Hello Xavier,
did you have any success disabling SSLv3? I would like to disable any
old ciphers and turn on Forward Secrecy. Do you have experience with
this and perdition?
Thank you,
Alex
From: Xavier Garcia <xavi.garcia <at> gmail.com>
Subject: Re: Disabling SSLv3
<http://news.gmane.org/find-root.php?message_id=20141031133121.GB53613%40bea…>
Newsgroups: gmane.mail.perdition.user
<http://news.gmane.org/gmane.mail.perdition.user>
Date: 2014-10-31 13:31:23 GMT
Hi,
AFAIK, this enables STARTTLS in the port instead of starting a
purely encrypted connection.
nc -vv imapproxy01i 993
Connection to imapproxy01i 993 port [tcp/imaps] succeeded!
* OK [CAPABILITY IMAP4rev1 SASL-IR SORT THREAD=REFERENCES
* MULTIAPPEND UNSELECT LITERAL+ IDLE CHILDREN NAMESPACE
* LOGIN-REFERRALS STARTTLS LOGINDISABLED] perdition ready on
* imapproxy01i 00028de7
I haven't tested but I think this may not change the list of
accepted ciphers. After reading the manual and some messages in
the list, it seems that all references to TLS in the
configuration are aiming at STARTTLS and the only way to change
the valid ciphers is with *ssl_listen_ciphers* and
*ssl_outgoing_ciphers*. Am I mistaken?
Regards,
Xavier Garcia
On Fri, Oct 31, 2014 at 02:10:42PM +0100, LE SAOUT Mael wrote:
> Hi all,
>
> I have to disable it in /etc/sysconfig/perdition :
> POP3S_FLAGS="--outgoing_port 110 --ssl_mode tls_listen,tls_listen_force"
> IMAP4S_FLAGS="--outgoing_port 143 --ssl_mode tls_listen,tls_listen_force"
>
> Hope it will help you.
>
> Regards
>
> Mael
>
> -----Original Message-----
> From: perdition-users-bounces <at> vergenet.net [mailto:perdition-users-bounces <at> vergenet.net] On behalf of Xavier Garcia
> Sent: Friday, 31 October 2014 13:59
> To: perdition-users <at> vergenet.net
> Subject: [PERDITION-USERS] Disabling SSLv3
>
> Dear all,
>
> I am trying to disable SSLv3 on perdition 2.0-1.x86_64. It is running in a RHEL 6.5 clone and it was compiled with the SPEC files.
>
> In theory, I should apply the following configuration but it also disables TLSv1 and TLSv1.1, with TLSv1.2 still available.
>
> ---
> ssl_listen_ciphers "ALL:!SSLv2:!SSLv3"
> ---
>
> I don't know much about cryptography but I guess it makes sense because I obtain the same result in all my boxes (RHEL 6.5, Fedora and FreeBSD 10) when I execute:
>
> openssl ciphers -v 'ALL:!SSLv2:!SSLv3'
>
>
> What would be the best way to disable SSLv2 and SSLv3 for incoming and outgoing connections?
>
> Regards,
>
> Xavier Garcia
> ______________________________________________
> Perdition-users mailing list
> Perdition-users <at> vergenet.net
> http://lists.vergenet.net/listinfo/perdition-users
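A client-side check for what this thread is trying to achieve: after changing ssl_mode or the cipher lists, confirm from outside which protocol versions the perdition listener still negotiates. This is an added example, not code from any of the posts or from perdition itself; it assumes an implicit-TLS listener (993/995, not the STARTTLS ports), a local openssl whose s_client still understands the -ssl3/-tls1 options, and uses the hostname imapproxy01i from Xavier's nc test only as a placeholder.

```shell
#!/bin/sh
# Added example (not from the thread): probe which SSL/TLS versions a
# perdition listener accepts, so that "SSLv3 disabled" can be verified
# after editing ssl_mode / ssl_listen_ciphers rather than assumed.

# handshake_ok reads `openssl s_client` output on stdin and returns 0 when a
# session was negotiated. s_client prints an SSL-Session block with
# "Cipher    : <name>" on success and "Cipher    : 0000" (or no block at all)
# when the server refused the requested version.
handshake_ok() {
    awk '
        /^ *Cipher *:/ { cipher = $NF }
        END { if (cipher != "" && cipher != "0000") exit 0; exit 1 }
    '
}

# probe_versions HOST PORT prints one line per version: "<version> accepted"
# or "<version> rejected". If the local openssl was built without a version
# (e.g. no -ssl3 option), s_client exits with an error and that version is
# reported as rejected; check `openssl s_client -help` in that case.
probe_versions() {
    host=$1; port=$2
    for v in ssl3 tls1 tls1_1 tls1_2; do
        if openssl s_client -connect "$host:$port" "-$v" </dev/null 2>/dev/null | handshake_ok; then
            echo "$v accepted"
        else
            echo "$v rejected"
        fi
    done
}

# Constructed samples of the SSL-Session block, used only to show what
# handshake_ok keys on; they are not real captures from the thread's hosts.
SAMPLE_OK='SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-SHA'
SAMPLE_FAIL='SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000'

printf '%s\n' "$SAMPLE_OK" | handshake_ok && echo "sample: accepted"
printf '%s\n' "$SAMPLE_FAIL" | handshake_ok || echo "sample: rejected"

# Probe a real listener when a host and port are given, e.g. imapproxy01i 993
if [ $# -ge 2 ]; then
    probe_versions "$1" "$2"
fi
```

A hardened listener should report only the TLS versions you intend to keep as accepted; an "accepted" line for ssl3 means the cipher-string change alone did not disable the protocol.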
Hello everyone!
I have successfully set up a perdition server which acts as a proxy to pop3 servers running in virtual machines.
I use the pop3s protocol to get the emails.
I can get mail using Thunderbird in Linux and Outlook in Windows, however Outlook.com and gmail.com cannot communicate with the perdition server:
Please take a look at the perdition log file:
perdition.pop3s[15859]: Connect: 65.55.41.7:58616->X.X.X.X:995
perdition.pop3s[15859]: SSL connection using AES256-SHA
perdition.pop3s[15859]: SELF: "+OK POP3 perditon ready on X.X.X.X 0002937a\r\n"
perdition.pop3s[15859]: CLIENT: ""
perdition.pop3s[15859]: token_read: token_fill_buffer
perdition.pop3s[15859]: read_line: token_read
perdition.pop3s[15859]: pop3_in_get_auth: read_line
perdition.pop3s[15859]: main: protocol->in_get_auth
perdition.pop3s[15859]: Fatal Error reading authentication information from client 65.55.41.7:58616->X.X.X.X:995: Exiting child
It seems that the SSL connection works (SSL connection using AES256-SHA) but Outlook.com and gmail.com are not able to authenticate.
Outlook.com works fine when connecting directly to dovecot but fails when going through perdition.
Thanks in advance for any help you may provide.
Here is my pop3s configuration file:
map_library /usr/lib64/libperditiondb_posix_regex.so.0
bind_address X.X.X.X.X
timeout 10
username_from_database
ssl_key_file /CA/mail/private/email.key
ssl_cert_file /CA/mail/certs/email.crt
ssl_mode ssl_listen
listen_port 995
protocol POP3
debug
connection_logging
log_passwd always
map_library_opt /etc/perdition/pop3.re
Thanks a lot for your time and help.
Miguel
Hi all,
I would like to know if it's possible to chain perdition servers between
them. For example I have some servers on my LAN that have to POP some gmail
boxes. In order to secure the access I would like to install two perdition
servers: the first one in the LAN and the second one in the DMZ
(Server->Perdition_LAN->Perdition_DMZ->Gmail server).
I have successfully installed the server in the DMZ and it works, but when
the one in the LAN tries to reach it, I've got the following message:
Perdition perdition.pop3[1461]: Fatal Error reading authentication
information from client 128.240.99.227:57653->128.240.99.221:995: Exiting
child
I've got the same configuration on the two servers except the
outgoing_server, and I'm using POP3S with a self-signed certificate.
Can you help me please?
Thanks!
Aurélien.