6

I would like to mitigate POODLE vuln. in my courier-imap server. I know how to do it. I'm really concerned on how it will affect MUA's, especially the older ones. There are still users using Outlook Express 6 in Windows XP. Is there any analysis on which MUA is going to stop working with SSLv3 switched off from server side? Or maybe it's completely safe action?

Scyld de Fraud
  • 83
  • 9
  • I don't think you'll find a list of software that breaks ask it would include a lot of software nobody uses anymore. I wouldn't be surprised if OE6 breaks, as most XP era software doesn't support TLS. In the case of OE6 I would highly recommend them upgrading to a newer MUA like Thunderbird or even Webmail of some sort. At some point you do need to stop supporting ancient software because of the vulnerabilities it creates. Communicating this fact to your clients is critical to them understanding their responsibilities. – Chris S Oct 22 '14 at 17:15
  • I totally agree with you, but I it would be nice to see a table with what MUA is I would say safe and for which I need to prepare a support for it's users. There are many who can't handle their responsibilities. If I would make a statement that some users need to make some action I need to be prepared for support and be precise on what their need to do… I find lots of pages saying what to do with servers but I can't find the same for clients/agents. – Scyld de Fraud Oct 22 '14 at 21:08
  • 2
    You cannot mitigate Poodle on your IMAP server because Poodle does not apply to IMAP. [Poodle/CVE-2014-3566](http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html) only applies to HTTPS, not other services. While SSLv3 has other flaws, those other flaws (including yet-to-be-discovered flaws), these other flaws are not the same thing as 'Poodle'. – Stefan Lasiewski Oct 25 '14 at 20:29

2 Answers2

1

Having tried this last week, my experience was it breaks a lot of clients. It's true that modern Outlook supports TLS, but it thinks this means start in plaintext then escalate to encryption. The idea that TLS can be used as an ab initio cyphersuite seems to have escaped it; whenever I selected TLS, it insisted that it wanted to use IMAP port 143, not IMAP/S port 993. Though I confess to being no Windows admin, I was unable to persuade it otherwise, and since I have no desire whatsoever to expose port 143, that rather stymied me.

K-9 mail (v5.001) on Android phones broke as well. ALPINE (2.11) under Linux was fine, of course. I can't speak for Thunderbird on any platform, because by the time my users (including my wife) had finished bending my ears, I was persuaded to switch back.

Most of the analysis I've seen suggests that there are no known IMAP/POP-based SSLv3 exploits at this time. My new plan is to set up a second dovecot on port 994, doing only TLS, and gently chivvy my users into finding clients that work for them. If I see any reports of mail-based exploits in the wild, that "gently" might get a bit more forceful.

Edit to address mc0e's comment below:

Yours is a common misconception, and indeed one I suffered from for many years. However, the belief that TLS can only be used for encryption via escalation-from-plaintext is as wrong as it is common.

Consider: POODLE mitigation relies on disabling SSLv3 for HTTPS servers; mitigated servers can only speak TLS. Unless you think that HTTPS has just got itself a plaintext-first phase which was not there before POODLE, and that all the world's web browsers have suddenly changed behaviour when they connect to TCP port 443 (it hasn't, and they haven't; fire up wireshark and see), then TLS is being used for sessions which are encrypted from the start. TLS certainly supports uprating from plaintext, but it can also be used for ab initio encryption - despite what various client software packages think.

Edit 2: mc0e, I agree that STARTTLS is definitely restricted to initially-plaintext services. However, that's not what's under discussion, and it's not the terminology that many clients use. For them, as for many, STARTTLS and TLS are the same thing; my point is that they are not; the latter is a pure superset of the former.

People who think that the switch of encrypted non-web services away from SSLv3 will be easy "because the client supports TLS" may run into problems because what the client really means is that it supports "STARTTLS for encryption uprating", rather than "TLS as a cryptosuite for both ab initio encrypted connections and uprating from plaintext".

MadHatter
  • 78,442
  • 20
  • 178
  • 229
  • TLS is supposed to be on the usual IMAP port (143). There's an initial negotiation in plaintext where the client tells the server that it wants to proceed with SSL encryption. If you want to use SSL from the start, that's when you use a different port (normally 993). Using TLS on port 993 does not ever make sense. – mc0e Oct 28 '14 at 11:28
  • @mc0e is correct: there's usually a distinction in mail clients between `SSL` (where you directly initiate the connection encrypted) and `TLS` (where you start in plaintext and send `STARTSSL` to begin the SSL session). – gparent Oct 28 '14 at 17:26
  • @gparent: I got it wrong though in that I should have been referring to "STARTTLS", not "TLS" (and not the "STARTSSL" you refer to). Presumably Outlook should also be referring to STARTTLS, which might have saved some confusion. – mc0e Oct 28 '14 at 17:44
  • Yeah, some clients get the terminology wrong and I don't want to imply that what I was commenting above had anything to do with SSLv3 vs TLSv1.0+. – gparent Oct 28 '14 at 18:39
  • I submit that both you guys have downvoted this on the misunderstanding that `TLS` and `STARTTLS` are the same thing. They're not, and if you accept that, you may wish to reconsider your positions. – MadHatter Oct 28 '14 at 19:56
  • @MadHatter So is what you are proposing to set up IMAPS port 994, with all of SSLv[x] disabled? Given that there *is* a confusion in the terminology, I think you need to clarify that point in your answer, and if you do so I'd be happy to remove my downvote. In general we're collecting a lot of discussion here, which should probably be tidied up and integrated into an answer which reads right from the outset, even if someone does not initially realise the terminlogy issues that exist in the mail clients. – mc0e Nov 01 '14 at 03:29
  • For the record, Thunderbird (at least as of linux version 24.6.0) expresses the encryption options as being between "None", "STARTTLS" and "SSL/TLS". – mc0e Nov 01 '14 at 04:14
  • mc0e: yes, that is precisely what I intend to set up. I would be *really* happy to clarify my answer, but **I don't understand the confusion**. It seems to me that some people (and some software) confuses `TLS` and `STARTTLS`; is that the confusion to which you refer? If not, can you summarise it in a sentence, so that I can try to address it? And thank you for the report on Thunderbird; I am happy, if not surprised, to hear that they got it right. It is definitely useful data. – MadHatter Nov 01 '14 at 06:16
0

Outlook Express supports TLS along with SSL. So removing SSlv3 would effect those people who have it setup to use SSL. A switch to using TLS should do the trick.

SSLv3 is so old same with TLS that most mail client support TLS so I wouldn't really worry about it. POODLE also effects XPsp2 and below so if you can just tell people to upgrade to sp3 and ie will work again.

Mike
  • 21,910
  • 7
  • 55
  • 79