Postfix vulnerability on port 25

Hi,

I have a setup with the latest version of mailinabox (v0.24 / October 3, 2017). Today I ran a scan with Nessus on my system and found the following vulnerabilities on port 25 (Postfix):

  1. SSL 64-bit Block Size Cipher Suites Supported (SWEET32):
     List of 64-bit block cipher suites supported by the remote server:

Medium Strength Ciphers (> 64-bit and < 112-bit key, or 3DES)

EDH-RSA-DES-CBC3-SHA         Kx=DH          Au=RSA      Enc=3DES-CBC(168)        Mac=SHA1
ECDHE-RSA-DES-CBC3-SHA       Kx=ECDH        Au=RSA      Enc=3DES-CBC(168)        Mac=SHA1
DES-CBC3-SHA                 Kx=RSA         Au=RSA      Enc=3DES-CBC(168)        Mac=SHA1

  2. SSL Medium Strength Cipher Suites Supported:

     Here is the list of medium strength SSL ciphers supported by the remote server:

Medium Strength Ciphers (> 64-bit and < 112-bit key, or 3DES)

EDH-RSA-DES-CBC3-SHA         Kx=DH          Au=RSA      Enc=3DES-CBC(168)        Mac=SHA1
ECDHE-RSA-DES-CBC3-SHA       Kx=ECDH        Au=RSA      Enc=3DES-CBC(168)        Mac=SHA1
DES-CBC3-SHA                 Kx=RSA         Au=RSA      Enc=3DES-CBC(168)        Mac=SHA1

Are these ciphers still used for compatibility reasons, or why?

It’s worse than you think. Emails can be received in the clear without any encryption at all!

This is just how SMTP works - it’s an insecure protocol, like HTTP. You can’t require encryption or you might stop receiving mail from old or misconfigured mail servers.

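As an added illustration (not code from this thread or from Mail-in-a-Box), here is a small Python probe that does what the reply above describes: it sends EHLO, checks whether the server advertises STARTTLS, and, if it does, attempts a handshake restricted to the 3DES suites that Nessus flagged. The host name box.example.com, the EHLO reply and the Nessus table embedded below are constructed sample input; the classification of "64-bit block cipher" names is my own heuristic over OpenSSL suite names.

```python
"""Opportunistic-TLS probe for SMTP on port 25 (added example, not part of the thread).

Offline parts: classify Nessus cipher-table rows and EHLO replies.
Online part:   probe_starttls() talks to a real server and is not run by the tests.
"""
from __future__ import annotations

import re
import smtplib
import socket
import ssl
import sys

# Tokens that mark a 64-bit block cipher in OpenSSL/Nessus suite names
# (DES/3DES, RC2, IDEA, Blowfish). This is the SWEET32 class.
_64BIT_BLOCK_TOKENS = ("DES-CBC3", "3DES", "DES-CBC", "RC2", "IDEA", "BF")

# Constructed sample input: the rows from the Nessus report quoted in the thread.
NESSUS_TABLE = """
Medium Strength Ciphers (> 64-bit and < 112-bit key, or 3DES)

EDH-RSA-DES-CBC3-SHA         Kx=DH          Au=RSA      Enc=3DES-CBC(168)        Mac=SHA1
ECDHE-RSA-DES-CBC3-SHA       Kx=ECDH        Au=RSA      Enc=3DES-CBC(168)        Mac=SHA1
DES-CBC3-SHA                 Kx=RSA         Au=RSA      Enc=3DES-CBC(168)        Mac=SHA1
"""

# Constructed sample input: what a Postfix box typically answers to EHLO.
EHLO_REPLY_WITH_TLS = (
    "250-box.example.com\r\n"
    "250-PIPELINING\r\n"
    "250-SIZE 10240000\r\n"
    "250-STARTTLS\r\n"
    "250-AUTH PLAIN LOGIN\r\n"
    "250 SMTPUTF8\r\n"
)
# Constructed sample input: a legacy server that never learned STARTTLS.
EHLO_REPLY_LEGACY = "250-old.example.net\r\n250-SIZE 5000000\r\n250 8BITMIME\r\n"


def is_64bit_block_cipher(suite: str) -> bool:
    """True when the suite name is built on a 64-bit block cipher."""
    name = suite.upper()
    return any(tok in name for tok in _64BIT_BLOCK_TOKENS)


def flagged_suites(nessus_table: str) -> list[str]:
    """Take the first column of a Nessus cipher table and keep the SWEET32-class suites."""
    found = []
    for line in nessus_table.splitlines():
        m = re.match(r"\s*([A-Z0-9-]+)\s+Kx=", line)
        if m and is_64bit_block_cipher(m.group(1)):
            found.append(m.group(1))
    return found


def parse_ehlo(reply: str) -> set[str]:
    """Return the capability keywords of a multi-line 250 reply (first line is the greeting)."""
    caps = set()
    for line in reply.splitlines()[1:]:
        m = re.match(r"250[ -]([A-Z0-9]+)", line)
        if m:
            caps.add(m.group(1))
    return caps


def opportunistic_choice(caps: set[str]) -> str:
    """What an opportunistic client (Postfix 'may' level) does: TLS if offered, else cleartext."""
    return "starttls" if "STARTTLS" in caps else "cleartext"


def probe_starttls(host: str, port: int = 25, ciphers: str = "3DES", timeout: float = 10.0) -> dict:
    """Live probe: EHLO, check STARTTLS, then try a handshake limited to `ciphers`.

    A handshake failure means the server does not accept any suite in `ciphers`;
    it is reported in 'error' rather than raised, as a real opportunistic sender
    would treat it as 'no TLS available' and decide what to do next.
    """
    result = {"starttls_offered": False, "negotiated": None, "error": None}
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # probing ciphers, not validating the certificate
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.set_ciphers(ciphers)     # an OpenSSL built without 3DES rejects this string
    except ssl.SSLError as exc:
        result["error"] = f"local OpenSSL refuses cipher list {ciphers!r}: {exc}"
        return result
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        result["starttls_offered"] = smtp.has_extn("starttls")
        if result["starttls_offered"]:
            try:
                smtp.starttls(context=ctx)
                result["negotiated"] = smtp.sock.cipher()[0]
            except (ssl.SSLError, smtplib.SMTPException, socket.error) as exc:
                result["error"] = str(exc)
    return result


if __name__ == "__main__":
    print("SWEET32-class suites in the Nessus table:", flagged_suites(NESSUS_TABLE))
    for reply in (EHLO_REPLY_WITH_TLS, EHLO_REPLY_LEGACY):
        print(reply.split("\r\n")[0][4:], "->", opportunistic_choice(parse_ehlo(reply)))
    if len(sys.argv) > 1:            # optional live probe: python3 probe.py mail.example.com
        print(probe_starttls(sys.argv[1]))
```

If the live probe returns `starttls_offered: True` with a handshake error, the server no longer accepts any 3DES suite. On Postfix that is what `smtpd_tls_exclude_ciphers = 3DES` does; the caveat from the reply still applies, because with `smtpd_tls_security_level = may` a sender that only speaks 3DES will fail the handshake and may then deliver in the clear instead.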

I don’t think it’s that bad. As I understand it, connections attempt to use the most secure cipher, then downgrade until they reach a cipher both ends of the connection can use, or even unencrypted if it gets to that point.

Correct?


That is for most SMTP servers. There are still servers out there that do not even support TLS/SSL, unfortunately.
