I'm a Linux admin using fetchmail on a local server to get emails via the pop3proxy of my Sophos UTM 9.
We all know there is the infamous POODLE bug and SSLv3 should not be used anymore.
Sophos has released a "bugfix" for this to make pop3proxy stop using SSLv3. But here is the catch: pop3proxy most likely uses OpenSSL for connecting, and though we don't want to use SSLv3 anymore, TLS 1.0 and TLS 1.1 are still welcome and safe to use. These, TLS 1.0 and TLS 1.1, rely on the same cipher suites as SSLv3.
So we have a problem. If you disable the SSLv3 cipher suites, you cannot use TLS 1.0 or TLS 1.1 anymore. You could say, well, you can still use TLS 1.2, because it doesn't rely on the SSLv3 cipher suites. But I'd answer: I do use fetchmail, and you cannot force fetchmail to use TLS 1.2. :(
So since the last update I cannot use fetchmail anymore, because the solution proposed for the POODLE bug by Sophos was to turn off the SSLv3 cipher suites. And I don't like that at all. :@
Take a look in /var/storage/chroot-pop3/etc/pop3proxy.conf-default
Before the patch/update:
tls_ciphers_server=RC4:HIGH:!MD5:!aNULL:!EDH
After the patch/update:
tls_ciphers_server=RC4:HIGH:!MD5:!aNULL:!EDH:!SSLv3
So here is my question: how can you configure pop3proxy so that the SSLv3 cipher suites are still usable but the SSLv3 protocol is not?
I have seen this kind of configuration on a lot of mail services like Dovecot and so on. So how can this be done with pop3proxy?
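The distinction the post draws, "SSLv3" as a cipher-string alias versus SSLv3 as a protocol, can be checked with the OpenSSL that Python links against. The example below is added here and is not the poster's code nor anything from Sophos or pop3proxy: it expands the two tls_ciphers_server strings quoted above, groups the resulting suites by the oldest protocol that may use them, lists what the added !SSLv3 throws away, and then shows the protocol-level alternative (OpenSSL's SSL_OP_NO_SSLv3, exposed as ssl.OP_NO_SSLv3) that refuses an SSLv3 handshake while leaving the cipher list untouched. The function names are my own; the mapping to pop3proxy's configuration is an assumption, since the post shows only the cipher string. One caveat: the exact set of suites and their labels depend on the OpenSSL version in use. On the OpenSSL 1.0.x of that era the TLSv1 alias was the same selector as SSLv3, so !SSLv3 also stripped the ECDHE-*-SHA suites; OpenSSL 1.1.0 and later label those "TLSv1.0" and keep them, so the post's "nothing left for TLS 1.0/1.1" no longer holds literally on a current build.

```python
import ssl

# Cipher strings exactly as quoted in the post from
# /var/storage/chroot-pop3/etc/pop3proxy.conf-default, before and after the
# Sophos patch. The patch appended "!SSLv3", a cipher-string alias, rather
# than switching off the SSLv3 protocol.
TLS_CIPHERS_BEFORE = "RC4:HIGH:!MD5:!aNULL:!EDH"
TLS_CIPHERS_AFTER = "RC4:HIGH:!MD5:!aNULL:!EDH:!SSLv3"


def suites_by_min_protocol(cipher_string):
    """Expand an OpenSSL cipher string (with the OpenSSL linked into Python)
    and group the resulting suites by the oldest protocol that can use them.

    OpenSSL tags every suite with its minimum protocol version; the tag is
    reported here as "SSLv3", "TLSv1.0", "TLSv1.2" or "TLSv1.3" and is what
    the SSLv3 / TLSv1.2 aliases inside a cipher string match against.
    Returns {tag: [suite names]}.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # ssl.SSLError if nothing at all matches
    groups = {}
    for suite in ctx.get_ciphers():
        groups.setdefault(suite["protocol"], []).append(suite["name"])
    return groups


def suites_removed_by(cipher_before, cipher_after):
    """Suite names usable under cipher_before that cipher_after no longer offers."""
    before = {n for names in suites_by_min_protocol(cipher_before).values() for n in names}
    after = {n for names in suites_by_min_protocol(cipher_after).values() for n in names}
    return sorted(before - after)


def protocol_off_suites_kept(cipher_string):
    """The alternative the post asks about: keep the cipher list as it was and
    turn off the SSLv3 *protocol* on the context instead (OpenSSL's
    SSL_OP_NO_SSLv3). An SSLv3 handshake is then refused, while the
    SSLv3-era suites stay available to TLS 1.0 and TLS 1.1 peers.
    Returns the suite names that remain configured.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.options |= ssl.OP_NO_SSLv3  # protocol switch, not a cipher-string alias
    ctx.set_ciphers(cipher_string)  # unchanged pre-patch string
    return sorted(suite["name"] for suite in ctx.get_ciphers())


if __name__ == "__main__":
    for label, cs in (("before", TLS_CIPHERS_BEFORE), ("after", TLS_CIPHERS_AFTER)):
        print(f"{label}: {cs}")
        for tag, names in sorted(suites_by_min_protocol(cs).items()):
            print(f"  {tag:8} {len(names):2} suites, e.g. {names[0]}")
    print("removed by !SSLv3:", suites_removed_by(TLS_CIPHERS_BEFORE, TLS_CIPHERS_AFTER))
    print("kept with OP_NO_SSLv3 instead:", protocol_off_suites_kept(TLS_CIPHERS_BEFORE))
```

Running it shows that every suite the !SSLv3 alias removes carries the "SSLv3" minimum-version tag (the RSA-key-exchange AES-CBC-SHA1 suites such as AES256-SHA), which is exactly the set a TLS 1.0 or 1.1 client without TLS 1.2 would have to negotiate; with OP_NO_SSLv3 those suites are still present. Whether pop3proxy exposes a protocol option of that kind is not visible from the post, which is why the question stands.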