fetal
January 23, 2013, 5:38pm
1
I’m running into some issues with Dovecot and PCI Compliance.
Specs
CentOS release 6.3 (Final)
dovecot --version
2.0.9
Virtualmin 3.97
Below is the result of the scan:
Security Warning found on port/service “imap (143/tcp)”
Fail (This must be resolved for your device to be compliant).
Plugin “SSL Anonymous Cipher Suites Supported”
Synopsis The remote service supports the use of anonymous SSL ciphers.
Security Warning found on port/service “pop3 (110/tcp)”
Plugin “SSL/TLS Protocol Initialization Vector Implementation Information Disclosure Vulnerability”
Synopsis It may be possible to obtain sensitive information from the remote host with SSL/TLS-enabled services.

Security Warning found on port/service “imap (143/tcp)”
Fail (This must be resolved for your device to be compliant).
Plugin “SSL/TLS Protocol Initialization Vector Implementation Information Disclosure Vulnerability”
Synopsis It may be possible to obtain sensitive information from the remote host with SSL/TLS-enabled services.
What I have now:
ssl_cipher_list = ALL:!LOW:!MEDIUM:!MD5:!SSL2:!EXP-ADH-DES-CBC-SHA:!EXP-EDH-RSA-DES-CBC-SHA:!EXP-DES-CBC-SHA:!EXP-EDH-RSA-DES-CBC-SHA:!EXP-ADH-DES-CBC-SHA:!EXP-DES-CBC-SHA:!ADH-AES256-SHA:!ADH-AES128-SHA:!ADH-DES-CBC3-SHA:!EXP-ADH-DES-CBC-SHA:!EXP-ADH-DES-CBC-SHA:!ADH-DES-CBC3-SHA
ssl_key = </etc/pki/dovecot/private/dovecot.pem
userdb {
  driver = passwd
}
protocol pop3 {
  pop3_uidl_format = %08Xu%08Xv
}
I’ve also tried with these flags:
#ssl_cipher_list = HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3
#ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
ssl = required
#ssl_cipher_list = HIGH:!SSLv2:!aNULL:!MD5:!DES:!3DES
#ssl_cipher_list = HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3
And still no go. Any suggestions? This is driving me crazy as I only need these 3 to pass.
Thanks in advance!
Hi,
You can read about how to become PCI compliant by visiting:
http://www.virtualmin.com/documentation/security/pci
If you have any questions not covered in that documentation, please feel free to post here.
Best Regards,
Peter Knowles
TPN Solutions
E: pknowles@tpnsolutions.com
P: 604-782-9342
W: http://www.tpnsolutions.com
fetal
January 23, 2013, 8:24pm
3
Thanks for the reply.
I have followed those instructions already, and still seem to fail.
Hi,
Check out this post, and see if it helps:
http://jasonbrown.us/blog/disable_weak_cipher_dovecot
Best Regards,
Peter Knowles
TPN Solutions
E: pknowles@tpnsolutions.com
P: 604-782-9342
W: http://www.tpnsolutions.com
fetal
January 25, 2013, 9:10am
5
Thanks, but I also had already tried that.
I was able to get it to work with:
ssl_cipher_list = HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3:!aNULL
The only one left is:
Security Warning found on port/service “pop3 (110/tcp)”
Plugin “SSL/TLS Protocol Initialization Vector Implementation Information Disclosure Vulnerability”
fetal
February 20, 2013, 7:47am
6
Now I’m having issues with Dovecot, the same issue as above.
This is what I’ve tried:
#PCI COMPLIANCE
#ssl_cipher_list = HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3:!aNULL
#ssl_cipher_list = ECDHE-RSA-AES256-SHA384:AES256-SHA256:AES256-SHA256:RC4:HIGH:MEDIUM:+TLSv1:!MD5:!SSLv2:+SSLv3:!ADH:!aNULL:!eNULL:!NULL:!DH:!ADH:!EDH:!AESGCM
#ssl_cipher_list = HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3
ssl_cipher_list = HIGH:!LOW:!MEDIUM:!MD5:!SSL2:!EXP-ADH-DES-CBC-SHA:!EXP-EDH-RSA-DES-CBC-SHA:!EXP-DES-CBC-SHA:!EXP-EDH-RSA-DES-CBC-SHA:!EXP-ADH-DES-CBC-SHA:!EXP-DES-CBC-SHA:!ADH-AES256-SHA:!ADH-AES128-SHA:!ADH-DES-CBC3-SHA:!EXP-ADH-DES-CBC-SHA:!EXP-ADH-DES-CBC-SHA:!ADH-DES-CBC3-SHA:+TLSv1:+SSLv3:!SSLv2
# SSL ciphers to use
#ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
#ssl_cipher_list = HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3:!aNULL
#ssl_cipher_list = HIGH:MEDIUM:ECDHE-RSA-AES256-SHA384:AES256-SHA256:AES256-SHA256:RC4:HIGH:MEDIUM:+TLSv1:!MD5:!SSLv2:+SSLv3:!ADH:!aNULL:!eNULL:!NULL:!DH:!ADH:!EDH:!AESGCM
#ssl_cipher_list = HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3
#ssl_cipher_list = HIGH:!LOW:!MEDIUM:!MD5:!SSL2:!EXP-ADH-DES-CBC-SHA:!EXP-EDH-RSA-DES-CBC-SHA:!EXP-DES-CBC-SHA:!EXP-EDH-RSA-DES-CBC-SHA:!EXP-ADH-DES-CBC-SHA:!EXP-DES-CBC-SHA:!ADH-AES256-SHA:!ADH-AES128-SHA:!ADH-DES-CBC3-SHA:!EXP-ADH-DES-CBC-SHA:!EXP-ADH-DES-CBC-SHA:!ADH-DES-CBC3-SHA:+TLSv1:+SSLv3
fetal
February 21, 2013, 1:43am
7
I was finally able to get a pass.
This is what I had in my Dovecot conf:
ssl_cipher_list = HIGH:!LOW:!MEDIUM:!MD5:!SSL2:!EXP-ADH-DES-CBC-SHA:!EXP-EDH-RSA-DES-CBC-SHA:!EXP-DES-CBC-SHA:!EXP-EDH-RSA-DES-CBC-SHA:!EXP-ADH-DES-CBC-SHA:!EXP-DES-CBC-SHA:!ADH-AES256-SHA:!ADH-AES128-SHA:!ADH-DES-CBC3-SHA:!EXP-ADH-DES-CBC-SHA:!EXP-ADH-DES-CBC-SHA:!ADH-DES-CBC3-SHA:+TLSv1:+SSLv3:!SSLv2:+TLSv1.1:+TLSv1.2
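To see why the cipher strings tried in this thread behaved as they did, here is an added example (not from the thread, and not Dovecot's or OpenSSL's own code): a small Python evaluator of OpenSSL cipher-string rules over a constructed, partial suite table, reporting the anonymous suites and the SSLv3/TLS 1.0 CBC suites that the two scanner plugins above are about. The suite table and the handful of aliases it understands are assumptions made for the example; the authoritative expansion of a list on a given server is `openssl ciphers -v '<list>'`.

```python
from collections import namedtuple

# Constructed subset of OpenSSL's 1.0.x-era suite table (an assumption for this example);
# proto is the protocol alias the suite belongs to, and SSLv3/TLSv1 name the same set.
Suite = namedtuple("Suite", "name kx auth enc mac strength proto")
SUITES = [
    Suite("ECDHE-RSA-AES256-GCM-SHA384", "ECDH", "RSA", "AESGCM", "AEAD", "HIGH", "TLSv1.2"),
    Suite("AES256-SHA256", "RSA", "RSA", "AES256", "SHA256", "HIGH", "TLSv1.2"),
    Suite("AES256-SHA", "RSA", "RSA", "AES256", "SHA1", "HIGH", "SSLv3"),
    Suite("ADH-AES256-SHA", "DH", "aNULL", "AES256", "SHA1", "HIGH", "SSLv3"),
    Suite("AECDH-AES128-SHA", "ECDH", "aNULL", "AES128", "SHA1", "HIGH", "SSLv3"),
    Suite("RC4-SHA", "RSA", "RSA", "RC4", "SHA1", "MEDIUM", "SSLv3"),
    Suite("EXP-ADH-DES-CBC-SHA", "DH", "aNULL", "DES40", "SHA1", "EXP", "SSLv3"),
]

def _matches(s, word):
    # Only the aliases this thread's strings use are modelled; others match field values.
    if word == "ALL": return True
    if word == "aNULL": return s.auth == "aNULL"
    if word in ("ADH", "AECDH"):                    # anonymous DH / anonymous ECDH
        return s.auth == "aNULL" and s.kx == ("DH" if word == "ADH" else "ECDH")
    if word == "TLSv1": word = "SSLv3"             # TLSv1 aliases the SSLv3 suite set
    return word in (s.name, s.strength, s.enc, s.mac, s.proto)

def expand(spec):
    """Apply rules left to right: a bare word adds, '!' removes for good, '-' removes but
    a later rule may re-add, '+' moves to the end. Returns (ordered suites, unmatched)."""
    active, killed, unmatched = [], set(), []
    for rule in filter(None, spec.split(":")):
        op = rule[0] if rule[0] in "!-+" else ""
        words = rule[len(op):].split("+")           # an inner '+' ANDs aliases (ECDH+AES)
        hits = [s for s in SUITES if all(_matches(s, w) for w in words)]
        if not hits:                                # e.g. SSLv2, SSL2, TLSv1.1: no effect
            unmatched.append(rule)
        elif op == "":
            active += [s for s in hits if s not in active and s not in killed]
        elif op in "!-":                            # '!' also blocks later re-adding
            killed |= set(hits) if op == "!" else set()
            active = [s for s in active if s not in hits]
        else:
            active = [s for s in active if s not in hits] + [s for s in active if s in hits]
    return active, unmatched

def audit(spec):
    """What the two scanner plugins from the thread would find in this ssl_cipher_list."""
    active, unmatched = expand(spec)
    # The IV finding concerns CBC suites negotiable under SSLv3/TLS 1.0; TLS 1.1+ sends an
    # explicit per-record IV, and RC4/AEAD suites have no CBC IV at all.
    return {"order": [s.name for s in active],
            "anonymous": [s.name for s in active if s.auth == "aNULL"],
            "cbc_tls10": [s.name for s in active if s.proto == "SSLv3"
                          and s.enc != "RC4" and s.mac != "AEAD"], "unmatched": unmatched}
```

Run against the final string from this post, the evaluator still keeps AECDH-AES128-SHA: killing suites by name only removes the ones you listed, whereas `!aNULL` removes every anonymous suite on whatever OpenSSL build Dovecot links against. The trailing `+TLSv1.2` moves the TLS 1.2-only suites to the end of the list rather than enabling anything, because `+` only reorders and the cipher list never controls which protocol versions are offered.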