
Poodle Patch in Article 123160 Can Break Email - Linux, Qmail

dave_cohen

New Pleskian
The Poodle patch fix in article 123160 (http://kb.odin.com/en/123160, "[Plesk] CVE-2014-3566: POODLE attack exploiting SSL 3.0 fallback") can break incoming email from some web sites, including Gmail, with a TLS Negotiation Failure.
Without going into detail, the fix I made was to reverse the qmail patch by editing:
/var/qmail/control/tlsserverciphers
I removed the SSLv3 part so it read:
ALL:!ADH:!LOW:!SSLv2:!EXP:+HIGH:+MEDIUM
then restarted qmail:
/etc/init.d/qmail restart
I am guessing this will leave email open to Poodle, but at least incoming email works!
An interesting site to check TLS compliance is:
http://www.checktls.com/perl/TestReceiver.pl

Hope this saves someone the agony of a lost day...as I endured.
 
Hi dave_cohen,

Sorry, but your "solution" is not a solution, but only a standard re-configuration to the old state, leaving your server open to the Poodle vulnerability.
You should rather try to investigate your error logs to see exactly what causes your issues.


Please make sure that you also update/upgrade your openssl software to the most recent version (depending on your operating system, either with yum and/or apt-get), because if you don't, you might experience missing ciphers, which may cause "TLS_connect_failed" failures. Again, your error log files will point to the exact issue/problem/failure, so you will be able to investigate the initial cause of your issues.

You might be interested in reading the official documentation for cipher usage at https://www.openssl.org/docs/apps/ciphers.html#TLS_v1_0_cipher_suites_ and you could try out some more detailed cipher definitions in both configuration files, "tlsserverciphers" and "tlsclientciphers". A well-known "intermediate" solution is:
Code:
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
and it is provided by Mozilla.org (https://wiki.mozilla.org/Security/Server_Side_TLS). The usage of "ALL:" with additions to remove SSLv2 and SSLv3 is sometimes not accurate enough, so you could consider defining explicitly which ciphers you want to accept, as shown above.
 
Thanks for clearing this up. I admit I'm far from expert on system admin - very far, in fact - but was elated that I was able to fix email so customers could reach our store. This took me hours of digging on the internet, as well as several hours on chat with GoDaddy support (3 of them, who were no help at all). This was my first foray into TLS and ciphers. This is what you get when someone buys a VPS and turns the Web developer (yours truly) into a system admin.

BTW, in working with the TLS checker site mentioned, I assumed the reference to SSLv3 meant that the sender needed that...even though it was Gmail, and I THINK it was actually Google that initially alerted us to Poodle. Misled by an error message...who would have thought?
 
I'm having a problem with the extended cipher list: if I use that list it opens up ports 587 and 465 to connections via SSLv3. If I then go back to the list provided in http://kb.odin.com/en/123160 it will close the ports again, but webmail will not load because it can't make any TLS connections.

Am I missing something here?
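The two symptoms in this thread (the KB cipher string breaking Gmail and webmail, the Mozilla list re-enabling SSLv3 on 465/587) have the same root cause, and it is worth checking before editing tlsserverciphers again: in an OpenSSL cipher string, `SSLv3` is a cipher-suite keyword, not a protocol switch. `openssl ciphers -v` tags every suite that predates TLS 1.2 as `SSLv3`, and TLS 1.0 and 1.1 clients use exactly those suites, so `!SSLv3` strips the suites legacy senders need while leaving the SSL 3.0 protocol itself to whatever the qmail TLS code allows. The script below is an added example, not code from the thread, Plesk or qmail. It parses `openssl ciphers -v` output (a constructed, abridged sample is embedded), reports which suite generations and weak suites a cipher string leaves enabled, optionally runs the local `openssl` binary on a real cipher string, and probes a mail server the way a mail client would, including pinning the handshake to TLS 1.0 to reproduce what a legacy sender sees. The host name and ports in the usage section are assumptions.

```python
"""Added example (not from the forum thread, Plesk or qmail): audit a cipher string the way
OpenSSL expands it, and probe a mail server the way a (possibly legacy) client would."""
import smtplib
import ssl
import subprocess

# Constructed, abridged sample of `openssl ciphers -v` output in OpenSSL's own column format:
# name, lowest protocol the suite was defined for, Kx=, Au=, Enc=, Mac=, optional "export".
SAMPLE_CIPHERS_V = """\
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
EXP-DES-CBC-SHA         SSLv3 Kx=RSA(512) Au=RSA  Enc=DES(40)   Mac=SHA1 export
"""

WEAK_ENC = ("RC4", "DES(", "None")   # RC4, single DES, NULL encryption ("3DES(" does not match)
WEAK_MAC = ("MD5",)


def parse_ciphers_v(text):
    """Turn `openssl ciphers -v` lines into dicts: name, proto, Kx, Au, Enc, Mac, export."""
    suites = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6:
            continue
        suite = {"name": parts[0], "proto": parts[1], "export": "export" in parts[2:]}
        for field in parts[2:]:
            if "=" in field:
                key, value = field.split("=", 1)
                suite[key] = value
        suites.append(suite)
    return suites


def audit(suites):
    """Summarise what a cipher list leaves enabled and flag known-weak suites."""
    weak = [s["name"] for s in suites
            if s["export"] or s.get("Enc", "").startswith(WEAK_ENC) or s.get("Mac") in WEAK_MAC]
    protos = sorted({s["proto"] for s in suites})
    # Suites tagged SSLv3 are the ones TLS 1.0/1.1 clients negotiate; with none left, only
    # TLS 1.2 clients can connect (the "TLS Negotiation Failure" symptom from the thread).
    legacy_ok = any(s["proto"] == "SSLv3" for s in suites)
    return {"count": len(suites), "protocols": protos, "weak": weak,
            "serves_tls10_11_clients": legacy_ok}


def audit_cipher_string(cipher_string):
    """Expand a cipher string (e.g. the contents of tlsserverciphers) with the local openssl.
    Assumes an `openssl` binary on PATH; returns None if it is missing or rejects the string."""
    try:
        out = subprocess.run(["openssl", "ciphers", "-v", cipher_string],
                             capture_output=True, text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None
    return audit(parse_ciphers_v(out))


def probe_smtp(host, port=587, version=None, timeout=10):
    """Handshake like a mail client (STARTTLS on 587, implicit TLS on 465) and report the
    negotiated protocol and cipher. version=ssl.TLSVersion.TLSv1 pins the handshake to TLS 1.0
    to mimic a legacy sender; a failure there is what Gmail-style senders would see.
    Certificates are not verified because the handshake, not trust, is under test."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    try:
        if version is not None:
            ctx.minimum_version = version
            ctx.maximum_version = version
        if port == 465:
            server = smtplib.SMTP_SSL(host, port, timeout=timeout, context=ctx)
        else:
            server = smtplib.SMTP(host, port, timeout=timeout)
            server.starttls(context=ctx)
        proto, cipher = server.sock.version(), server.sock.cipher()[0]
        server.quit()
        return {"ok": True, "protocol": proto, "cipher": cipher}
    except (ssl.SSLError, smtplib.SMTPException, OSError, ValueError) as exc:
        # Newer OpenSSL builds may refuse to even offer TLS 1.0; that is reported here too.
        return {"ok": False, "error": str(exc)}


if __name__ == "__main__":
    print(audit(parse_ciphers_v(SAMPLE_CIPHERS_V)))
    # Assumed values: replace with your own cipher string and mail host.
    print(audit_cipher_string("ALL:!ADH:!LOW:!SSLv2:!EXP:+HIGH:+MEDIUM"))
    print(audit_cipher_string("ALL:!ADH:!LOW:!SSLv2:!SSLv3:!EXP:+HIGH:+MEDIUM"))
    for port in (587, 465):
        print(port, probe_smtp("mail.example.invalid", port))
        print(port, "as TLS 1.0 client:", probe_smtp("mail.example.invalid", port, ssl.TLSVersion.TLSv1))
```

Run `audit_cipher_string` on the KB string and on the Mozilla list side by side: the KB string comes back with `serves_tls10_11_clients` False, which is why older senders and the webmail client fail, while the Mozilla list keeps them but cannot by itself refuse the SSL 3.0 protocol, which is what the 465/587 observation above shows. Disabling the protocol has to happen in the server's TLS options (for qmail, in the TLS patch itself), not in the cipher list; the probe function then confirms from the outside what each port actually negotiates.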
 