Resolution for POODLE SSL 3.0 vulnerability (CVE-2014-3566) in Postfix and Dovecot


Environment

  • Red Hat Enterprise Linux 5, 6, and 7
  • Postfix
  • Dovecot

Issue

  • How to disable SSL 3.0 and other weak protocols in Postfix and Dovecot

Resolution

Dovecot

  • Red Hat Enterprise Linux 7 (dovecot-2.2.x)

To disable SSL 3.0 and SSL 2.0 in Dovecot on Red Hat Enterprise Linux 7, add the following line to the /etc/dovecot/conf.d/10-ssl.conf file:

ssl_protocols = !SSLv2 !SSLv3

You must restart (not only reload) the dovecot service for this change to take effect, using systemctl restart dovecot.service.

  • Red Hat Enterprise Linux 6 (dovecot-2.0.x), Red Hat Enterprise Linux 5 (dovecot-1.0.x)

Dovecot as included in Red Hat Enterprise Linux 5 and 6 does not support the disabling of arbitrary SSL protocols; only Dovecot version 2.1 and later support this functionality. In order to disable SSL 3.0, you must recompile the dovecot package without SSL 3.0 support. Support for disabling arbitrary SSL protocols may be included in Dovecot in Red Hat Enterprise Linux 5 and 6 via a future update.

Postfix

  • Red Hat Enterprise Linux 6 (postfix-2.6.x), Red Hat Enterprise Linux 7 (postfix-2.10.x)

To disable SSL 3.0 and SSL 2.0 in Postfix on Red Hat Enterprise Linux 6 and 7, add the following lines to the /etc/postfix/main.cf file:

smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2, !SSLv3
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_protocols = !SSLv2, !SSLv3

These configuration options disable SSL 3.0 and 2.0 for both mandatory and opportunistic TLS encryption originating from both the Postfix SMTP server and the Postfix SMTP client. Note that mandatory TLS encryption must be specifically enabled with the smtpd_enforce_tls = yes configuration option for Postfix SMTP servers, and the smtp_enforce_tls = yes configuration option for Postfix SMTP clients.

Note: If you change either of the Postfix configuration options above to include !SSLv3, your servers may fail to receive data from certain delivery agents that only support SSL 3.0.

You must restart (not only reload) the postfix service for this change to take effect, using service postfix restart on Red Hat Enterprise Linux 6 and systemctl restart postfix.service on Red Hat Enterprise Linux 7.

  • Red Hat Enterprise Linux 5 (postfix-2.3.x)

To disable SSL 3.0 and SSL 2.0 in Postfix on Red Hat Enterprise Linux 5, add the following lines to the /etc/postfix/main.cf file:

smtpd_tls_mandatory_protocols = TLSv1
smtp_tls_mandatory_protocols = TLSv1

These configuration options enable only TLSv1 for mandatory TLS encryption originating from both the Postfix SMTP server and the Postfix SMTP client. Note that mandatory TLS encryption must be specifically enabled with the smtpd_enforce_tls = yes configuration option for Postfix SMTP servers, and the smtp_enforce_tls = yes configuration option for Postfix SMTP clients.

Note: If you change either of the Postfix configuration options above to allow only TLSv1, your servers may fail to receive data from certain delivery agents that only support SSL 3.0.

You must restart (not only reload) the postfix service for this change to take effect, using service postfix restart.
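As an added check that is not part of the Red Hat solution above, the following Python script parses main.cf and 10-ssl.conf style "key = value" text and reports whether each protocol parameter named in this article rules out SSLv2 and SSLv3, accepting both the exclusion syntax used on RHEL 6/7 and the allow-list form used on RHEL 5. The parameter names come from the article; parse_settings, protocol_value_is_safe, audit_postfix and audit_dovecot are assumed helper names, the sample fragments are constructed, and an unset parameter is conservatively reported as not hardened.

```python
import re

# The four Postfix parameters the resolution sets (server/client, mandatory/opportunistic TLS).
POSTFIX_PROTOCOL_PARAMS = ("smtpd_tls_mandatory_protocols", "smtpd_tls_protocols",
                           "smtp_tls_mandatory_protocols", "smtp_tls_protocols")
WEAK_PROTOCOLS = ("SSLV2", "SSLV3")

def parse_settings(text):
    """Parse 'key = value' lines (main.cf / 10-ssl.conf style); skips '#' comment lines,
    does not handle Postfix continuation lines."""
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and not line.lstrip().startswith("#"):
            settings[key.strip()] = value.strip()
    return settings

def protocol_value_is_safe(value):
    """True only if a protocol list rules out both SSLv2 and SSLv3.
    Accepts the exclusion form ('!SSLv2, !SSLv3' or '!SSLv2 !SSLv3') and the
    allow-list form ('TLSv1'). Unset/empty is reported unsafe because the
    compiled-in default is not verified here (conservative assumption)."""
    tokens = [t.upper() for t in re.split(r"[\s,]+", value) if t]
    if not tokens:
        return False
    excluded = {t[1:] for t in tokens if t.startswith("!")}
    allowed = {t for t in tokens if not t.startswith("!")}
    if allowed:  # allow-list form: no weak protocol may be named
        return not any(p in allowed for p in WEAK_PROTOCOLS)
    return all(p in excluded for p in WEAK_PROTOCOLS)  # exclusion form

def audit_postfix(main_cf_text):
    """Map each Postfix protocol parameter to whether it is hardened."""
    settings = parse_settings(main_cf_text)
    return {p: protocol_value_is_safe(settings.get(p, "")) for p in POSTFIX_PROTOCOL_PARAMS}

def audit_dovecot(ssl_conf_text):
    """True if Dovecot's ssl_protocols rules out SSLv2 and SSLv3."""
    return protocol_value_is_safe(parse_settings(ssl_conf_text).get("ssl_protocols", ""))

# Constructed sample fragments, not taken from a real system.
SAMPLE_MAIN_CF = """# client-side opportunistic TLS still permits SSLv3 here
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2, !SSLv3
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_protocols = !SSLv2
"""
SAMPLE_DOVECOT_SSL_CONF = "ssl = required\nssl_protocols = !SSLv2 !SSLv3\n"
```

To audit a live system, pass the contents of /etc/postfix/main.cf to audit_postfix and of /etc/dovecot/conf.d/10-ssl.conf to audit_dovecot; any parameter reported False still needs the setting from the article.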


4 Comments

This bit:
Dovecot as included in Red Hat Enterprise Linux 5 and 6 does not support the disabling of arbitrary SSL protocols;

Might now need some updates in light of:
https://rhn.redhat.com/errata/RHEA-2014-1898.html

Link https://rhn.redhat.com/errata/RHEA-2014-1898.html is only related to RHEL5.

What about RHEL6? The newest version currently available is 1:2.0.9-7.el6_5.1 which was built 2014-06-11. For sure not related to POODLE.

I don't understand why RH released RHEA for 5.11 which is finishing its life and not for RHEL6.
Also I don't understand why RH reply is to compile code on our own. If I will mess the code will RH still support this as this was official guide?

This is fixed in RHEL 6 as of RHBA-2015:0003:

        : In addition, this update adds the following
        : enhancement:
        :
        : * With this update, it is possible to configure
        :   which Secure Sockets Layer (SSL) protocols
        :   dovecot allows. Among other things, this allows
        :   users to disable SSLv3 connections and thus
        :   mitigate the impact of the POODLE vulnerability.
        :   Due to security concerns, SSLv2 and SSLv3 are
        :   now also disabled by default, and they have to
        :   be allowed manually if the user needs them.
        :   (BZ#1174158)

For Dovecot in RHEL5 BZ#1153027 applies. See https://rhn.redhat.com/errata/RHEA-2014-1898.html

Edit: I see now that this was mentioned two posts above. I will make an update.