• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Poodle Patch in Article 123160 Can Break Email - Linux, Qmail

dave_cohen

New Pleskian
The Poodle patch fix in article 123160, http://kb.odin.com/en/123160,
[Plesk] CVE-2014-3566: POODLE attack exploiting SSL 3.0 fallback
can break incoming email from some web sites, including gmail, with TLS Negotiation Failure.
Without going into detail, the fix I made was to reverse the qmail patch by editing:
/var/qmail/control/tlsserverciphers
I removed the SSLv3 part so it read:
ALL:!ADH:!LOW:!SSLv2:!EXP:+HIGH:+MEDIUM
then restarted qmail:
/etc/init.d/qmail restart
I am guessing this will leave email open to Poodle, but at least incoming email works!
An interesting site to check TLS compliance is:
http://www.checktls.com/perl/TestReceiver.pl

Hope this saves someone the agony of a lost day...as I endured.
 
Hi dave_cohen,

sorry but your "solution" is not a solution, but only a standard re-configuration to the old state, leaving your server open to the Poodle vulnerability.
You should rather try to investigate your error - logs, so see exactly, what causes your issues.


Please make sure that you update/upgrade as well your openssl - software to the most recent version ( depending on your operating system either with yum and/or apt-get ), because if you don't do that, you might experience missing ciphers, which may cause "TLS_connect_failed" - failures. Again, your error - log - files will point to the exact issue/problem/failure, so you would be able to investigate the initial cause of your issues.

You might be interested in reading the official documentation for the cipher - usage at: https://www.openssl.org/docs/apps/ciphers.html#TLS_v1_0_cipher_suites_ and you could try out some more detailed cipher - definitions in both configuration files at "tlsserverciphers" and "tlsclientciphers". A well known "intermediate" solution is:
Code:
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
and it is provided by Mozilla.org ( https://wiki.mozilla.org/Security/Server_Side_TLS ). The usage "ALL:" with the addition to remove SSLv2 and SSLv3 is sometimes not accurate enough, so you could consider to define explicit which ciphers you want to accept as showed above.
 
Thanks for clearing this up. I admit I'm far from expert on system admin - very far, in fact - but was elated that I was able to fix email so customers could reach our store. This took me hours of digging on the internet, as well as several hours on chat with GoDaddy support (3 of them, who were no help at all). This was my first foray into TLS and ciphers. This is what you get when someone buys a VPS and turns the Web developer (yours truly) into a system admin.

BTW, in working with the TLS checker site mentioned, I assumed the reference to SSLv3 meant that the sender needed that...even tho it was gmail, and I THINK it was actually google that initially alerted us to Poodle. Misled by an error message...who would have thought?
 
I'm having a problem with the extended cipher list, if I use that list it opens up ports 587 and 465 to connections via SSLv3. If i then go back to the list provided in http://kb.odin.com/en/123160 it will close the ports again but webmail will not load because it can't make any TLS connections.

Am I missing something here ?
 
Back
Top