Author Topic: Poodlebleed bug  (Read 11751 times)

Offline chrisf

  • Senior Master
  • **
  • Posts: 883
  • Karma: +11/-1
  • Gender: Male
  • Be the change that you wish to see in the world.
    • Conviction's Hosting
Re: Poodlebleed bug
« Reply #15 on: 2014-10-22, 13:55:23 »
These port assignments are specified by the **Internet Assigned Numbers Authority (IANA)**:

 - Port 587: **[SMTP] Message submission** (SMTP-MSA), a service that accepts submission of email from email clients (MUAs). Described in RFC 6409.
 - Port 465: **URL Rendesvous Directory for SSM** [sic] *(entirely unrelated to email)*

Historically, port 465 was initially planned for the **SMTPS** encryption and authentication “wrapper” over SMTP, but it was quickly deprecated (within months, and over 15 years ago) in favor of **STARTTLS** over SMTP (RFC 3207). Despite that fact, there are probably many servers that support the deprecated protocol wrapper, primarily to support older clients that implemented SMTPS. Unless you need to support such older clients, SMTPS and its use on port 465 should remain nothing more than an historical footnote.

The hopelessly confusing and imprecise term, **SSL**, has often been used to indicate the **SMTPS** wrapper and **TLS** to indicate the **STARTTLS** protocol extension.

For completeness:

 - Port 25: **Simple Mail Transfer** (SMTP-MTA), a service that accepts submission of email from other servers (MTAs or MSAs). Described in RFC 5321.

Sources:

 - IANA *[Service Name and Transport Protocol Port Number Registry][1]*
 - “[Revoking the smtps TCP port][2]” - Email from Internet Mail Consortium director Paul Hoffman, 12 Nov 1998.
 - [RFC 6409 - Message Submission for Mail][3]
 - [RFC 5321 - Simple Mail Transfer Protocol][4]
 - [RFC 3207 - SMTP Service Extension for Secure SMTP over Transport Layer Security][5]
 - [RFC 4607 - Source-Specific Multicast for IP][6]


 [1]: http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.txt
 [2]: http://www.imc.org/ietf-apps-tls/mail-archive/msg00204.html
 [3]: http://www.rfc-editor.org/rfc/rfc6409.txt
 [4]: http://www.rfc-editor.org/rfc/rfc5321.txt
 [5]: http://www.rfc-editor.org/rfc/rfc3207.txt
 [6]: http://www.rfc-editor.org/rfc/rfc4607.txt

We should delete the /var/qmail/supervise/smtp-ssl directory/files; port 465 has been deprecated for over a decade.
« Last Edit: 2014-10-22, 14:04:25 by chrisf »
Christopher

Knowledge in: PHP, Perl, MySQL, Javascript, Actionscript, FLASH, HTML, CSS
Server Administrator / Developer: https://convictionshosting.com

Offline MRatWork

  • Administrator
  • The Elite
  • *****
  • Posts: 15,807
  • Karma: +119/-11
  • Gender: Male
    • MRatWork Forum
Re: Poodlebleed bug
« Reply #16 on: 2014-10-22, 14:12:51 »
SMTP is only one aspect. IMAP4 and POP3 need SSL/TLS protocol adjustment too.
..:: MRatWork (Mustafa Ramadhan Projects) ::..
-- Server/Web-integrator - Web Hosting (Kloxo-MR READY!) --

Offline chrisf

  • Senior Master
  • **
  • Posts: 883
  • Karma: +11/-1
  • Gender: Male
  • Be the change that you wish to see in the world.
    • Conviction's Hosting
Re: Poodlebleed bug
« Reply #17 on: 2014-10-22, 14:50:13 »
I know, see reply

http://forum.mratwork.com/kloxo-mr-bugs-and-requests/poodlebleed-bug/msg37876/#msg37876

However, that is not enough. Something is wrong in the configuration of courier. I am testing.
« Last Edit: 2014-10-22, 15:08:32 by chrisf »
Christopher

Knowledge in: PHP, Perl, MySQL, Javascript, Actionscript, FLASH, HTML, CSS
Server Administrator / Developer: https://convictionshosting.com

Offline Spacedust

  • Super Grand Master
  • ****
  • Posts: 4,050
  • Karma: +1/-0
Re: Poodlebleed bug
« Reply #18 on: 2014-10-23, 19:59:05 »
What about pure-ftpd? It's also using SSL!

Offline Spacedust

  • Super Grand Master
  • ****
  • Posts: 4,050
  • Karma: +1/-0
Re: Poodlebleed bug
« Reply #19 on: 2014-10-23, 21:44:50 »
Quote
If /var/qmail/control/tlshosts/exhaustivelist is present,
the lists of hosts in /var/qmail/control/tlshosts is
an exhaustive list of hosts TLS is tried on.
If /var/qmail/control/notlshosts/host.dom.ain is present,
no TLS is tried on this host.

We have to remove that folder now - to force TLS on all hosts
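The lookup order the quoted passage describes, modelled in Python as an added example (this is not code from the qmail TLS patch or from this thread): it is run against a constructed control directory to show which destination hosts would get no TLS attempt before and after the exhaustivelist flag and a notlshosts entry are removed. It assumes the patch convention that an entry in tlshosts is a file named `<host>.pem`.

```python
import os
import tempfile

def tls_attempted(control_dir: str, host: str) -> bool:
    """Model the qmail-remote rule quoted above.

    - notlshosts/<host> present        -> never try TLS to <host>
    - tlshosts/exhaustivelist present  -> try TLS only if tlshosts/<host>.pem
                                          exists (assumed patch convention)
    - otherwise                        -> opportunistic TLS is attempted
    """
    host = host.lower()
    if os.path.exists(os.path.join(control_dir, "notlshosts", host)):
        return False
    tlshosts = os.path.join(control_dir, "tlshosts")
    if os.path.exists(os.path.join(tlshosts, "exhaustivelist")):
        return os.path.exists(os.path.join(tlshosts, host + ".pem"))
    return True

def cleartext_hosts(control_dir: str, hosts) -> list:
    """Hosts that would receive mail without any TLS attempt."""
    return sorted(h for h in hosts if not tls_attempted(control_dir, h))

def demo() -> dict:
    """Constructed control tree; records the effect of each removal step."""
    hosts = ["mx.example.com", "mail.example.net", "legacy.example.org"]
    with tempfile.TemporaryDirectory() as ctl:
        os.makedirs(os.path.join(ctl, "tlshosts"))
        os.makedirs(os.path.join(ctl, "notlshosts"))
        exhaustive = os.path.join(ctl, "tlshosts", "exhaustivelist")
        opt_out = os.path.join(ctl, "notlshosts", "legacy.example.org")
        for path in (exhaustive, opt_out,
                     os.path.join(ctl, "tlshosts", "mail.example.net.pem")):
            open(path, "w").close()
        result = {"exhaustive": cleartext_hosts(ctl, hosts)}
        os.remove(exhaustive)                 # step 1: drop the allow-list flag
        result["no_exhaustivelist"] = cleartext_hosts(ctl, hosts)
        os.remove(opt_out)                    # step 2: drop the per-host opt-out
        result["no_notlshosts"] = cleartext_hosts(ctl, hosts)
    return result

if __name__ == "__main__":
    for stage, hosts in demo().items():
        print(f"{stage:18} cleartext -> {hosts or 'none'}")
```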

Offline Spacedust

  • Super Grand Master
  • ****
  • Posts: 4,050
  • Karma: +1/-0
Re: Poodlebleed bug
« Reply #20 on: 2014-10-23, 21:58:15 »
Info From DirectAdmin:

Quote
To fix Pure-FTPd,

Edit the files /etc/init.d/pure-ftpd and /usr/libexec/pureftpd_startscript, and modify the start options as shown below:

OPTIONS="${OPTIONS} -Y 1 -J HIGH:MEDIUM:+TLSv1:!SSLv2:!SSLv3"

- See more at: http://bobcares.com/blog/protecting-your-directadmin-server-from-sslv3-poodle-vulnerability-guide-to-mitigate-cve-2014-3566-by-disabling-ssl-3-0-in-exim-apache-nginx-pure-ftpd-proftpd-amd-dovecot/#sthash.SfwcmRcm.dpuf

Offline Spacedust

  • Super Grand Master
  • ****
  • Posts: 4,050
  • Karma: +1/-0
Re: Poodlebleed bug
« Reply #21 on: 2014-10-23, 22:02:03 »
It should look like this (needs testing):

service ftp
{
        disable = no
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/pure-ftpd
        server_args     = -A -c5000 -C8 -D -fftp  -H -I15 -lpuredb:/etc/pure-ftpd/pureftpd.pdb -lunix -L10000:8 -m4 -s -p30000:50000 -U133:022 -u100 -E -Oclf:/var/log/pureftpd.log -g/var/run/pure-ftpd.pid -k99 -Z -Y 1 -J HIGH:MEDIUM:+TLSv1:!SSLv2:!SSLv3
        groups          = yes
        flags           = REUSE
}
« Last Edit: 2014-10-23, 22:07:49 by Spacedust »
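An added check (not from DirectAdmin, bobcares or this thread) for the two pure-ftpd start lines above: it parses either the OPTIONS string or the xinetd server_args, reports the TLS mode (-Y/--tls) and whether the -J/--tlsciphersuite list excludes SSLv2 and SSLv3. Keep in mind that -J is an OpenSSL cipher list, not a protocol switch; `!SSLv3` works by leaving no suite that an SSLv3 client can negotiate.

```python
import shlex
from typing import Optional

def tls_settings(cmdline: str) -> dict:
    """Pull pure-ftpd's TLS options out of a start line.

    -Y/--tls=N : 0 cleartext only, 1 TLS optional, 2 TLS required,
                 3 TLS required plus encrypted data channel
    -J/--tlsciphersuite=LIST : OpenSSL cipher list handed to the TLS stack
    Short forms are accepted with or without a space (-Y 1 / -Y1).
    """
    toks = shlex.split(cmdline)
    mode: Optional[int] = None
    ciphers: Optional[str] = None
    i = 0
    while i < len(toks):
        tok = toks[i]
        nxt = toks[i + 1] if i + 1 < len(toks) else None
        if tok.startswith("--tls="):
            mode = int(tok.split("=", 1)[1])
        elif tok == "-Y" and nxt is not None:
            mode, i = int(nxt), i + 1
        elif tok.startswith("-Y") and tok[2:].isdigit():
            mode = int(tok[2:])
        elif tok.startswith("--tlsciphersuite="):
            ciphers = tok.split("=", 1)[1]
        elif tok == "-J" and nxt is not None:
            ciphers, i = nxt, i + 1
        elif tok.startswith("-J") and len(tok) > 2:
            ciphers = tok[2:]
        i += 1
    excluded = {c for c in (ciphers or "").split(":") if c.startswith("!")}
    return {
        "tls_mode": mode,
        "cleartext_allowed": mode in (None, 0, 1),   # -Y 1 still permits plain FTP
        "sslv2_excluded": "!SSLv2" in excluded,
        "sslv3_excluded": "!SSLv3" in excluded,
    }

def poodle_mitigated(cmdline: str) -> bool:
    """True when TLS is enabled and the cipher list rules out SSLv3 suites."""
    s = tls_settings(cmdline)
    return s["tls_mode"] not in (None, 0) and s["sslv3_excluded"]

# Constructed inputs: the xinetd server_args posted above, and a weaker variant.
XINETD_ARGS = ("-A -c5000 -C8 -D -fftp -H -I15 -lpuredb:/etc/pure-ftpd/pureftpd.pdb "
               "-lunix -L10000:8 -m4 -s -p30000:50000 -U133:022 -u100 -E "
               "-Oclf:/var/log/pureftpd.log -g/var/run/pure-ftpd.pid -k99 -Z "
               "-Y 1 -J HIGH:MEDIUM:+TLSv1:!SSLv2:!SSLv3")
WEAK_ARGS = "-A -c5000 -Y 1"          # TLS on, but the default cipher list

if __name__ == "__main__":
    for name, line in (("xinetd", XINETD_ARGS), ("weak", WEAK_ARGS)):
        print(name, tls_settings(line), "mitigated" if poodle_mitigated(line) else "NOT mitigated")
```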

Offline Spacedust

  • Super Grand Master
  • ****
  • Posts: 4,050
  • Karma: +1/-0
Re: Poodlebleed bug
« Reply #22 on: 2014-10-27, 08:51:39 »
We should disable SSL in Qmail on port 465 too!

Please see: https://qmail.jms1.net/tls-auth.shtml

We need to force TLS and disable SSL!
« Last Edit: 2014-10-27, 08:59:27 by Spacedust »

Offline Spacedust

  • Super Grand Master
  • ****
  • Posts: 4,050
  • Karma: +1/-0
Re: Poodlebleed bug
« Reply #23 on: 2014-10-27, 09:05:09 »
This works well and it's very secure:

Quote
IP=0
PORT=465

### MR -- SSL must using SMTPS=1 and SSL=1 but non-SSL only SSL=0 (without SMTPS=0)
export SMTPAUTH="!" \
        SMTPS=1 \
        SSL=0 \
        REQUIRE_AUTH=0 \
        FORCE_TLS=1 \
        DENY_TLS=0 \
        AUTH=1 \
        REQUIRE_AUTH=0 \
        ALLOW_INSECURE_AUTH=0

### MR -- spamhaus.org recommended for not using $RBLSMTPD $BLACKLIST entry before $SMTPD
exec $SOFTLIMIT \
        /usr/bin/tcpserver -v -R -H -l $HOSTNAME -x $TCP_CDB -c "$MAXSMTPD" \
        -u "$QMAILDUID" -g "$NOFILESGID" $IP $PORT $RECORDIO \
        $SPAMDYKE $RBLSMTPD $SMTPD $VCHKPW /bin/true 2>&1

 

