Aug 5, 2024: iRedMail-1.7.1 has been released.

**hawk82** · 2015-01-31 08:21:26

hawk82
Member
Offline

Registered: 2010-02-16
Posts: 9

Topic: Apache config w/ iRedMail-0.9.0 still vulnerable to Poodle attack

==== Required information ====
- iRedMail version: 0.9.0
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Linux/BSD distribution name and version: CentOS 6.6
- Related log if you're reporting an issue: SSLv3
====

Just as an FYI:

I just stood up a new CentOS 6.6 minimal VM and then installed iRedMail and let it grab all necessary packages via Yum. The iRedMail installer script doesn't turn off SSLv3 on Apache when it installs and configures SSL. I had to manually edit /etc/httpd/conf.d/ssl.conf to turn off SSLv3 to prevent the Poodle attack. Postfix and Dovecot seemed to be already secured against the Poodle attack.

https://disablessl3.com/ for more info.

----

Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Supports Amazon S3 compatible storage and custom branding.

**ZhangHuangbin** · 2015-01-31 10:52:45

ZhangHuangbin
iRedMail Developers
Offline

Registered: 2009-05-06
Posts: 31,094

Re: Apache config w/ iRedMail-0.9.0 still vulnerable to Poodle attack

Do you have 'SSLProtocol all -SSLv2 -SSLv3' in /etc/httpd/conf/httpd.conf?

**hawk82** · 2015-02-01 01:07:03

hawk82
Member
Offline

Registered: 2010-02-16
Posts: 9

Re: Apache config w/ iRedMail-0.9.0 still vulnerable to Poodle attack

What I am saying is that the default iRedMail installation script does not disable SSLv3 in the ssl.conf file when it installs Apache, which it should do to protect from the Poodle attack.

**ZhangHuangbin** · 2015-02-01 08:49:36

ZhangHuangbin
iRedMail Developers
Offline

Registered: 2009-05-06
Posts: 31,094

Re: Apache config w/ iRedMail-0.9.0 still vulnerable to Poodle attack

Sorry about the confusion. What I am saying is iRedMail has this setting in /etc/httpd/conf/httpd.conf by default.

**hawk82** · 2015-02-02 04:01:46

hawk82
Member
Offline

Registered: 2010-02-16
Posts: 9

Re: Apache config w/ iRedMail-0.9.0 still vulnerable to Poodle attack

Well it doesn't work. I checked online here first:
https://www.poodlescan.com/

It said my server was vulnerable. I found the necessary line in the ssl.conf file, edited it, and re-scanned that my server was not vulnerable.

**ZhangHuangbin** · 2015-02-02 11:38:21

ZhangHuangbin
iRedMail Developers
Offline

Registered: 2009-05-06
Posts: 31,094

Re: Apache config w/ iRedMail-0.9.0 still vulnerable to Poodle attack

That's interesting, i have 'SSLProtocols all -SSLv2 -SSLv3' in /etc/httpd/conf/httpd.conf, and don't have it in any other Apache config files, https://www.poodlescan.com/ reports:

* This server does NOT support the SSL v3 protocol.
* This server does NOT support the SSL v2 protocol.

# pwd
/etc/httpd

# grep -r 'SSLProtocol' *
conf/httpd.conf:SSLProtocol all -SSLv2 -SSLv3           # <- just this file
conf.d/ssl.conf:#SSLProtocol all -SSLv2 -SSLv3
conf.d/ssl.conf.2012.05.20.00.49.15:SSLProtocol all -SSLv2
Binary file modules/mod_ssl.so matches

Tested with 2 other online poodle scanners, all report 'not vulnerable to POODLE'.

I see https://www.poodlescan.com/ mentions the scan result will be cached for some minutes, so could you please try again and wait for cache expired?

**7t3chguy** · 2015-02-02 16:00:59

7t3chguy
Forum Moderator
Offline

From: United Kingdom
Registered: 2015-01-08
Posts: 713

Re: Apache config w/ iRedMail-0.9.0 still vulnerable to Poodle attack

ZhangHuangbin wrote:

That's interesting, i have 'SSLProtocols all -SSLv2 -SSLv3' in /etc/httpd/conf/httpd.conf, and don't have it in any other Apache config files, https://www.poodlescan.com/ reports:
* This server does NOT support the SSL v3 protocol.
* This server does NOT support the SSL v2 protocol.
# pwd
/etc/httpd

# grep -r 'SSLProtocol' *
conf/httpd.conf:SSLProtocol all -SSLv2 -SSLv3           # <- just this file
conf.d/ssl.conf:#SSLProtocol all -SSLv2 -SSLv3
conf.d/ssl.conf.2012.05.20.00.49.15:SSLProtocol all -SSLv2
Binary file modules/mod_ssl.so matches
Tested with 2 other online poodle scanners, all report 'not vulnerable to POODLE'.
I see https://www.poodlescan.com/ mentions the scan result will be cached for some minutes, so could you please try again and wait for cache expired?

