The Sophos UTM update 9.210 solves the problem with SSLv3 and the POODLE bug. The update deactivates SSLv3 ... and TLS 1.0, 1.1 and 1.2 as well.
You can find entries like this in your smtp.log:
2014:12:10-14:30:59 astaro exim-in[1270]: 2014-12-10 14:30:59 TLS error on connection from mail-yk0-f179.google.com [209.85.160.179]:55470 (SSL_accept): error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
\ ( -_-) / “yeah…”
You can check this with:
cat /var/log/smtp.log | grep SSL3
I will show you how to solve this manually. Log in via SSH (user “loginuser”) to the shell and change to root with “su -”. Once you are root, edit the exim.conf file:
vi /var/chroot-smtp/etc/exim.conf
Now press i for insert mode and go to the position where you find this (use Page Down to scroll faster):
# Misc static settings
...
tls_require_ciphers = HIGH:!RC4:!MD5:!ADH:!SSLv2:!SSLv3
replace the line with this:
tls_require_ciphers = RC4+RSA:HIGH:!MD5:!ADH:!SSLv2
Now go to this part:
# TLS
tls_certificate = ${if eq{TLS_NAME}{} {}{INCLUDE/TLS_NAME.cert}}
tls_privatekey = ${if eq{TLS_NAME}{} {}{INCLUDE/TLS_NAME.key}}
tls_advertise_hosts = ${if eq{TLS_NAME}{} {}{!+tls_avoid}}
Add a new line and paste this into it:
openssl_options = +no_sslv3
Now press ESC to leave insert mode, type “:wq” and press ENTER to write the file and quit vi.
To make your changes take effect, restart the SMTP daemon:
/var/mdw/scripts/smtp restart
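The same two edits, applied with a script instead of by hand, as an added example (this is not code from the original post or from Sophos). It keeps a backup of exim.conf, replaces the cipher line exactly as described above, adds the openssl_options line once (so running it twice does no harm), verifies the result, and counts the "no shared cipher" handshake failures in smtp.log. The file contents below are constructed samples modelled on the lines shown in the post; the paths are the UTM paths named above. Background for why the post's edit works: in an OpenSSL cipher string, "!SSLv3" excludes every SSLv3-era cipher suite, and TLS 1.0 and 1.1 use that same suite set, so the shipped line left peers that could not negotiate a TLS 1.2-only suite with no shared cipher. The post's fix therefore drops "!SSLv3" from the cipher list and disables the SSLv3 protocol itself via openssl_options instead.

```shell
#!/bin/sh
# Added example, not the post's own code. Applies the exim.conf changes
# from the post with awk and checks smtp.log for the SSL3 handshake errors.
set -eu

# Count the TLS failures of the kind quoted in the post.
count_ssl3_errors() {
    # grep -c prints 0 and exits 1 when nothing matches; keep the 0
    grep -c 'SSL3_GET_CLIENT_HELLO:no shared cipher' "$1" || true
}

# Apply both edits; safe to run more than once.
patch_exim_conf() {
    conf="$1"
    cp "$conf" "$conf.bak"                       # keep an untouched copy
    if grep -q '^openssl_options = +no_sslv3' "$conf"; then have_opt=1; else have_opt=0; fi
    awk -v have_opt="$have_opt" '
        # step 1: swap the cipher list exactly as the post does
        $0 == "tls_require_ciphers = HIGH:!RC4:!MD5:!ADH:!SSLv2:!SSLv3" {
            print "tls_require_ciphers = RC4+RSA:HIGH:!MD5:!ADH:!SSLv2"; next
        }
        { print }
        # step 2: add the protocol-level SSLv3 switch once, after tls_advertise_hosts
        /^tls_advertise_hosts = / && !have_opt {
            print "openssl_options = +no_sslv3"; have_opt = 1
        }
    ' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Exit 0 only if the new cipher line and openssl_options are present and
# no "!SSLv3" is left anywhere in the file.
verify_exim_conf() {
    grep -q '^tls_require_ciphers = RC4+RSA:HIGH:!MD5:!ADH:!SSLv2$' "$1" &&
    grep -q '^openssl_options = +no_sslv3$' "$1" &&
    ! grep -q '!SSLv3' "$1"
}

# Constructed sample log and config (shaped like the post's excerpts) in a
# temp dir, so the script runs offline; prints the directory.
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/smtp.log" <<'EOF'
2014:12:10-14:30:59 astaro exim-in[1270]: 2014-12-10 14:30:59 TLS error on connection from mail-yk0-f179.google.com [209.85.160.179]:55470 (SSL_accept): error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
2014:12:10-14:31:02 astaro exim-in[1270]: 2014-12-10 14:31:02 TLS error on connection from mx.example.test [192.0.2.10]:40112 (SSL_accept): error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
2014:12:10-14:31:05 astaro exim-in[1275]: 2014-12-10 14:31:05 <= sender@example.test H=mx.example.test [192.0.2.10] P=esmtp S=1234
EOF
    cat > "$dir/exim.conf" <<'EOF'
# Misc static settings
tls_require_ciphers = HIGH:!RC4:!MD5:!ADH:!SSLv2:!SSLv3

# TLS
tls_certificate = ${if eq{TLS_NAME}{} {}{INCLUDE/TLS_NAME.cert}}
tls_privatekey = ${if eq{TLS_NAME}{} {}{INCLUDE/TLS_NAME.key}}
tls_advertise_hosts = ${if eq{TLS_NAME}{} {}{!+tls_avoid}}
EOF
    printf '%s\n' "$dir"
}

# Demo on the sample files. On a real UTM you would instead run, as root:
#   patch_exim_conf /var/chroot-smtp/etc/exim.conf && /var/mdw/scripts/smtp restart
sample_dir=$(make_samples)
printf 'SSL3 handshake failures in sample log: %s\n' "$(count_ssl3_errors "$sample_dir/smtp.log")"
patch_exim_conf "$sample_dir/exim.conf"
if verify_exim_conf "$sample_dir/exim.conf"; then
    printf 'exim.conf patched (backup in %s):\n' "$sample_dir/exim.conf.bak"
    cat "$sample_dir/exim.conf"
fi
```

Keep in mind the trade-off the post's cipher line makes: it re-enables RC4, which the shipped line had disabled, in exchange for interoperability with peers that only offer SSLv3-era suites. After the restart, re-run the log check; the "no shared cipher" count should stop growing for the senders that failed before.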
There is also a bug (ID 33990) where you can’t view live logs or saved logs. Sophos is working hard on a new patch for 9.210; I am looking forward to it!
UPDATE:
You can now directly update to 9.304, just upload this file to your UTM: u2d-sys-9.210020-304009.tgz.gpg
7 Responses
I have the latest version, see below, and still had this problem. Your fix helped though. BIG THANKS!
Current firmware version: 9.210-20
Your firmware is up to date.
Thanks it worked for me
Nice report, Thx
I am a novice to Linux and as such a bit hesitant to follow your steps above. Is there any way to revert back to 9.209-8 instead of reinstalling? This email issue is really hurting us. I have downloaded the latest version image also, but installing will erase my month-old log record, which I am trying to avoid.
Any idea whether the issue is resolved in 9.304 or not? Are there any critical known issues with 9.304?
“You can now directly update to 9.304, just upload this file to your UTM: u2d-sys-9.210020-304009.tgz.gpg”
Could you please explain what the above will do? I uploaded it using management/advance/upload and applied it, but could not see any change.
Hi!
No, you can’t do a downgrade. Just download “putty” at http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html and connect via SSH to your gateway (keep in mind to set a password under System Settings -> Shell Access). After you are logged in as “loginuser”, change to root with “su -”, and after this use the information from this blog entry. Tell me if it works for you.
Much appreciated! Thanks very much, great post easy to read and follow.
Best regards,