSLv3'

as zimbra, then restarted, and checked on port 25 with:

openssl s_client -connect mail.example.com:25 -ssl3 -starttls smtp

and got a good 'ssl handshake failure'.

However, the server is still responding to SSLv3 requests on SMTP-SSL port 465 using the following command (from the Wiki):

timeout 3 openssl s_client -connect mail.example.com:465 -ssl3

After completing the Wiki, checking all other ports gives the correct 'ssl handshake failure', except port 465 where SSLv3 is still being happily negotiated...

Has anyone any idea why?

Thanks for your time!



dik23
Outstanding Member
Posts: 264
Joined: Sat Sep 13, 2014 1:44 am


Postby dik23 » Thu Oct 16, 2014 5:58 am

I am getting the same here.

However, on the very same page there's the "test":

for p in 993 995 443 ; do echo Port $p ; timeout 3 openssl s_client -connect `zmhostname`:$p -ssl3 |grep failure ; done

which gives output that would suggest that it's ok:

Port 993
-su: timeout: command not found
Port 995
-su: timeout: command not found
Port 443
-su: timeout: command not found

My only thought on this is that the "How to disable SSLv3" wiki is borked and needs updating.

EDIT:

Apologies, the above was true late last night, but now it's been updated:

postconf -e smtpd_tls_mandatory_protocols='!SSLv2,!SSLv3'

Klug
Elite member
Posts: 2433
Joined: Mon Dec 16, 2013 11:35 am


Postby Klug » Thu Oct 16, 2014 6:38 am

The wiki page has been updated a couple of hours ago.

The missing config line was in the bugzilla.

florism
Posts: 2
Joined: Thu Sep 25, 2014 3:29 pm


Postby florism » Thu Oct 16, 2014 7:08 am

The described procedure in the wiki does not work for IMAP; I can still see SSLv3 enabled on those. HTTPS works correctly.

johnroberts
Posts: 31
Joined: Sat Sep 13, 2014 2:43 am


Postby johnroberts » Thu Oct 16, 2014 8:19 am

Thanks a lot, the missing line (now in the Wiki) was:

postconf -e smtpd_tls_mandatory_protocols='!SSLv2,!SSLv3'

SSLv3 is now also refused on port 465.
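A stricter version of the wiki's check loop, added here as an example and not part of any post above or of the Zimbra wiki: it separates "SSLv3 refused" from "the probe never ran" (the `timeout: command not found` output earlier in the thread), which piping into `grep failure` alone cannot do. It assumes openssl(1) is installed and takes the host name as its only argument.

```shell
#!/bin/sh
# Added example, not from the thread or the Zimbra wiki: probe a port with an
# SSLv3-only handshake and report what actually happened, so that a missing
# timeout(1) or a connection error is not mistaken for "SSLv3 disabled".
# Assumes openssl(1) is installed; the host name is passed on the command line.

# Read openssl s_client output on stdin and print one word:
#   refused    - the server rejected the SSLv3-only handshake (what we want)
#   negotiated - an SSLv3 session with a real cipher was set up (still exposed)
#   error      - the probe never got an answer (tool missing, connect failure, ...)
classify_ssl3_output() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -qiE 'handshake failure|wrong version number|unsupported protocol'; then
        echo refused
    elif printf '%s\n' "$out" | grep -qE 'Protocol *: *SSLv3' &&
         ! printf '%s\n' "$out" | grep -qE 'Cipher *: *0000'; then
        echo negotiated      # s_client prints "Cipher : 0000" when no session was established
    else
        echo error
    fi
}

# probe_ssl3 HOST PORT [STARTTLS-PROTOCOL]   e.g. probe_ssl3 mail.example.com 25 smtp
probe_ssl3() {
    host=$1; port=$2; starttls=$3
    set -- openssl s_client -connect "$host:$port" -ssl3
    [ -n "$starttls" ] && set -- "$@" -starttls "$starttls"
    # Use timeout(1) only if it exists; </dev/null makes s_client exit after the handshake anyway
    if command -v timeout >/dev/null 2>&1; then set -- timeout 5 "$@"; fi
    "$@" </dev/null 2>&1 | classify_ssl3_output
}

# audit_host HOST: the wiki's port loop, plus SMTPS on 465 and STARTTLS on 25
audit_host() {
    for p in 465 993 995 443; do
        printf 'Port %s: %s\n' "$p" "$(probe_ssl3 "$1" "$p")"
    done
    printf 'Port 25 (STARTTLS): %s\n' "$(probe_ssl3 "$1" 25 smtp)"
}

if [ $# -ge 1 ]; then audit_host "$1"; fi
```

Run it as `sh check_ssl3.sh mail.example.com`; every line should read `refused` once the MTA, mandatory-TLS, proxy and mailbox settings are all in place.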

