Fixes CVE-2014-3566 (Poodle Bug) #327

11 years ago · d98fa45385
3 changed files with 10 additions and 1 deletions
--- a/src/modules/stack/install/ee_mod_setup_nginx.sh
+++ b/src/modules/stack/install/ee_mod_setup_nginx.sh
@ -21,7 +21,7 @@ function ee_mod_setup_nginx()
 		# Disable nginx version
 		# Set custom header
 		# SSL Settings
-		sed -i "s/http {/http {\n\t##\n\t# EasyEngine Settings\n\t##\n\n\tserver_tokens off;\n\treset_timedout_connection on;\n\tadd_header X-Powered-By \"EasyEngine $EE_VERSION\";\n\tadd_header rt-Fastcgi-Cache \$upstream_cache_status;\n\n\t# Limit Request\n\tlimit_req_status 403;\n\tlimit_req_zone \$binary_remote_addr zone=one:10m rate=1r\/s;\n\n\t# Proxy Settings\n\t# set_real_ip_from\tproxy-server-ip;\n\t# real_ip_header\tX-Forwarded-For;\n\n\tfastcgi_read_timeout 300;\n\tclient_max_body_size 100m;\n\n\t# SSL Settings\n\tssl_session_cache shared:SSL:20m;\n\tssl_session_timeout 10m;\n\tssl_prefer_server_ciphers on;\n\tssl_ciphers HIGH:\!aNULL:\!MD5:\!kEDH;\n\n/" /etc/nginx/nginx.conf
+		sed -i "s/http {/http {\n\t##\n\t# EasyEngine Settings\n\t##\n\n\tserver_tokens off;\n\treset_timedout_connection on;\n\tadd_header X-Powered-By \"EasyEngine $EE_VERSION\";\n\tadd_header rt-Fastcgi-Cache \$upstream_cache_status;\n\n\t# Limit Request\n\tlimit_req_status 403;\n\tlimit_req_zone \$binary_remote_addr zone=one:10m rate=1r\/s;\n\n\t# Proxy Settings\n\t# set_real_ip_from\tproxy-server-ip;\n\t# real_ip_header\tX-Forwarded-For;\n\n\tfastcgi_read_timeout 300;\n\tclient_max_body_size 100m;\n\n\t# SSL Settings\n\tssl_session_cache shared:SSL:20m;\n\tssl_session_timeout 10m;\n\tssl_prefer_server_ciphers on;\n\tssl_ciphers HIGH:\!aNULL:\!MD5:\!kEDH;\n\t# Fix POODLE attack\n\tssl_protocols TLSv1 TLSv1.1 TLSv1.2;\n\n/" /etc/nginx/nginx.conf

 		# Adjust nginx keepalive_timeout
 		sed -i "s/keepalive_timeout.*/keepalive_timeout 30;/" /etc/nginx/nginx.conf
--- a/src/modules/stack/install/mail/ee_mod_setup_dovecot.sh
+++ b/src/modules/stack/install/mail/ee_mod_setup_dovecot.sh
@ -30,6 +30,9 @@ function ee_mod_setup_dovecot()
 	sed -i "s/#\!include auth-sql.conf.ext/\!include auth-sql.conf.ext/" /etc/dovecot/conf.d/10-auth.conf \
 	|| ee_lib_error "Unable to setup 10-auth.conf file, exit status = " $?

+	# Configuring 10-ssl.conf, Disable SSLv2 and SSLv3, Fixes POODLE Bug
+	sed -i "s/#ssl_protocols =.*/ssl_protocols = \!SSLv2 \!SSLv3/" /etc/dovecot/conf.d/10-ssl.conf
+
 	# Configuring dovecot-sql.conf.ext
 	cp -v /usr/share/easyengine/mail/dovecot-sql.conf.ext /etc/dovecot/dovecot-sql.conf.ext &>> $EE_COMMAND_LOG \
 	|| ee_lib_error "Unable to copy dovecot-sql.conf.ext, exit status = " $?
--- a/src/modules/stack/install/mail/ee_mod_setup_postfix.sh
+++ b/src/modules/stack/install/mail/ee_mod_setup_postfix.sh
@ -33,6 +33,12 @@ function ee_mod_setup_postfix()

 	postconf -e "smtpd_relay_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination"

+	# Disable SSL for POODLE
+	postconf -e "smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3"
+	postconf -e "smtp_tls_mandatory_protocols=!SSLv2,!SSLv3"
+	postconf -e "smtpd_tls_protocols=!SSLv2,!SSLv3"
+	postconf -e "smtp_tls_protocols=!SSLv2,!SSLv3"
+
 	# other destination domains should be handled using virtual domains 
 	postconf -e "mydestination = localhost"