Aug 5, 2024: iRedMail-1.7.1 has been released.

**cre8r** · 2014-10-16 09:08:32

cre8r
Member
Offline

Registered: 2014-03-25
Posts: 47

Topic: The Poodlebleed Bug (SSLv3 vulnerability)

==== Required information ====
- iRedMail version: iRedAdmin-Pro v1.8.2
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): (MySQL)
- Linux/BSD distribution name and version: 12.04.1 LTS, Precise Pangolin
- Related log if you're reporting an issue: N/A
====

Hi All,
Just wanted everyone to be aware of The Poodlebleed Bug.
"Poodlebleed is a vulnerability in the design of SSL version 3.0. Poodle is actually an acronym for Padding Oracle On Downgraded Legacy Encryption. The vulnerability allows the decryption to plaintext of secure connections."

Watch for compromised accounts!

Here is some information:
http://poodlebleed.com/
https://community.centminmod.com/thread … lity.1651/

----

Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Supports Amazon S3 compatible storage and custom branding.

**ZhangHuangbin** · 2014-10-17 19:14:54

ZhangHuangbin
iRedMail Developers
Offline

Registered: 2009-05-06
Posts: 31,088

Re: The Poodlebleed Bug (SSLv3 vulnerability)

You can disable SSLv3 in Postfix/Dovecot with below settings.

Disable SSLv3 in Postfix:

# Opportunistic TLS
smtpd_tls_protocols = !SSLv2 !SSLv3
smtp_tls_protocols = !SSLv2 !SSLv3
lmtp_tls_protocols = !SSLv2 !SSLv3

# Mandatory TLS
smtpd_tls_mandatory_protocols = !SSLv2 !SSLv3
smtp_tls_mandatory_protocols = !SSLv2 !SSLv3
lmtp_tls_mandatory_protocols = !SSLv2 !SSLv3

Disable SSLv3 in Dovecot:

ssl_protocols = !SSLv2 !SSLv3

**snarfies** · 2014-11-01 00:17:49

snarfies
Member
Offline

Registered: 2012-09-16
Posts: 27

Re: The Poodlebleed Bug (SSLv3 vulnerability)

Where would I find those settings to adjust them?

**ZhangHuangbin** · 2014-11-03 08:07:23

ZhangHuangbin
iRedMail Developers
Offline

Registered: 2009-05-06
Posts: 31,088

Re: The Poodlebleed Bug (SSLv3 vulnerability)

You can find config file locations on this tutorial:
http://www.iredmail.org/docs/file.locations.html

Aug 5, 2024: iRedMail-1.7.1 has been released.

[ Closed ] The Poodlebleed Bug (SSLv3 vulnerability)

Posts: 4

1 Topic by cre8r 2014-10-16 09:08:32

Topic: The Poodlebleed Bug (SSLv3 vulnerability)

2 Reply by ZhangHuangbin 2014-10-17 19:14:54

Re: The Poodlebleed Bug (SSLv3 vulnerability)

3 Reply by snarfies 2014-11-01 00:17:49

Re: The Poodlebleed Bug (SSLv3 vulnerability)

4 Reply by ZhangHuangbin 2014-11-03 08:07:23

Re: The Poodlebleed Bug (SSLv3 vulnerability)

Posts: 4