Advisory: Recommended steps for the Poodle vulnerability in SMTP Proxy on the Sophos UTM

This article provides the recommended steps for the Poodle vulnerability in SMTP Proxy on the Sophos UTM.

Applies to the following Sophos product(s) and version(s)

Sophos UTM

What is the vulnerability?

For details about this vulnerability, see https://nakedsecurity.sophos.com/2014/10/16/poodle-attack-takes-bytes-out-of-your-data-heres-what-to-do/

Recommended steps for SMTP Proxy

Disable SSLv3 for SMTP and turn TLSv1.2 back on:

For UTM versions up to 9.209, and 9.300 to 9.303

  • Navigate to /var/chroot-smtp/etc/
  • Open exim.conf with vi: vi exim.conf
  • Change (or add, if missing) the openssl_options line at the end of the #TLS section so that it reads: openssl_options = +no_sslv3
  • Note: Before you save your changes, make sure that the value of tls_require_ciphers looks as follows:

    RC4+RSA:HIGH:!MD5:!ADH:!SSLv2

  • Save your changes and close the editor: :wq
  • Restart the smtpd service by executing /var/mdw/scripts/smtp restart

For UTM version 9.210

  • Navigate to /var/chroot-smtp/etc/
  • Open exim.conf with vi: vi exim.conf
  • Change the value of tls_require_ciphers to the following (remove the trailing ":!SSLv3"):

    RC4+RSA:HIGH:!MD5:!ADH:!SSLv2

  • Add the following line at the end of the #TLS section: openssl_options = +no_sslv3
  • Save your changes and close the editor: :wq
  • Restart the smtpd service by executing /var/mdw/scripts/smtp restart

After applying the recommended steps, my mail server can no longer communicate with the Sophos UTM. What should I do?

Some mail servers do not support TLS 1.2. In this case, proceed as follows (note that openssl_options applies to all of the proxy's TLS connections, so this disables TLS 1.2 for every peer, not only the failing one):

  • Navigate to /var/chroot-smtp/etc/
  • Open the exim.conf with vi: vi exim.conf
  • Change the line openssl_options to: openssl_options = +no_sslv3 +no_tlsv1_2
  • Save your changes and close the editor: :wq
  • Now restart the smtpd service by executing /var/mdw/scripts/smtp restart

Some mail servers only support SSLv3. In this case you would need to reactivate SSLv3 support (which leaves the proxy vulnerable to POODLE again) as follows:

  • Navigate to /var/chroot-smtp/etc/
  • Open the exim.conf with vi: vi exim.conf
  • Remove the line openssl_options = +no_sslv3
  • Save your changes and close the editor: :wq
  • Now restart the smtpd service by executing /var/mdw/scripts/smtp restart
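The following is an added example, not code from the Sophos advisory or the UTM itself: a POSIX shell helper that applies the exim.conf edit from the procedures above (the +no_sslv3 hardening, the +no_sslv3 +no_tlsv1_2 fallback for peers without TLS 1.2, and the removal for SSLv3-only peers) to a file, plus a check with openssl s_client. The sample exim.conf and the host name are constructed; the real file is /var/chroot-smtp/etc/exim.conf, and the assumption about its layout is that the #TLS section ends at the next line beginning with "#". The smtpd restart (/var/mdw/scripts/smtp restart) still has to be done by hand afterwards.

```shell
#!/bin/sh
# Added example (not from the Sophos advisory). Edits a copy of exim.conf the way
# the steps above describe and verifies the result. The sample file below is
# constructed; the real file on the UTM is /var/chroot-smtp/etc/exim.conf.
# Assumption: the "#TLS" section ends at the next line that starts with "#".

# Constructed sample resembling the 9.210 state (cipher list still carries ":!SSLv3").
make_sample_conf() {
  cat > "$1" <<'EOF'
# main configuration
primary_hostname = utm.example.internal
#TLS
tls_advertise_hosts = *
tls_certificate = /etc/ssl/smtp.pem
tls_require_ciphers = RC4+RSA:HIGH:!MD5:!ADH:!SSLv2:!SSLv3
#ROUTERS
begin routers
EOF
}

# set_exim_openssl_options FILE VALUE
#   - strips the ":!SSLv3" suffix from tls_require_ciphers (the 9.210 step)
#   - sets "openssl_options = VALUE" at the end of the #TLS section, replacing
#     any existing openssl_options line; an empty VALUE removes the line
#     (the SSLv3-only-peer fallback). Idempotent: never leaves two copies.
set_exim_openssl_options() {
  conf="$1"; value="$2"
  awk -v val="$value" '
    /^tls_require_ciphers[[:space:]]*=/ { sub(/:!SSLv3/, "") }
    /^openssl_options[[:space:]]*=/ {
      if (!had && val != "") print "openssl_options = " val
      had = 1; next
    }
    /^#TLS/ { in_tls = 1; print; next }
    in_tls && /^#/ {
      if (!had && val != "") print "openssl_options = " val
      had = 1; in_tls = 0
    }
    { print }
    END { if (!had && val != "") print "openssl_options = " val }
  ' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Wrappers matching the three procedures in the advisory.
disable_sslv3()       { set_exim_openssl_options "$1" "+no_sslv3"; }
disable_sslv3_tls12() { set_exim_openssl_options "$1" "+no_sslv3 +no_tlsv1_2"; }  # peers without TLS 1.2
reenable_sslv3()      { set_exim_openssl_options "$1" ""; }                       # SSLv3-only peers: vulnerable again

# check_sslv3_refused HOST: after the restart, confirm from another machine that the
# proxy no longer negotiates SSLv3. Needs an OpenSSL build that still has -ssl3;
# default builds of 1.1.0 and later do not, which ends up in the last case.
# Assumption: s_client prints "Cipher is (NONE)" when the handshake fails.
check_sslv3_refused() {
  out=$(printf 'QUIT\r\n' | openssl s_client -connect "$1:25" -starttls smtp -ssl3 2>&1)
  case "$out" in
    *"Cipher is (NONE)"*) echo "SSLv3 refused by $1"; return 0 ;;
    *"Cipher is "*)       echo "SSLv3 still accepted by $1"; return 1 ;;
    *)                    echo "inconclusive: no connection or no SSLv3 support in this openssl"; return 2 ;;
  esac
}

# Demo on a temporary copy; the real file is only touched if you pass its path yourself.
if [ "${1:-}" = "--demo" ]; then
  f=$(mktemp); make_sample_conf "$f"; disable_sslv3 "$f"; cat "$f"; rm -f "$f"
fi
```

Run it as `sh harden_exim.sh --demo` to see the edited sample, or source it and call `disable_sslv3 /var/chroot-smtp/etc/exim.conf` on the UTM (take a backup first), then restart the proxy and run `check_sslv3_refused <utm-address>` from a host with an SSLv3-capable OpenSSL.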

Related:

Trend Micro Raises Awareness about Microsoft Windows SChannel Vulnerability

DALLAS: With the revelation of another major flaw affecting SSL/TLS, this time in Microsoft Windows Secure Channel (SChannel), Trend Micro Incorporated (TYO: 4704; TSE: 4704), a global leader in security software and solutions, is recommending Windows users immediately patch their systems to avoid being compromised. Windows SChannel is Microsoft's delivery platform to securely transfer data, and this potentially wormable vulnerability presents another threat to ecommerce and other critical web-based apps.

Related:

The Secure Sockets Layer and Transport Layer Security

With the explosive growth of computing devices connected to the Internet in recent years, the security of communications and computer systems has become more important than ever. We will learn about the history of secure communications, the SSL/TLS protocols, the handshake, the network layers involved, and a tool that makes SSL/TLS connection verification easier.

Related:

Use specific interface for outbound connections (Ubuntu 9.04)

I have two ethernet interfaces in my computer, which is running Ubuntu 9.04. Both interfaces sport static IPs, but use separate gateways. My /etc/network/interfaces file looks something like this:

auto eth0 eth1
iface eth0 inet static
  address 10.0.0.5
  netmask 255.255.255.0
  gateway 10.0.0.1

iface eth1 inet static
  address 192.168.2.5
  netmask 255.255.255.0
  gateway 192.168.2.1

I want to have all traffic going to the internet-at-large run through eth0, but it seems to want to go through eth1. Is there a way that I can channel my general outbound traffic through eth0 instead and only use eth1 for traffic to its subnet?

The answer should be persistent; that is to say, it should survive reboot without a superuser needing to run a command after restart.

EDIT: as requested, here is the output of my route -n command:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 eth1
0.0.0.0         192.168.2.1     0.0.0.0         UG    100    0        0 eth1
0.0.0.0         10.0.0.1        0.0.0.0         UG    100    0        0 eth0
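As an added illustration, not part of the question or of any answer on the thread: the persistent form of what is asked for is to keep a gateway line only on eth0 in /etc/network/interfaces, so that ifupdown installs a single default route at boot. eth1 still gets its connected route for 192.168.2.0/24 from its address and netmask. The addresses are the ones from the question.

```text
auto eth0 eth1
iface eth0 inet static
  address 10.0.0.5
  netmask 255.255.255.0
  gateway 10.0.0.1

iface eth1 inet static
  address 192.168.2.5
  netmask 255.255.255.0
  # no gateway line here: with a gateway on both stanzas ifupdown adds two
  # 0.0.0.0 routes of equal metric, which is why traffic was leaving via eth1
```

After `sudo ifdown eth1 && sudo ifup eth1` (or a reboot), `route -n` should show a single 0.0.0.0 line, via 10.0.0.1 on eth0.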

Related:

SSL: it’s not just for commerce anymore

SSL (Secure Sockets Layer) was created to add certificate-authenticated encryption to HTTP transmissions. This article discusses what SSL is, how it co-exists with existing Domino and Notes security protocols, and how Domino implements SSL support.