Pegasus Mail & Mercury

Welcome to the Community for Pegasus Mail and
The Mercury Mail Transport System, the Internet's longest-serving PC e-mail system!
Welcome to Pegasus Mail & Mercury Sign in | Join | Help
Home Blogs Forums Downloads Pegasus Mail Overview Mercury Overview Wiki

Security Update Required

Last post 05-15-2019, 4:10 by Tim W Young. 2 replies.
Sort Posts: Previous Next
  •  05-09-2019, 19:56

    Security Update Required


    I tried to post this the other day, but for some reason it looks like it didn't go through. (aka BeyondSecurity) has reported the following issues with Mercury 4.80.  I already have "weak ciphers disabled unless authenticated", but that hasn't been sufficient to help.  Is there a way to address these issues?



    Sweet32 Birthday Attacks on 64-bit Block Ciphers in TLS and OpenVPN (DES-CBC3)
    SummaryThis test detects SSL ciphers DES-CBC3 supported by the remote service for encrypting communications.

    Weak Cipher DES-CBC3 found: (Cipher: DES-CBC3-SHA|SSLv3|Kx=RSA|Au=RSA|Enc=3DES(168)|Mac=SHA1) (Cipher: DES-CBC3-SHA|TLSv1|Kx=RSA|Au=RSA|Enc=3DES(168)|Mac=SHA1)
    Portimaps (993/tcp)SolutionSee solution found at: sources ID19146
    SSL Medium Strength Cipher Suites Supported
    SummaryThe remote host supports the use of SSL ciphers that offer medium strength encryption, which we currently regard as those with key lengths at least 56 bits and less than 112 bits.

    Here is the only medium strength SSL cipher supported by the remote server:
    * Medium Strength Ciphers (>= 56-bit and < 112-bit key)
    * SSLv3 - DES-CBC-SHA Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1 
    * TLSv1 - DES-CBC-SHA Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1 
    The fields above are:
    * {OpenSSL ciphername}
    * Kx={key exchange}
    * Au={authentication}
    * Enc={symmetric encryption method}
    * Mac={message authentication code}
    * {export flag}
    Portimaps (993/tcp)SolutionReconfigure the affected application if possible to avoid use of medium strength ciphers.External sources ID12076
    Deprecated SSL Protocol Usage
    SummaryThe remote service accepts connections encrypted using SSLv2 and/or SSLv3, which reportedly suffers from several cryptographic flaws and has been deprecated for several years. An attacker may be able to exploit these issues to conduct man-in-the-middle attacks or decrypt communications between the affected service and clients.

    Portimaps (993/tcp)SolutionConsult the application's documentation to disable SSL 2.0 and SSL 3.0, and use TLS 1.0 or newer.External sources ID9329
  •  05-13-2019, 19:36

    • Sellerie is not online. Last active: 2019/05/13, 19:49 Sellerie
    • Top 75 Contributor
    • Joined on 04-10-2014
    • Member
    • Points 1,060

    Re: Security Update Required

    I suggest to use stunnel for the entire encrypted communication from and to mercury. Then you get more config options and it is easier to harden. Maybe this will changed anytime in the future, hopefully. The last mercury-update was released in september 2015...
  •  05-15-2019, 4:10

    Re: Security Update Required

    Thanks!  That's a good idea. 

View as RSS news feed in XML

Contact | Advertise | Host provider: PraktIT | Terms of Use | Privacy Statement
Copyright © 2007-2011 David Harris / Peter Strömblad. | Pegasus Mail Home Page