Securing Baruwa against POODLE SSLv3 vulnerability

October 17, 2014 at 04:30 AM | categories: Baruwa Enterprise, Security, Baruwa, Baruwa 2.0

The Baruwa Security Team has been made aware of a vulnerability in the SSLv3 protocol, which has been assigned CVE-2014-3566 and is commonly referred to as 'POODLE'. All implementations of SSLv3 are affected.

For users of the Baruwa Enterprise Edition, only SMTP is affected; the default configuration shipped for web services is not affected, as we dropped support for SSLv3 last year.

Users of the Community Edition may be affected, depending on how they have set up their web and SMTP services.

Resolution

To disable SSLv3, add the following to the main section of /etc/exim/exim.conf and /etc/exim/exim_out.conf:

openssl_options = -all +no_sslv3

Then restart MailScanner:

service mailscanner restart

Puppet users should use the manual instructions above; future updates of the Puppet toolset will contain the fix.

Users of the Community Edition should use the following links to fix the web service.

Testing

You can test your HTTPS and SMTP servers by running the following commands:

HTTPS

openssl s_client -connect baruwa.example.com:443 -ssl3

SMTP STARTTLS

openssl s_client -connect baruwa.example.com:25 -ssl3 -starttls smtp
openssl s_client -connect baruwa.example.com:587 -ssl3 -starttls smtp

SMTPS

openssl s_client -connect baruwa.example.com:465 -ssl3

You should get a handshake failure if your system has been updated.
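The checks above gathered into one script that runs each probe and classifies the s_client output, as an added example that is not from the original post or from the Baruwa project. It assumes the hosts to test are passed on the command line, and the strings it matches are the ones OpenSSL 1.0.x and 1.1.x s_client print; treat them as an assumption for other builds. It also covers one case the post does not mention: an openssl binary built without SSLv3 support (the default in current releases) rejects -ssl3 itself, which looks like a failure but proves nothing about the server, so that outcome is reported separately.

```shell
#!/bin/sh
# Added example, not part of the original post: wraps the "openssl s_client
# ... -ssl3" probes from the Testing section so several hosts can be checked
# after the exim.conf change, and interprets the output instead of leaving
# that to the eye. Host names are placeholders supplied on the command line.

# classify_sslv3 OUTPUT
# Reads the text printed by "openssl s_client ... -ssl3" and prints one word:
#   disabled    the server refused SSLv3 (handshake failure, no cipher agreed)
#   accepted    an SSLv3 session with a real cipher was negotiated
#   untestable  this openssl binary was built without SSLv3, so the probe
#               says nothing about the server
#   unknown     no recognised pattern (connection refused, timeout, ...)
# Exit status: 0 disabled, 1 accepted, 2 unknown, 3 untestable.
classify_sslv3() {
    out=$1
    # A client that cannot speak SSLv3 fails before any handshake; check this
    # first or it would be mistaken for a hardened server.
    case "$out" in
        *"nknown option"*|*"null ssl method passed"*)
            echo untestable; return 3 ;;
    esac
    # s_client prints "Protocol : SSLv3" even on failure (with "Cipher : 0000"),
    # so failure indicators are tested before the protocol line.
    case "$out" in
        *"handshake failure"*|*"no shared cipher"*|*"wrong version number"*|*"Cipher"*": 0000"*|*"Cipher"*": (NONE)"*)
            echo disabled; return 0 ;;
    esac
    case "$out" in
        *"Protocol"*": SSLv3"*)
            echo accepted; return 1 ;;
    esac
    echo unknown; return 2
}

# probe_sslv3 HOST PORT [STARTTLS_PROTOCOL]
# Runs the probe as in the Testing section (adding -starttls when a protocol
# is given), prints "host:port verdict" and returns classify_sslv3's status.
# stdin is /dev/null so s_client exits as soon as the handshake completes.
probe_sslv3() {
    host=$1; port=$2; starttls=${3:-}
    if [ -n "$starttls" ]; then
        out=$(openssl s_client -connect "$host:$port" -ssl3 -starttls "$starttls" </dev/null 2>&1)
    else
        out=$(openssl s_client -connect "$host:$port" -ssl3 </dev/null 2>&1)
    fi
    verdict=$(classify_sslv3 "$out"); rc=$?
    printf '%s:%s %s\n' "$host" "$port" "$verdict"
    return $rc
}

# Check the four services named in the post for every host on the command
# line; exit non-zero if any of them still accepts SSLv3.
if [ $# -gt 0 ]; then
    status=0
    for host in "$@"; do
        for spec in "443:" "25:smtp" "587:smtp" "465:"; do
            port=${spec%%:*}; proto=${spec#*:}
            probe_sslv3 "$host" "$port" "$proto"
            rc=$?
            if [ $rc -eq 1 ]; then status=1; fi
        done
    done
    exit $status
fi
```

Run it as `sh check_sslv3.sh baruwa.example.com` (or several hosts); a line ending in `accepted` means that port still negotiates SSLv3, while `untestable` means the check has to be repeated from a machine whose openssl was built with SSLv3 enabled.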

Support

Users of the Enterprise Edition can contact support if they run into any issues, or post to the Enterprise mailing list.

Users of the Community Edition should post any issues to the Community Edition mailing list.