Pegasus Mail & Mercury

Welcome to the Community for Pegasus Mail and
The Mercury Mail Transport System, the Internet's longest-serving PC e-mail system!

Security Update Required

Last post 07-08-2019, 17:47 by Rolf Lindby. 10 replies.
  •  05-09-2019, 19:56

    Security Update Required

    Hi!

    I tried to post this the other day, but for some reason it looks like it didn't go through.  Scanmyserver.com (aka BeyondSecurity) has reported the following issues with Mercury 4.80.  I already have "weak ciphers disabled unless authenticated", but that hasn't been sufficient to help.  Is there a way to address these issues?

    Thanks!

     

    Sweet32 Birthday Attacks on 64-bit Block Ciphers in TLS and OpenVPN (DES-CBC3)
    Summary: This test detects SSL ciphers DES-CBC3 supported by the remote service for encrypting communications.

    Weak Cipher DES-CBC3 found:
    (Cipher: DES-CBC3-SHA|SSLv3|Kx=RSA|Au=RSA|Enc=3DES(168)|Mac=SHA1)
    (Cipher: DES-CBC3-SHA|TLSv1|Kx=RSA|Au=RSA|Enc=3DES(168)|Mac=SHA1)
    Port: imaps (993/tcp)
    Solution: See solution found at: https://www.openssl.org/blog/blog/2016/08/24/sweet32/
    External sources: https://sweet32.info/
    CVE: CVE-2016-2183
    Test ID: 19146

    SSL Medium Strength Cipher Suites Supported
    Summary: The remote host supports the use of SSL ciphers that offer medium strength encryption, which we currently regard as those with key lengths at least 56 bits and less than 112 bits.

    Here is the only medium strength SSL cipher supported by the remote server:
    * Medium Strength Ciphers (>= 56-bit and < 112-bit key)
    * SSLv3 - DES-CBC-SHA Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1
    * TLSv1 - DES-CBC-SHA Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1
    The fields above are:
    * {OpenSSL ciphername}
    * Kx={key exchange}
    * Au={authentication}
    * Enc={symmetric encryption method}
    * Mac={message authentication code}
    * {export flag}
    Port: imaps (993/tcp)
    Solution: Reconfigure the affected application if possible to avoid use of medium strength ciphers.
    External sources: http://support.microsoft.com/kb/245030
    Test ID: 12076

    Deprecated SSL Protocol Usage
    Summary: The remote service accepts connections encrypted using SSLv2 and/or SSLv3, which reportedly suffers from several cryptographic flaws and has been deprecated for several years. An attacker may be able to exploit these issues to conduct man-in-the-middle attacks or decrypt communications between the affected service and clients.

    SSLv3
    Port: imaps (993/tcp)
    Solution: Consult the application's documentation to disable SSL 2.0 and SSL 3.0, and use TLS 1.0 or newer.
    External sources: http://www.schneier.com/paper-ssl.pdf
    Test ID: 9329
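The three findings in the scan report above are really three independent checks on the same cipher descriptions: a 64-bit block cipher (the Sweet32 issue, CVE-2016-2183), a nominal key length of at least 56 and under 112 bits (the scanner's "medium strength" band), and a deprecated protocol version (SSLv2/SSLv3). The following parser, added here as an example and not code from the scanner, from Mercury, or from anyone in the thread, reads the OpenSSL-style cipher lines in the two layouts the report uses and applies exactly those three rules. The sample lines are copied from the report plus one constructed AES control entry; the "Cipher: ..." pieces from the Sweet32 finding are fed in one per line, and the set of 64-bit block ciphers is the example's own assumption.

```python
"""Classify OpenSSL-style cipher descriptions with the rules a TLS scanner applies."""
import re
from typing import Dict, List, NamedTuple, Optional


class CipherOffer(NamedTuple):
    name: str       # OpenSSL cipher name, e.g. DES-CBC3-SHA
    protocol: str   # SSLv3, TLSv1, TLSv1.2, ...
    enc: str        # symmetric algorithm reported in Enc=ALG(bits), e.g. 3DES
    key_bits: int   # nominal key length reported in Enc=ALG(bits)


# Symmetric ciphers with a 64-bit block (assumption of this example): the
# Sweet32 / CVE-2016-2183 birthday-bound attack applies to all of them.
BLOCK64_CIPHERS = {"DES", "3DES", "RC2", "IDEA", "BF"}
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3"}

PROTO_RE = re.compile(r"\b(SSLv[23]|TLSv1(?:\.[0-3])?)\b")
ENC_RE = re.compile(r"Enc=([A-Za-z0-9]+)\((\d+)\)")
# The cipher name follows "Cipher:" in the pipe-delimited layout
# ("Cipher: NAME|PROTO|Kx=..") and "PROTO - " in the list layout ("* PROTO - NAME Kx=..").
NAME_PIPE_RE = re.compile(r"Cipher:\s*([A-Z0-9-]+)")
NAME_LIST_RE = re.compile(r"-\s+([A-Z0-9-]+)\s+Kx=")


def parse_offer(line: str) -> Optional[CipherOffer]:
    """Parse one cipher description in either layout; return None if it is not one."""
    proto = PROTO_RE.search(line)
    enc = ENC_RE.search(line)
    name = NAME_PIPE_RE.search(line) or NAME_LIST_RE.search(line)
    if not (proto and enc and name):
        return None
    return CipherOffer(name.group(1), proto.group(1), enc.group(1), int(enc.group(2)))


def classify(offer: CipherOffer) -> List[str]:
    """Apply the scanner's three rules; an empty list means no finding."""
    findings = []
    if offer.enc in BLOCK64_CIPHERS:
        findings.append("sweet32-64bit-block")
    if 56 <= offer.key_bits < 112:          # the report's "medium strength" band
        findings.append("medium-strength-key")
    if offer.protocol in DEPRECATED_PROTOCOLS:
        findings.append("deprecated-protocol")
    return findings


def audit(lines: List[str]) -> Dict[str, List[str]]:
    """Map "NAME/PROTO" to its findings for every parsable line; unparsable lines are skipped."""
    report: Dict[str, List[str]] = {}
    for line in lines:
        offer = parse_offer(line)
        if offer is not None:
            report[f"{offer.name}/{offer.protocol}"] = classify(offer)
    return report


# Constructed sample: the report's entries, one per line, plus an AES control entry.
SAMPLE_REPORT_LINES = [
    "Cipher: DES-CBC3-SHA|SSLv3|Kx=RSA|Au=RSA|Enc=3DES(168)|Mac=SHA1",
    "Cipher: DES-CBC3-SHA|TLSv1|Kx=RSA|Au=RSA|Enc=3DES(168)|Mac=SHA1",
    "* SSLv3 - DES-CBC-SHA Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1",
    "* TLSv1 - DES-CBC-SHA Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1",
    "Cipher: AES128-SHA|TLSv1|Kx=RSA|Au=RSA|Enc=AES(128)|Mac=SHA1",  # constructed control line
]

if __name__ == "__main__":
    for offer_id, findings in audit(SAMPLE_REPORT_LINES).items():
        print(f"{offer_id:22} {', '.join(findings) or 'ok'}")
```

Note that 3DES is reported with a nominal 168-bit key, so it falls outside the scanner's 56-to-112-bit "medium" band and is flagged only by its 64-bit block; DES-CBC-SHA trips both rules, and every SSLv3 offer additionally trips the protocol rule.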
  •  05-13-2019, 19:36

    • Sellerie is not online. Last active: 2019/08/07, 21:50 Sellerie
    • Top 75 Contributor
    • Joined on 04-10-2014
    • Member
    • Points 1,145

    Re: Security Update Required

    I suggest using stunnel for the entire encrypted communication from and to Mercury. Then you get more config options and it is easier to harden. Maybe this will change at some time in the future, hopefully. The last Mercury update was released in September 2015...
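A minimal stunnel configuration along the lines suggested above, added here as an example and not taken from Mercury's or stunnel's documentation. It assumes stunnel 5.x on the Mercury host, Mercury's IMAP server listening in plain text on 127.0.0.1:143, placeholder certificate paths, and that Mercury's own listener on port 993 has been turned off so stunnel can bind it. The settings close exactly the three findings in the scan report: SSLv2/SSLv3 are refused, and 3DES/DES are removed from the cipher list. Because stunnel terminates TLS itself, Mercury then sees every connection as coming from the loopback address.

```ini
; Added example stunnel.conf for a Mercury IMAP listener (assumed layout, placeholder paths).
cert = C:\stunnel\mercury-cert.pem
key  = C:\stunnel\mercury-key.pem

[imaps]
accept  = 993
connect = 127.0.0.1:143
; Refuse the deprecated protocols the scan flagged; negotiate TLS 1.2 only.
sslVersion = TLSv1.2
options = NO_SSLv2
options = NO_SSLv3
; Drop 3DES and DES (64-bit block, Sweet32 / medium strength) together with
; anonymous, null, export, RC4 and MD5-based suites.
ciphers = HIGH:!3DES:!DES:!aNULL:!eNULL:!EXPORT:!RC4:!MD5
```

After restarting stunnel, re-running the same scanner against port 993 is the check that the DES-CBC3, DES-CBC and SSLv3 findings have gone.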
  •  05-15-2019, 4:10

    Re: Security Update Required

    Thanks!  That's a good idea. 

  •  05-26-2019, 21:03

    Re: Security Update Required

    One very unfortunate part is that when using stunnel it looks like all of the connections come from 127.0.0.1, so any special processing of the logs to ban abusive IPs, etc., no longer works.  I hope they update Mercury soon.
  •  05-27-2019, 2:36

    • Rolf Lindby is online. Last active: 2019-09-19, 2:32 Rolf Lindby
    • Top 10 Contributor
    • Joined on 05-08-2007
    • Stockholm, Sweden
    • SuperStar
    • Points 26,350
    • BetaTeam Moderator SystemAdministrator

    Re: Security Update Required

    If you would be interested in running the current beta I can send you a download link.

     

  •  06-19-2019, 18:17

    Re: Security Update Required

    Absolutely!
  •  06-21-2019, 18:10

    • Rolf Lindby is online. Last active: 2019-09-19, 2:32 Rolf Lindby
    • Top 10 Contributor
    • Joined on 05-08-2007
    • Stockholm, Sweden
    • SuperStar
    • Points 26,350
    • BetaTeam Moderator SystemAdministrator

    Re: Security Update Required

    On its way! 

  •  06-30-2019, 21:49

    Re: Security Update Required

    Thanks!  So far, so good.  I'm interested in trying out the "SSL and access control" for MercuryE with the "Use SSL whenever it is available" option enabled, but it says to reference the help file before enabling which doesn't appear to be updated.  Is there any info on this feature yet, or is there anything specific in this beta that you would like me to test or look out for?  I'll do what I can to help.
  •  07-02-2019, 4:04

    • Rolf Lindby is online. Last active: 2019-09-19, 2:32 Rolf Lindby
    • Top 10 Contributor
    • Joined on 05-08-2007
    • Stockholm, Sweden
    • SuperStar
    • Points 26,350
    • BetaTeam Moderator SystemAdministrator

    Re: Security Update Required

    There should be a link to the SSL and Access control help page on the MercuryE page. The text there reads:

    -  -  - 

    Use SSL whenever it is available

    Selecting this control tells MercuryE that it can use secure connections whenever the servers to which it connects advertise that they will accept them. The caveats that apply to accepting incoming SSL connections in the MercuryS SMTP server do not usually apply in reverse to MercuryE, and it is normally quite safe to select this option in MercuryE provided you do not mind the slight performance penalty it will introduce. 

    -  -  -

    If you notice any problems or unexpected behavior please report here or directly to me, all input is much appreciated!


  •  07-08-2019, 13:55

    Re: Security Update Required

    Hello Rolf, I would be interested in running the current Beta if possible. Thank you. Stephen
  •  07-08-2019, 17:47

    • Rolf Lindby is online. Last active: 2019-09-19, 2:32 Rolf Lindby
    • Top 10 Contributor
    • Joined on 05-08-2007
    • Stockholm, Sweden
    • SuperStar
    • Points 26,350
    • BetaTeam Moderator SystemAdministrator

    Re: Security Update Required

    Stephen: A download link is on its way to you!

     


Copyright © 2007-2011 David Harris / Peter Strömblad. | Pegasus Mail Home Page