I'm guessing that because the ssl.conf is loaded later, it overrides the initial one. So again allows SSLv3, just remove the line in ssl.conf to remedy this [if the correct line exists within httpd/apache.conf]

**ZhangHuangbin** · 2015-02-02 16:44:01

ZhangHuangbin
iRedMail Developers
Offline

Registered: 2009-05-06
Posts: 31,094

Re: Apache config w/ iRedMail-0.9.0 still vulnerable to Poodle attack

Looks like it's a bug in iRedMail-0.9.0, it doesn't comment out (or remove) 'SSLProtocol' line in ssl.conf. I will fix it later.
Thanks for your feedback.

**7t3chguy** · 2015-02-02 16:48:06

7t3chguy
Forum Moderator
Offline

From: United Kingdom
Registered: 2015-01-08
Posts: 713

Re: Apache config w/ iRedMail-0.9.0 still vulnerable to Poodle attack

ZhangHuangbin wrote:

Looks like it's a bug in iRedMail-0.9.0, it doesn't comment out (or remove) 'SSLProtocol' line in ssl.conf. I will fix it later.
Thanks for your feedback.

I'd say it's more of a CentOS repository issue, that they ship it with that config, iRedMail shouldn't have to add work arounds for security holes. It is nice that it does though.

**ZhangHuangbin** · 2015-02-02 18:09:50

ZhangHuangbin
iRedMail Developers
Offline

Registered: 2009-05-06
Posts: 31,094

Re: Apache config w/ iRedMail-0.9.0 still vulnerable to Poodle attack

I double checked Apache config files on RHEL/CentOS 6 and 7, default iRedMail setting should be fine.

In /etc/httpd/conf/httpd.conf, we have below settings:

# Load config files in the "/etc/httpd/conf.d" directory, if any.                  
IncludeOptional conf.d/*.conf                                                      

# Disable SSLv3                                                                                                               
SSLProtocol all -SSLv2 -SSLv3

As you can see, all files under /etc/httpd/conf.d/ will be read before the 'SSLProtocol' line added by iRedMail, so SSLProtocol will be already set 'all -SSLv2 -SSLv3'.

Aug 5, 2024: iRedMail-1.7.1 has been released.

Apache config w/ iRedMail-0.9.0 still vulnerable to Poodle attack

Posts: 10

1 Topic by hawk82 2015-01-31 08:21:26 (edited by hawk82 2015-01-31 08:51:38)

Topic: Apache config w/ iRedMail-0.9.0 still vulnerable to Poodle attack

2 Reply by ZhangHuangbin 2015-01-31 10:52:45

Re: Apache config w/ iRedMail-0.9.0 still vulnerable to Poodle attack

3 Reply by hawk82 2015-02-01 01:07:03 (edited by hawk82 2015-02-01 01:07:39)

Re: Apache config w/ iRedMail-0.9.0 still vulnerable to Poodle attack

4 Reply by ZhangHuangbin 2015-02-01 08:49:36

Re: Apache config w/ iRedMail-0.9.0 still vulnerable to Poodle attack

5 Reply by hawk82 2015-02-02 04:01:46

Re: Apache config w/ iRedMail-0.9.0 still vulnerable to Poodle attack

6 Reply by ZhangHuangbin 2015-02-02 11:38:21

Re: Apache config w/ iRedMail-0.9.0 still vulnerable to Poodle attack

7 Reply by 7t3chguy 2015-02-02 16:00:59

Re: Apache config w/ iRedMail-0.9.0 still vulnerable to Poodle attack

8 Reply by ZhangHuangbin 2015-02-02 16:44:01

Re: Apache config w/ iRedMail-0.9.0 still vulnerable to Poodle attack

9 Reply by 7t3chguy 2015-02-02 16:48:06

Re: Apache config w/ iRedMail-0.9.0 still vulnerable to Poodle attack

10 Reply by ZhangHuangbin 2015-02-02 18:09:50

Re: Apache config w/ iRedMail-0.9.0 still vulnerable to Poodle attack

Posts: 10