Poodle Patch in Article 123160 Can Break Email - Linux, Qmail

[dave_cohen]

The Poodle patch fix in article 123160, http://kb.odin.com/en/123160,
[Plesk] CVE-2014-3566: POODLE attack exploiting SSL 3.0 fallback
can break incoming email from some web sites, including gmail, with TLS Negotiation Failure.
Without going into detail, the fix I made was to reverse the qmail patch by editing:
/var/qmail/control/tlsserverciphers
I removed the SSLv3 part so it read:
ALL:!ADH:!LOW:!SSLv2:!EXP:+HIGH:+MEDIUM
then restarted qmail:
/etc/init.d/qmail restart
I am guessing this will leave email open to Poodle, but at least incoming email works!
An interesting site to check TLS compliance is:
http://www.checktls.com/perl/TestReceiver.pl

Hope this saves someone the agony of a lost day...as I endured.

 

[UFHH01]

Hi dave_cohen,

sorry but your "solution" is not a solution, but only a standard re-configuration to the old state, leaving your server open to the Poodle vulnerability.
You should rather try to investigate your error - logs, so see exactly, what causes your issues.

Parallels Plesk Panel for Linux services logs and configuration files ( KB - article: 111 283 )​

Please make sure that you update/upgrade as well your openssl - software to the most recent version ( depending on your operating system either with yum and/or apt-get ), because if you don't do that, you might experience missing ciphers, which may cause "TLS_connect_failed" - failures. Again, your error - log - files will point to the exact issue/problem/failure, so you would be able to investigate the initial cause of your issues.

You might be interested in reading the official documentation for the cipher - usage at: https://www.openssl.org/docs/apps/ciphers.html#TLS_v1_0_cipher_suites_ and you could try out some more detailed cipher - definitions in both configuration files at "tlsserverciphers" and "tlsclientciphers". A well known "intermediate" solution is:

ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

and it is provided by Mozilla.org ( https://wiki.mozilla.org/Security/Server_Side_TLS ). The usage "ALL:" with the addition to remove SSLv2 and SSLv3 is sometimes not accurate enough, so you could consider to define explicit which ciphers you want to accept as showed above.

 

[dave_cohen]

Thanks for clearing this up. I admit I'm far from expert on system admin - very far, in fact - but was elated that I was able to fix email so customers could reach our store. This took me hours of digging on the internet, as well as several hours on chat with GoDaddy support (3 of them, who were no help at all). This was my first foray into TLS and ciphers. This is what you get when someone buys a VPS and turns the Web developer (yours truly) into a system admin.

BTW, in working with the TLS checker site mentioned, I assumed the reference to SSLv3 meant that the sender needed that...even tho it was gmail, and I THINK it was actually google that initially alerted us to Poodle. Misled by an error message...who would have thought?

 

[IATechsupport]

I'm having a problem with the extended cipher list, if I use that list it opens up ports 587 and 465 to connections via SSLv3. If i then go back to the list provided in http://kb.odin.com/en/123160 it will close the ports again but webmail will not load because it can't make any TLS connections.

Am I missing something here ?

 

[UFHH01]

Hi IATechsupport,

you should find an explaining answer in your other thread ( http://talk.plesk.com/threads/plesk-12-odin-script-to-disable-sslv3-problems.333574/#post-782065 ).