Ralf Zimmermann SIEGNETZ.IT GmbH

News

Pigeonhole for Dovecot v2.2.19.rc1 Release v0.4.9

Back to top | Published on

Pigeonhole v0.4.9 for Dovecot v2.2.19.rc1 has been released.

Hello Dovecot users,

Here's the Pigeonhole RC that goes with the Dovecot RC.

Changelog v0.4.9.rc1:

* Properly implemented checking of ABI version for Sieve interpreter plugins, much like Dovecot itself does for plugins. This will prevent plugin ABI mismatches.
+ Implemented a vnd.dovecot.environment extension. This builds upon the standard environment extension and adds a few more environment items, such as username and default mailbox. It also creates a variables namespace so that environment items can be accessed directly. I am still thinking about more environment items that can be added.
+ Sieve extprograms plugin: Made line endings of the input passed to the external programs configurable. This can be configured separately for each of the three extensions.
+ ManageSieve: Implemented proxy XCLIENT support. This allows the proxy to pass client information to the back-end.
- ManageSieve: Fixed an assert failure occurring when a client disconnects during the GETSCRIPT command.
- doveadm sieve plugin: Fixed incorrect initialization of mail user. This caused a few memory leaks.
- sieve-filter command line tool: Fixed handling of failure-related implicit keep when there is an explicit default destination folder. This caused message duplication.
- lib-sieve: Fixed bug in RFC5322 header folding. Words longer than the optimal line length caused empty lines in the output, which would break the resulting message header. This surfaced in References: headers with very long message IDs.

The release is available as follows:

Refer to http://pigeonhole.dovecot.org and the Dovecot v2.x wiki for more information.

Have fun testing this new release and don't hesitate to notify me when there are any problems.

Postfix stable release 3.0.2 and legacy releases 2.11.6, 2.10.8, and 2.9.14


On 22.07.2015 Wietse Venema released Postfix version 3.0.2.

Postfix stable release 3.0.2 is available, as well as legacy releases 2.11.6, 2.10.8, and 2.9.14.

With all supported Postfix releases, the default settings have been updated so that they no longer enable export-grade ciphers, and no longer enable the SSLv2 and SSLv3 protocols. These ciphers and protocols have little if any legitimate use today, and have instead become a vehicle for downgrade attacks. There are no other code changes.

Postfix documentation has been updated to reflect the new default settings and their rationale; the RELEASE_NOTES give suggestions for how to enable the old ciphers and protocols if your infrastructure requires them.

Finally, abandoning deprecated ciphers and protocols does not really improve TLS security without measures to better authenticate remote servers. Secure DNS and TLSA are steps in that direction.

You can find the updated Postfix source code at the mirrors listed at .

Wietse

Pigeonhole for Dovecot v2.2 Release v0.4.8


Pigeonhole v0.4.8 for Dovecot v2.2 has been released.

Hello Dovecot users,

Here is the final 0.4.8 release. No significant changes were committed since the last release candidate.

Changelog v0.4.8:

* LDA Sieve plugin: Dovecot changed the deliver_log_format setting to include %{delivery_time}. This prompted changes in Pigeonhole that make this release dependent on Dovecot v2.2.17.
+ Implemented magic to make sieve_default script visible from ManageSieve under a configurable name. This way, users can see the default rules, edit them and store a private adjusted version. This could also be achieved by copying the default script into the user's script storage, but updates to the global sieve_default script would be ignored that way.
+ ManageSieve: Implemented support for reporting command statistics at disconnect. Statistics include the number of bytes and scripts uploaded/downloaded/checked and the number of scripts deleted/renamed.
- Fixed problem in address test: erroneously decoded mime-encoded words in address headers.
- extprograms plugin: Fixed failure occurring when connecting to script service without the need to read back the output from the external program.
- Fixed bug in script storage path normalization occurring with relative symbolic links below root.
- Fixed and updated various parts of the documentation
- ManageSieve: Used "managesieve" rather than "sieve" as login service name, which means that all managesieve-specific settings were ignored.
- Managesieve: Storage quota was not always enforced properly for scripts uploaded as quoted string. Nobody uses that, but it is allowed in the specification and we support it, so it should work properly.

The release is available as follows:

Refer to http://pigeonhole.dovecot.org and the Dovecot v2.x wiki for more information.

Have fun testing this new release and don't hesitate to notify me when there are any problems.

Dovecot Release v2.2.18


Dovecot v2.2.18 has been released.

Oops, director was somewhat broken in 2.2.17. I thought I tested the last changes in it well enough, but looks like not. To avoid all existing Dovecot director installations from breaking I decided to make 2.2.18 release quickly afterwards.

BTW. We're planning on making some changes soon to how version control is used in Dovecot development, which should help avoid these kinds of problems. The main problem now is that everything gets directly committed to the master branch (although we have a separate more stable dovecot-ee repo also). The new plan is to do something like this:

Besides some minor compiling issues and other small changes, the important ones are:

- director: Login UNIX sockets were normally detected as doveadm or director ring sockets, causing it to break in existing installations.
- sdbox: When copying a mail in alt storage, place the destination to alt storage as well.

Dovecot Release v2.2.16


Dovecot v2.2.16 has been released.

A few fixes and some imapc improvements since the release candidate.

* dbox: Resyncing (e.g. doveadm force-resync) no longer deletes dovecot.index.cache file. The cache file was rarely the problem so this just caused unnecessary slowness.
* Mailbox name limits changed during mailbox creation: Each part of a hierarchical name (e.g. "x" or "y" in "x/y") can now be up to 255 chars long (instead of 200). This also reduces the max number of hierarchical levels to 16 (instead of 20) to keep the maximum name length 4096 (a common PATH_MAX limit). The 255 char limit is hopefully large enough for migrations from all existing systems. It's also the limit on many filesystems.
+ director: Added director_consistent_hashing setting to enable consistent hashing (instead of the mostly-random MD5 hashing). This causes fewer user moves between backends when backend counts are changed, which may improve performance (mainly due to caching).
+ director: Added support for "tags", which allows one director ring to serve multiple backend clusters with different sets of users.
+ LMTP server: Added lmtp_user_concurrency_limit setting to limit how many LMTP deliveries can be done concurrently for a single user.
+ LMTP server: Added support for STARTTLS command.
+ If logging data is generated faster than it can be written, log a warning about it and show information about it in log process's process title in ps output. Also don't allow a single service to flood too long at the cost of delaying other services' logging.
+ stats: Added support for getting global statistics.
+ stats: Use the same session IDs as the rest of Dovecot.
+ stats: Plugins can now create their own statistics fields
+ doveadm server: Non-mail related commands can now also be used via doveadm server (TCP socket).
+ doveadm proxying: passdb lookup can now override doveadm_port and change the username.
+ doveadm: Search query now supports "oldestonly" parameter to stop immediately on the first non-match. This can be used to optimize: doveadm expunge mailbox Trash savedbefore 30d oldestonly
+ doveadm: Added "save" command to directly save mails to specified mailbox (bypassing Sieve).
+ doveadm fetch: Added body.snippet field, which returns the first 100 chars of a message without whitespace or HTML tags. The result is stored into dovecot.index.cache, so it can be fetched efficiently.
+ dsync: Added -t <timestamp> parameter to sync only mails newer than the given received-timestamp.
+ dsync: Added -F [-]<flag> parameter to sync only mails with[out] the given flag/keyword.
+ dsync: Added -a <mailbox> parameter to specify the virtual mailbox containing user's all mails. If this mailbox is already found to contain the wanted mail (by its GUID), the message is copied from there instead of being re-saved. (This isn't efficient enough yet for incremental replication.)
+ dsync: -m parameter can now specify \Special-use names for mailboxes.
+ imapc: Added imapc_features=gmail-migration to help migrations from GMail. See http://wiki2.dovecot.org/Migration/Gmail
+ imapc: Added imapc_features=search to support IMAP SEARCH command. (Currently requires ESEARCH support from remote server.)
+ expire plugin: Added expire_cache=yes setting to cache most of the database lookups in dovecot index files.
+ quota: If overquota-flag in userdb doesn't match the current quota usage, execute a configured script.
+ redis dict: Added support for expiring keys (:expire_secs=n) and specifying the database number (:db=n)
- auth: Don't crash if master user login is attempted without any configured master=yes passdbs
- Parsing UTF-8 text for mails could have caused broken results sometimes if buffering was split in the middle of a UTF-8 character. This affected at least searching messages.
- String sanitization for some logged output wasn't done properly: UTF-8 text could have been truncated wrongly or the truncation may not have happened at all.
- fts-lucene: Lookups from virtual mailbox consisting of over 32 physical mailboxes could have caused crashes.

Securing Postfix and Dovecot against the SSL FREAK attack


Securing Postfix against the FREAK attack


smtpd_tls_exclude_ciphers = EXPORT, LOW

Securing Dovecot against the FREAK attack


ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL:!EXPORT
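An added example, not part of this page and not code from the Postfix or Dovecot projects: a small audit script that reads Postfix and Dovecot configuration text and reports whether the two settings above actually exclude export-grade and LOW ciphers. It also checks the Postfix parameter smtpd_tls_protocols for the SSLv2/SSLv3 exclusion that the Postfix 3.0.2 note above describes; that parameter name comes from the Postfix documentation, not from this page. All configuration text is constructed inline; no files or servers are touched.

```python
import re

# Constructed sample configuration text; nothing is read from disk.
POSTFIX_WEAK = """# main.cf (constructed sample)
smtpd_tls_security_level = may
smtpd_tls_protocols = !SSLv2
"""
POSTFIX_FIXED = """# main.cf (constructed sample)
smtpd_tls_security_level = may
smtpd_tls_exclude_ciphers = EXPORT, LOW
smtpd_tls_protocols = !SSLv2, !SSLv3
"""
DOVECOT_WEAK = """# 10-ssl.conf (constructed sample)
ssl = yes
ssl_cipher_list = ALL:!aNULL
"""
DOVECOT_FIXED = """# 10-ssl.conf (constructed sample)
ssl = yes
ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL:!EXPORT
"""


def parse_settings(text):
    """Map 'name = value' lines to a dict; comments and blank lines are skipped."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, _, value = line.partition("=")
        settings[name.strip()] = value.strip()
    return settings


def _list_tokens(value):
    """Split a Postfix comma/whitespace separated list into upper-case tokens."""
    return {tok.upper() for tok in re.split(r"[,\s]+", value) if tok}


def postfix_findings(text):
    """Return a list of findings for a Postfix main.cf fragment (empty = fine)."""
    settings = parse_settings(text)
    findings = []
    excluded = _list_tokens(settings.get("smtpd_tls_exclude_ciphers", ""))
    for grade in ("EXPORT", "LOW"):
        if grade not in excluded:
            findings.append(f"smtpd_tls_exclude_ciphers does not exclude {grade}")
    protocols = _list_tokens(settings.get("smtpd_tls_protocols", ""))
    for proto in ("SSLv2", "SSLv3"):
        if "!" + proto.upper() not in protocols:
            findings.append(f"smtpd_tls_protocols does not disable {proto}")
    return findings


def dovecot_findings(text):
    """Return a list of findings for a Dovecot ssl_cipher_list setting.

    OpenSSL cipher strings are ':'-separated; a leading '!' removes the named
    group permanently. EXP and EXPORT both name the export-grade ciphers.
    """
    settings = parse_settings(text)
    tokens = settings.get("ssl_cipher_list", "").split(":")
    removed = {tok[1:].upper() for tok in tokens if tok.startswith("!")}
    findings = []
    if not removed & {"EXP", "EXPORT"}:
        findings.append("ssl_cipher_list does not remove export-grade ciphers")
    if "LOW" not in removed:
        findings.append("ssl_cipher_list does not remove LOW-strength ciphers")
    return findings


if __name__ == "__main__":
    for label, text, check in (("postfix weak", POSTFIX_WEAK, postfix_findings),
                               ("postfix fixed", POSTFIX_FIXED, postfix_findings),
                               ("dovecot weak", DOVECOT_WEAK, dovecot_findings),
                               ("dovecot fixed", DOVECOT_FIXED, dovecot_findings)):
        print(label, "->", check(text) or "OK")
```

Run it against a copy of your own main.cf and 10-ssl.conf by replacing the constructed strings; the parser deliberately ignores comments so that a commented-out setting does not count as present.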

Bind 9.9.7 & 9.10.2 released


The Bind versions 9.9.7 and 9.10.2 have been released.

Bind 9.9.7

Introduction

This document summarizes changes since the last production release of BIND on the corresponding major release branch.

Download

The latest versions of BIND 9 software can always be found at http://www.isc.org/downloads/. There you will find additional information about each release, source code, and pre-compiled versions for Microsoft Windows operating systems.

Security Fixes

* On servers configured to perform DNSSEC validation using managed trust anchors (i.e., keys configured explicitly via managed-keys, or implicitly via dnssec-validation auto; or dnssec-lookaside auto;), revoking a trust anchor and sending a new untrusted replacement could cause named to crash with an assertion failure. This could occur in the event of a botched key rollover, or potentially as a result of a deliberate attack if the attacker was in position to monitor the victim's DNS traffic. This flaw was discovered by Jan-Piet Mens, and is disclosed in CVE-2015-1349. [RT #38344]
* A flaw in delegation handling could be exploited to put named into an infinite loop, in which each lookup of a name server triggered additional lookups of more name servers. This has been addressed by placing limits on the number of levels of recursion named will allow (default 7), and on the number of queries that it will send before terminating a recursive query (default 50). The recursion depth limit is configured via the max-recursion-depth option, and the query limit via the max-recursion-queries option. The flaw was discovered by Florian Maury of ANSSI, and is disclosed in CVE-2014-8500. [RT #37580]

New Features

* None

...

Bind 9.10.2

Release Notes for BIND Version 9.10.2

Introduction

This document summarizes changes since the last production release of BIND on the corresponding major release branch.

Download

The latest versions of BIND 9 software can always be found at http://www.isc.org/downloads/. There you will find additional information about each release, source code, and pre-compiled versions for Microsoft Windows operating systems.

Security Fixes

* On servers configured to perform DNSSEC validation using managed trust anchors (i.e., keys configured explicitly via managed-keys, or implicitly via dnssec-validation auto; or dnssec-lookaside auto;), revoking a trust anchor and sending a new untrusted replacement could cause named to crash with an assertion failure. This could occur in the event of a botched key rollover, or potentially as a result of a deliberate attack if the attacker was in position to monitor the victim's DNS traffic. This flaw was discovered by Jan-Piet Mens, and is disclosed in CVE-2015-1349. [RT #38344]
* A flaw in delegation handling could be exploited to put named into an infinite loop, in which each lookup of a name server triggered additional lookups of more name servers. This has been addressed by placing limits on the number of levels of recursion named will allow (default 7), and on the number of queries that it will send before terminating a recursive query (default 50). The recursion depth limit is configured via the max-recursion-depth option, and the query limit via the max-recursion-queries option. The flaw was discovered by Florian Maury of ANSSI, and is disclosed in CVE-2014-8500. [RT #37580]
* Two separate problems were identified in BIND's GeoIP code that could lead to an assertion failure. One was triggered by use of both IPv4 and IPv6 address families, the other by referencing a GeoIP database in named.conf which was not installed. Both are covered by CVE-2014-8680. [RT #37672] [RT #37679]
* A less serious security flaw was also found in GeoIP: changes to the geoip-directory option in named.conf were ignored when running rndc reconfig. In theory, this could allow named to allow access to unintended clients.

New Features

* None

...

Postfix 3.0.0 released


The new Postfix 3.0.0 release brings several interesting new features. Anyone who uses header and body checks will be pleased by the new multiple-lookup options. In the area of IPv6 and DNS, options for troubleshooting handling and delivery have also been added. This mainly concerns servers that receive AAAA records during name resolution but themselves only have an IPv4 address. Logging also offers new options that can help with hardening systems or with troubleshooting.

Postfix stable release 3.0.0 is available. This release ends support for Postfix 2.8. The main changes in no particular order are:

- SMTPUTF8 support for internationalized domain names and address localparts as defined in RFC 6530 and related documents. The implementation is based on code contributed by Arnt Gulbrandsen and sponsored by CNNIC. SMTPUTF8 support is a work in progress; it is expected to be completed during the Postfix 3.1 development cycle. See SMTPUTF8_README for a summary of limitations.
- Support for Postfix dynamically-linked libraries and database plugins. The implementation is based on code by LaMont Jones for Debian Linux. See INSTALL for detailed descriptions of the available options.
- An OPT-IN safety net for the selective adoption of new Postfix default settings. If you do nothing, the old Postfix default settings *should* remain in effect (complain to your downstream maintainer if that is not the case). See COMPATIBILITY_README for detailed descriptions of Postfix logfile messages.
- Support for operations on multiple lookup tables. The pipemap:{map1,map2...} database type implements a pipeline of lookup tables where the result from one lookup table becomes a query for the next table; the unionmap:{map1,map2,...} database type sends the same query to multiple lookup tables and concatenates their results.
- Support for pseudo-tables that make simple things easy to implement. The inline:{key1=value1,key2=value2,...} table avoids the need to create an external file for just a few items; and the randmap:{value1,value2,...} table implements random selection from the specified values.
- Table-driven transformation of DNS lookup results and of delivery agent status codes and messages. Typically, one would use a PCRE table to fix problematic DNS responses or to fix the handling of delivery errors. See smtp_dns_reply_filter, smtp_delivery_status_filter, and similarly-named parameters for other Postfix daemons.
- Improved configuration file syntax with support for the ternary operator such as ${name?{iftrue}:{iffalse}}, comparison operators such as ${{expr1}==${expr2}?{iftrue}:{iffalse}}, per-Milter and per-policy server timeout and other settings, master.cf parameters that contain whitespace, import/export_environment settings that contain whitespace, and "static" table lookup results that contain whitespace.
- Support for multiple lookup results in access(5) and header/body_checks(5) tables is expected to be completed in the Postfix 3.1 development cycle.
- Per-session command profiles, logged at the end of each inbound SMTP session. For example, a password-guessing bot is logged as "disconnect from name[addr] ehlo=1 auth=0/1 commands=1/2", meaning that the client sent one EHLO command that worked, one AUTH command that failed, and hung up without sending a QUIT command. This information is always logged, and can help to solve puzzles without verbose logging or network sniffers.

[Source: http://www.postfix.org/announcements/postfix-3.0.0.html]
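The per-session command profile quoted above is the kind of line a mail operator ends up grepping for. As an added example (not from the page or from the Postfix project), here is a parser for those "disconnect from" lines that turns the ehlo=1 auth=0/1 commands=1/2 counters into numbers and counts, per client address, the sessions that attempted AUTH, never succeeded, and hung up without QUIT. The log lines are constructed samples with RFC 5737 documentation addresses; the hostnames and process ids are made up.

```python
import re
from collections import Counter

# Constructed sample log lines in the Postfix 3.0 per-session profile format.
SAMPLE_LOG = """\
Jul 23 10:01:02 mx postfix/smtpd[1234]: disconnect from mail.example.org[192.0.2.10] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Jul 23 10:01:05 mx postfix/smtpd[1235]: disconnect from unknown[198.51.100.7] ehlo=1 auth=0/1 commands=1/2
Jul 23 10:01:09 mx postfix/smtpd[1236]: disconnect from unknown[198.51.100.7] ehlo=1 auth=0/3 commands=1/4
Jul 23 10:02:00 mx postfix/smtpd[1237]: disconnect from unknown[203.0.113.5] ehlo=2 starttls=1 auth=1/2 mail=1 rcpt=1 data=1 quit=1 commands=8/9
Jul 23 10:02:30 mx postfix/smtpd[1238]: connect from unknown[203.0.113.9]
"""

PROFILE_RE = re.compile(
    r"disconnect from (?P<host>[^\s\[]+)\[(?P<addr>[^\]]+)\]\s*(?P<counters>.*)$"
)


def parse_profile(line):
    """Parse one 'disconnect from' line into host, address and counters.

    Each counter is 'name=count' or 'name=succeeded/total'; a plain count means
    every command of that kind succeeded, so it is stored as (count, count).
    Returns None for lines that are not session profiles.
    """
    m = PROFILE_RE.search(line)
    if not m:
        return None
    counters = {}
    for tok in m.group("counters").split():
        name, _, val = tok.partition("=")
        ok, _, total = val.partition("/")
        if not ok.isdigit():
            continue
        counters[name] = (int(ok), int(total) if total.isdigit() else int(ok))
    return {"host": m.group("host"), "addr": m.group("addr"), "counters": counters}


def is_failed_auth_session(profile):
    """True for sessions that tried AUTH, never succeeded, and sent no QUIT."""
    c = profile["counters"]
    auth_ok, auth_total = c.get("auth", (0, 0))
    return auth_total > 0 and auth_ok == 0 and "quit" not in c


def failed_auth_sources(log_text):
    """Count failed-AUTH sessions per client IP across a log excerpt."""
    hits = Counter()
    for line in log_text.splitlines():
        profile = parse_profile(line)
        if profile is not None and is_failed_auth_session(profile):
            hits[profile["addr"]] += 1
    return hits


if __name__ == "__main__":
    for addr, n in failed_auth_sources(SAMPLE_LOG).most_common():
        print(f"{addr}: {n} failed-AUTH sessions without QUIT")
```

The third sample line (auth=1/2 followed by a delivery and a QUIT) is a legitimate client that mistyped its password once, so it is not counted; only the address with auth=0/N and no quit counter is reported.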

IPv6 in IPv4-only networks


Many systems now support IPv6 natively. Through mechanisms such as autoconfiguration and automatic tunnels, IPv6-capable systems can establish connections across IPv4 networks. A dual-homed host can thus, for example, be reachable from the Internet and give an attacker access to the internal network.

Security gaps

Insufficient IPv6 support or missing configuration can create security-relevant gaps in the network. These can include, for example, the following scenarios:

  • Network-based intrusion detection systems (NIDS) that do not detect IPv6 attacks
  • IPv4 firewalls
  • Tunnel and NAT connections that allow, for example, Teredo tunnel connections
  • VPN solutions that do not support IPv6

Security measures

There are several measures to prevent uncontrolled communication between internal systems and the Internet. The real difficulty, however, lies in recognizing or localizing the problem.

  • Disable IPv6
  • IPv6 firewall filter rules
  • Disable IPv6 on switches
  • Block protocol 41 in the IPv4 firewall. Used by 6to4 and ISATAP.
  • Block the prefix 2002::/16 on the IPv6 firewall. Used by 6to4 tunnels.
  • Block the IPv4 anycast address 192.88.99.1. Used by 6to4 relays.
  • UDP port 3544. Used by Teredo servers.
  • Check DNS queries for teredo.ipv6.microsoft.com.
  • Check DNS queries for isatap.<localdomain>.
  • Filter out IPv6 AAAA records in IPv4-only networks
  • Block UDP/TCP port 3653. Used by the Tunnel Setup Protocol (TSP).
  • Block UDP/TCP port 5072. Used by the AYIYA tunnel technology.
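Because the hard part, as the text says, is noticing the problem, the measures above are also useful as detection rules. The following is an added example, not from the page: it takes flow records (protocol number, addresses, destination port) and DNS query names and flags the tunnel indicators listed above (protocol 41, the 6to4 relay anycast 192.88.99.1, the 2002::/16 prefix, UDP 3544, ports 3653 and 5072, and the Teredo/ISATAP discovery names). The Flow record type, the sample flows and the local domain corp.example are constructed for the example; AAAA filtering is a resolver setting and is not modelled here.

```python
import ipaddress
from collections import namedtuple

# One flow record: IP protocol number, source, destination, destination port (constructed type).
Flow = namedtuple("Flow", "proto src dst dport")

# Indicators taken from the list of measures above.
PROTO_41 = 41                                          # 6to4 and ISATAP encapsulation
SIXTO4_RELAY_ANYCAST = ipaddress.ip_address("192.88.99.1")
SIXTO4_PREFIX = ipaddress.ip_network("2002::/16")
TEREDO_UDP_PORT = 3544
TSP_PORT = 3653                                        # Tunnel Setup Protocol
AYIYA_PORT = 5072
TEREDO_DNS_NAME = "teredo.ipv6.microsoft.com"
TCP, UDP = 6, 17


def classify_flow(flow):
    """Return the transition-tunnel indicators matched by one flow record."""
    dst = ipaddress.ip_address(flow.dst)
    hits = []
    if flow.proto == PROTO_41:
        hits.append("protocol 41 (6to4/ISATAP)")
    if dst == SIXTO4_RELAY_ANYCAST:
        hits.append("6to4 relay anycast 192.88.99.1")
    if dst.version == 6 and dst in SIXTO4_PREFIX:
        hits.append("6to4 prefix 2002::/16")
    if flow.proto == UDP and flow.dport == TEREDO_UDP_PORT:
        hits.append("Teredo UDP/3544")
    if flow.proto in (TCP, UDP) and flow.dport == TSP_PORT:
        hits.append("TSP port 3653")
    if flow.proto in (TCP, UDP) and flow.dport == AYIYA_PORT:
        hits.append("AYIYA port 5072")
    return hits


def classify_dns_query(qname, local_domain):
    """Return an indicator for DNS names used in tunnel discovery, else None."""
    name = qname.rstrip(".").lower()
    if name == TEREDO_DNS_NAME:
        return "Teredo server discovery"
    if name == "isatap." + local_domain.rstrip(".").lower():
        return "ISATAP router discovery"
    return None


def scan(flows, dns_queries, local_domain):
    """Run both classifiers; returns (flagged_flows, flagged_queries)."""
    flagged_flows = []
    for flow in flows:
        hits = classify_flow(flow)
        if hits:
            flagged_flows.append((flow, hits))
    flagged_queries = []
    for qname in dns_queries:
        hit = classify_dns_query(qname, local_domain)
        if hit:
            flagged_queries.append((qname, hit))
    return flagged_flows, flagged_queries


# Constructed sample data (RFC 5737 / RFC 3849 documentation addresses).
SAMPLE_FLOWS = [
    Flow(TCP, "192.0.2.10", "198.51.100.20", 443),      # ordinary HTTPS, should not match
    Flow(PROTO_41, "192.0.2.11", "192.88.99.1", 0),     # 6to4 towards the relay anycast
    Flow(UDP, "192.0.2.12", "203.0.113.5", 3544),       # Teredo
    Flow(TCP, "192.0.2.13", "203.0.113.6", 5072),       # AYIYA
    Flow(TCP, "2001:db8::1", "2002:c000:0204::1", 80),  # 6to4 destination prefix
]
SAMPLE_QUERIES = ["www.example.com.", "teredo.ipv6.microsoft.com.", "isatap.corp.example."]

if __name__ == "__main__":
    flows, queries = scan(SAMPLE_FLOWS, SAMPLE_QUERIES, "corp.example")
    for flow, hits in flows:
        print(flow, "->", "; ".join(hits))
    for qname, hit in queries:
        print(qname, "->", hit)
```

Feeding real firewall or NetFlow exports into classify_flow requires only mapping their fields onto Flow; the DNS side expects query names as logged by the resolver, with or without the trailing dot.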

BSI publishes "Die Lage der IT-Sicherheit in Deutschland 2014" (The State of IT Security in Germany 2014)


The Bundesministerium für Informationstechnologie has published the report.

The report describes and analyses the current IT landscape, the causes of cyber attacks and the attack tools and methods used, including by way of concrete examples and incidents.

Derived from this, the BSI situation report addresses solution approaches and concrete areas of action for improving IT security in Germany.

Technological penetration and networking of all areas of life and work are increasing, and IT systems and infrastructures are becoming ever more complex. Because of growing mobility, IT is now ubiquitous and reachable at any time and from any place via the Internet. This development continuously creates new challenges for IT and cyber security in Germany and a dynamic threat situation. Cyber attacks take place daily and are carried out in an increasingly professional and targeted manner. Those affected include citizens, research institutions, government bodies, companies and operators of critical infrastructures. Many attacks succeed because the attackers have the necessary attack tools and have improved their attack methods. In 2014, attacks using botnets, phishing or social engineering, and via the compromise of websites or advertising banners, were the order of the day. Attacks on the basic structures of the Internet, such as through "Heartbleed", and elaborate attacks on specific targets, so-called Advanced Persistent Threats (APT), are of growing importance. [Source: ]

Bind 9.9.6-P1 & 9.10.1-P1 released


The Bind versions 9.9.6-P1 and 9.10.1-P1 have been released. These versions fix a problem in delegation handling.

Bind 9.9.6-P1

Introduction

BIND 9.9.6-P1 is a security fix release of BIND 9.9, an Extended Support Version (ESV) of BIND 9. This document summarizes the feature changes from BIND 9.9.5 to BIND 9.9.6-P1. Entries marked with (**) indicate changes since 9.9.6. Please see the CHANGES file in the source code release for a complete list of all changes, including bug fixes.

Security Fixes

A flaw in delegation handling could be exploited to put named into an infinite loop, in which each lookup of a name server triggered additional lookups of more name servers. This has been addressed by placing limits on the number of levels of recursion named will allow (default 7), and on the number of queries that it will send before terminating a recursive query (default 50). The recursion depth limit is configured via the max-recursion-depth option, and the query limit via the max-recursion-queries option. The flaw was discovered by Florian Maury of ANSSI. For more information, see the security advisory at . [CVE-2014-8500] [RT #37580] (**)

...

Bind 9.10.1-P1

Introduction

BIND 9.10.1-P1 is a security fix release of BIND 9.10. This document summarizes feature changes from BIND 9.10.0 to BIND 9.10.1-P1. Entries marked with (**) indicate changes since 9.10.1. Please see the CHANGES file in the source code release for a complete list of all changes, including bug fixes.

Security Fixes

A flaw in delegation handling could be exploited to put named into an infinite loop, in which each lookup of a name server triggered additional lookups of more name servers. This has been addressed by placing limits on the number of levels of recursion named will allow (default 7), and on the number of queries that it will send before terminating a recursive query (default 50). The recursion depth limit is configured via the max-recursion-depth option, and the query limit via the max-recursion-queries option. The flaw was discovered by Florian Maury of ANSSI. For more information, see the security advisory at . [CVE-2014-8500] [RT #37580] (**)

Two separate problems were identified in BIND's GeoIP code that could lead to an assertion failure. One was triggered by use of both IPv4 and IPv6 address families, the other by referencing a GeoIP database in named.conf which was not installed. ISC would like to thank Felipe Ecker for his help discovering these vulnerabilities. For more information, see the security advisory at . [CVE-2014-8680] [RT #37672] [RT #37679] (**)

A less serious security flaw was also found in GeoIP: changes to the geoip-directory option in named.conf may be incomplete when running rndc reconfig, rndc reload, or sending SIGHUP to named. In theory, this could allow named to allow access to unintended clients or serve wrong data based on geolocation configuration. [RT #37720] (**)

A query specially crafted to exploit a defect in EDNS option processing could cause named to terminate with an assertion failure, due to a missing isc_buffer_availablelength() check when formatting packet contents for logging. For more information, see the security advisory at . [CVE-2014-3859] [RT #36078]

A programming error in the prefetch feature could cause named to crash with a "REQUIRE" assertion failure in name.c. For more information, see the security advisory at . [CVE-2014-3214] [RT #35899]

...
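The delegation-handling fix described in this and in the 9.9.7/9.10.2 release notes above introduces two knobs, max-recursion-depth (default 7) and max-recursion-queries (default 50). The following is an added example, not code from ISC or BIND: a deliberately small resolver model that chases name-server names through delegations, with those two limits applied, run against two constructed zone layouts. A chain of zones whose name servers each live in the next zone, with no glue anywhere, shows the depth limit stopping the chase; a zone with sixty glueless name servers shows the query limit stopping it. Zone names under .test and all addresses are constructed, and the "server" is read directly from the zone table rather than queried over the network.

```python
class DelegationLimitExceeded(Exception):
    """Raised when a lookup would exceed the configured recursion limits."""


class ToyResolver:
    """Iterative resolver model with the two limits the release notes name.

    zones: {zone_name: {"ns": [ns hostnames], "records": {hostname: address}}}
    glue:  {ns hostname: address} for name servers whose address is known up front.
    """

    def __init__(self, zones, glue, max_recursion_depth=7, max_recursion_queries=50):
        self.zones = zones
        self.glue = glue
        self.max_recursion_depth = max_recursion_depth
        self.max_recursion_queries = max_recursion_queries
        self.queries = 0

    def _zone_for(self, name):
        """Longest-suffix match of the name against the known zones."""
        labels = name.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.zones:
                return candidate
        return None

    def resolve(self, name, depth=0):
        """Resolve name to an address; raise LookupError or DelegationLimitExceeded."""
        if depth > self.max_recursion_depth:
            raise DelegationLimitExceeded(f"recursion depth {depth} exceeded at {name}")
        self.queries += 1
        if self.queries > self.max_recursion_queries:
            raise DelegationLimitExceeded(f"query limit exceeded while resolving {name}")
        zone = self._zone_for(name)
        if zone is None:
            raise LookupError(name)
        data = self.zones[zone]
        for ns in data["ns"]:
            if ns not in self.glue:
                # No glue: the name server itself must be looked up first, one level deeper.
                try:
                    self.resolve(ns, depth + 1)
                except LookupError:
                    continue
            # Server address known: ask it (the toy reads the zone data directly).
            if name in data["records"]:
                return data["records"][name]
        raise LookupError(name)


def run_lookup(zones, glue, name, **limits):
    """Return (outcome, queries) with outcome 'ok', 'limit' or 'nxdomain'."""
    resolver = ToyResolver(zones, glue, **limits)
    try:
        resolver.resolve(name)
        return "ok", resolver.queries
    except DelegationLimitExceeded:
        return "limit", resolver.queries
    except LookupError:
        return "nxdomain", resolver.queries


# Constructed layouts. Healthy: one zone, glue present, answer found in one query.
HEALTHY_ZONES = {"example.test": {"ns": ["ns1.example.test"],
                                  "records": {"www.example.test": "192.0.2.80"}}}
HEALTHY_GLUE = {"ns1.example.test": "192.0.2.53"}


def chain_zones(length=60):
    """z0.test is served by ns.z1.test, z1.test by ns.z2.test, ... with no glue."""
    zones = {f"z{i}.test": {"ns": [f"ns.z{i + 1}.test"], "records": {}} for i in range(length)}
    zones["z0.test"]["records"]["www.z0.test"] = "192.0.2.80"
    return zones


def wide_zones(width=60):
    """wide.test lists many glueless name servers, none of which resolves."""
    return {
        "wide.test": {"ns": [f"ns{i}.dead.test" for i in range(width)],
                      "records": {"www.wide.test": "192.0.2.80"}},
        "dead.test": {"ns": ["ns.dead.test"], "records": {}},
    }


WIDE_GLUE = {"ns.dead.test": "192.0.2.53"}

if __name__ == "__main__":
    print("healthy:", run_lookup(HEALTHY_ZONES, HEALTHY_GLUE, "www.example.test"))
    print("chain, default limits:", run_lookup(chain_zones(), {}, "www.z0.test"))
    print("chain, no real limits:", run_lookup(chain_zones(), {}, "www.z0.test",
                                               max_recursion_depth=10**6,
                                               max_recursion_queries=10**6))
    print("wide, default limits:", run_lookup(wide_zones(), WIDE_GLUE, "www.wide.test"))
```

With the limits effectively removed, the 60-zone chain costs 61 queries before it fails; with the defaults it is abandoned after 8, and the wide zone after 51. A real resolver would also be retrying over the network at each step, which is where the unbounded version becomes a denial of service against the resolver itself.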

Let's Encrypt: Mozilla and the EFF shake up the CA market


Mozilla, the EFF and other partners want to provide SSL/TLS certificates free of charge to all server operators who want to encrypt their websites. Two Linux commands are supposed to be enough to request a certificate and put it live immediately.

Under the name "Let's Encrypt", Mozilla, Akamai, Cisco and the EFF want to set up a new, free certificate authority for SSL/TLS certificates. The non-profit project is to distribute free certificates to administrators from summer 2015. New technology is intended to make requesting and renewing certificates much easier, and as much of it as possible is to be made available as open source. Unlike self-signed certificates, browsers are supposed to trust these certificates without the user being confronted with an error message.

[Source: ]

Microsoft patches severe TLS vulnerability


Microsoft has released an update that closes a severe security vulnerability. The vulnerability affects Windows clients and servers that run a web server, a mail server or an FTP server. The affected component is the Microsoft Secure Channel security package. Operators should install the update as soon as possible. Other services may be affected as well, insofar as they use the security framework. Microsoft points out that there is no workaround.

Vulnerability in Schannel Could Allow Remote Code Execution (2992611)

This security update resolves a privately reported vulnerability in the Microsoft Secure Channel (Schannel) security package in Windows. The vulnerability could allow remote code execution if an attacker sends specially crafted packets to a Windows server. This security update is rated Critical for all supported releases of Microsoft Windows. For more information, see the Affected Software section.

The security update addresses the vulnerability by correcting how Schannel sanitizes specially crafted packets. For more information about the vulnerability, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability.

[Source: ]

Google nogotofail network security testing tool


Google has released a security testing tool for tracking down security flaws in applications and in SSL/TLS connections.

nogotofail

Nogotofail is a network security testing tool designed to help developers and security researchers spot and fix weak TLS/SSL connections and sensitive cleartext traffic on devices and applications in a flexible, scalable, powerful way. It includes testing for common SSL certificate verification issues, HTTPS and TLS/SSL library bugs, SSL and STARTTLS stripping issues, cleartext issues, and more.

[Source: ]

Pigeonhole for Dovecot v2.2 Release v0.4.5 & v0.4.6


Pigeonhole v0.4.5 & v0.4.6 for Dovecot v2.2 have been released.

v0.4.6 02-11-2014 Stephan Bosch <stephan@rename-it.nl>
- After make distclean the distributed tarball would fail to recompile. This causes problems for some distribution builds.

v0.4.5 30-10-2014 Stephan Bosch <stephan@rename-it.nl>
+ Added a Pigeonhole version banner to doveconf output. This way, future bug reports will also include Pigeonhole version information.
- Fixed handling of implicit keep. Last version erroneously reported that implicit keep succeeded after an earlier failure, while it in fact had failed. Particularly occurred for mailbox quota errors.
- Fixed segfault occurring on SunOS systems when there is no active script.

Pigeonhole for Dovecot v2.2 Release v0.4.4


Pigeonhole v0.4.4 for Dovecot v2.2 has been released.

v0.4.4 28-10-2014 Stephan Bosch <stephan@rename-it.nl>
* Added support for Japanese mail addresses with dots at non-standard places in localpart.
* Changed handling of ENOSPACE into a normal temporary failure and added handling of ENOQUOTA as a user error.
* Restructured result execution, so that all actions which involve mail storage are always committed before all others.
+ Implemented support for generic Sieve storages. Using alternative storages now also possible for sieve_before/sieve_after.
+ Implemented storage driver for retrieving Sieve scripts from LDAP. This currently cannot be used with ManageSieve.
+ Implemented sieve_redirect_envelope_from setting, which allows configuring the envelope sender of redirected messages.
- Fixed handling of mail storage errors occurring while evaluating the input message.
- managesieve-login:
  - Removed bogus ALERT response code returned for AUTHENTICATE command.
  - Fixed handling of invalid initial response argument to AUTHENTICATE command.
  - Fixed handling of stream errors in lexical scanner.
- Fixed handling of SMTP errors. Permanent and temporary errors were mixed up.
- Fixed several problems reported by CLang 3.4.
- duplicate extension: Fixed erroneous compile error about conflicting tags when `:handle' argument was used last.
- relational extension: Fixed error handling of `:value' match.
- editheader extension: Fixed header unfolding and header iteration.
- mailbox extension: Fixed the `:create' tag, which erroneously subscribed an existing folder.
- extprograms plugin: Fixed handling of error codes.
- doveadm-sieve plugin: Fixed several bugs. Synchronization of symbolic link in the file storage should now also work properly.

HTTP Strict Transport Security


HTTP Strict Transport Security (HSTS) is a security opt-in extension that a web application enables by sending a special header. If a browser supports this extension, the web application will from then on only be accessed over HTTPS. The simplest approach is to configure a redirect from the HTTP side to the HTTPS vhost and to set the Strict-Transport-Security header there.

Note: HTTP Strict Transport Security (HSTS) is also enabled on https://rz.siegnetz.de.

Redirecting HTTP to HTTPS

...
RewriteEngine On
RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [redirect=301]
...

Setting the Strict-Transport-Security header

If, for example, the headers module is enabled on an Apache web server, the required header can simply be set in the vhost configuration.

...
<IfModule headers_module>
Header add Strict-Transport-Security "max-age=15768000"
</IfModule>
...

More on HTTP Strict Transport Security (HSTS) can be found in the .
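To see what a browser actually records from the header above, here is an added example (not from the page and not Apache code): a parser for the Strict-Transport-Security field value following RFC 6797 section 6.1 (max-age required and numeric, directives case-insensitive and not repeated, unknown directives ignored), plus the rule that the header only takes effect on an https response, which is the reason for pairing it with the redirect from the HTTP vhost. The sample response headers are constructed; the preload directive is not part of RFC 6797 but is used by browser preload lists.

```python
def parse_hsts(value):
    """Parse a Strict-Transport-Security field value (RFC 6797, section 6.1).

    Returns a policy dict, or None when the value is invalid: a missing or
    non-numeric max-age, or a directive that appears more than once.
    Unknown directives are ignored, as the RFC requires.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')          # max-age may be a quoted-string
        if name in directives:
            return None                       # duplicate directive invalidates the header
        directives[name] = val
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        return None
    return {
        "max_age": int(max_age),
        "include_subdomains": "includesubdomains" in directives,
        "preload": "preload" in directives,   # not in RFC 6797; browser preload lists use it
    }


def effective_policy(scheme, headers):
    """Policy a browser would record from one response, or None.

    headers is a list of (name, value) pairs. The header is only honoured on a
    secure transport, and only the first instance counts (RFC 6797 section 8.1).
    """
    if scheme.lower() != "https":
        return None
    for name, value in headers:
        if name.lower() == "strict-transport-security":
            return parse_hsts(value)
    return None


def max_age_days(policy):
    """Convenience: express max-age in days."""
    return policy["max_age"] / 86400


# Constructed sample responses: the plain-HTTP vhost redirecting, the HTTPS vhost
# carrying the header from the Apache snippet above.
HTTP_RESPONSE = ("http", [("Location", "https://www.example.test/"),
                          ("Strict-Transport-Security", "max-age=15768000")])
HTTPS_RESPONSE = ("https", [("Content-Type", "text/html"),
                            ("Strict-Transport-Security", "max-age=15768000")])

if __name__ == "__main__":
    for scheme, headers in (HTTP_RESPONSE, HTTPS_RESPONSE):
        policy = effective_policy(scheme, headers)
        print(scheme, "->", policy and f"{max_age_days(policy)} days")
```

The header sent over plain HTTP in the first sample is ignored by design, so a site that only emits it on the HTTP vhost gets no protection at all; the max-age of 15768000 seconds used on the page corresponds to 182.5 days.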

Dovecot Release v2.2.15


Dovecot v2.2.15 has been released.

Note: Dovecot v2.2.15 works without problems for me.

Some small fixes and changes to v2.2.14. This release is mainly in the hope that it could still make it into the next Debian stable instead of v2.2.14 - mainly because of a couple of new assert crashes that started happening in v2.2.14 and should be fixed now.
  • Plugins can now print a banner comment in doveconf output (typically the plugin version)
  • Replication plugin now triggers low (instead of high) priority for mail copying operations.
  • IMAP/POP3/ManageSieve proxy: If destination server can't be connected to, retry connecting once per second up to the value of proxy_timeout. This allows quick restarts/upgrades on the backend server without returning login failures.
  • Internal passdb lookups (e.g. done by lmtp/doveadm proxy) weren't returning failure in some situations where they should have (e.g. allow_nets mismatch)
  • LMTP uses mail_log_prefix now for logging mail deliveries instead of a hardcoded prefix. The non-delivery log prefix is still hardcoded though
  • + passdb allow_nets=local matches lookups that don't contain an IP address (internally done by Dovecot services)
  • + Various debug logging and error logging improvements
  • - Various race condition fixes to LAYOUT=index
  • - v2.2.14 virtual plugin crashed in some situations

Spamhaus 127.*.*.* Return Codes


There is often confusion about the response codes of RBL queries. For clarification, I have listed the Spamhaus response codes here.

Return Codes

Spamhaus uses this general convention for return codes:
Return Code     Description
127.0.0.0/24    Spamhaus IP Blocklists
127.0.1.0/24    Spamhaus Domain Blocklists
127.0.2.0/24    Spamhaus Whitelists
Return codes for Spamhaus IP zones:
Return Code    Zone    Description
127.0.0.2      SBL     Spamhaus SBL Data
127.0.0.3      SBL     Spamhaus SBL CSS Data
127.0.0.4      XBL     CBL Data
127.0.0.10     PBL     ISP Maintained
127.0.0.11     PBL     Spamhaus Maintained
We recommend you use SBL together with XBL and PBL, as the three zones block different spam sources. To save you having to query three separate DNSBL zones there is a special combined DNSBL zone called Zen which contains the complete SBL, XBL and PBL data. We recommend you use this combined DNSBL zone for checking SMTP connecting IP. To use it, simply set your mail server's DNSBL check to query zen.spamhaus.org only. (Don't query SBL, XBL or PBL and Zen!)
DNSBL    Zone to Query        Returns           Contains
SBL      sbl.spamhaus.org     127.0.0.2-3       Static UBE sources, verified spam services (hosting or support) and ROKSO spammers
XBL      xbl.spamhaus.org     127.0.0.4-7       Illegal 3rd party exploits, including proxies, worms and trojan exploits
PBL      pbl.spamhaus.org     127.0.0.10-11     IP ranges which should not be delivering unauthenticated SMTP email.
ZEN      zen.spamhaus.org     127.0.0.2-11      Combined zone (recommended). Includes SBL, XBL and PBL.
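As an added example (not Spamhaus code), the following shows how a mail server turns the tables above into a decision: build the reversed-octet query name for zen.spamhaus.org and map each returned 127.0.0.x answer to SBL, XBL or PBL. The resolver is passed in as a function, and the answers used here are constructed for documentation addresses, so nothing is looked up on the network.

```python
"""Interpret Spamhaus DNSBL answers using the return codes tabulated above.

A lookup reverses the octets of the connecting IPv4 address and prepends
them to the zone name; the A record(s) returned are 127.0.0.x codes.
The DNS resolver is passed in as a function so the example runs offline
with a constructed answer set (added example, not Spamhaus code).
"""
import ipaddress

# Ranges of the last octet per zone, from the "Returns" column above (Zen answers)
ZEN_ZONES = (("SBL", 2, 3), ("XBL", 4, 7), ("PBL", 10, 11))
IP_BLOCKLIST_RANGE = ipaddress.ip_network("127.0.0.0/24")

def dnsbl_query_name(ip, zone="zen.spamhaus.org"):
    """Return the reversed-octet query name, e.g. 10.2.0.192.zen.spamhaus.org."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone

def zone_for_code(code):
    """Map one answer to SBL/XBL/PBL, or None if it is not an IP-blocklist code."""
    addr = ipaddress.IPv4Address(code)
    if addr not in IP_BLOCKLIST_RANGE:
        # 127.0.1.x/127.0.2.x codes belong to other list types; an answer that is
        # not even in 127.0.0.0/8 usually means a resolver that rewrites NXDOMAIN.
        return None
    last = int(addr) & 0xFF
    for name, lo, hi in ZEN_ZONES:
        if lo <= last <= hi:
            return name
    return None

def listed_in(ip, resolve):
    """Return the sorted zones that list `ip`; [] means the client is not listed.

    `resolve(name)` must return the list of A records, or [] for NXDOMAIN.
    """
    zones = {zone_for_code(code) for code in resolve(dnsbl_query_name(ip))}
    return sorted(z for z in zones if z)

# Constructed resolver answers for documentation addresses (not real listings).
FAKE_ANSWERS = {
    "10.2.0.192.zen.spamhaus.org": ["127.0.0.4", "127.0.0.11"],
}

def fake_resolve(name):
    return FAKE_ANSWERS.get(name, [])
```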

Attacked honeypot URLs


In addition to the source addresses of the attacks against my honeypots, I have evaluated the URLs that were requested.

The most frequently attacked honeypot URLs

/admin
/admin/login.php
/cgi-bin/hello
/cgi-bin/index.cgi
/cgi-bin/login.php
/cgi-bin/test.cg
/login.php
/tmUnblock.cgi
/typo3
/vtigercrm
/webmail/login.php
/xmlrpc.php
/wp-login.php
/wp-admin/admin-ajax.php
/wp-signup.php

Testing SSL functionality


Anyone who wants to test their servers and clients for the Heartbleed or the POODLE SSLv3 vulnerability can do so with the following tools.

Useful links for testing SSL connections and certificates

from Qualys SSL Labs
from Thawte, Inc.

Testing Microsoft ActiveSync connections

OpenSSL test for POODLE

openssl s_client -connect rz.siegnetz.de:443 -ssl3

OpenSSL test for Heartbleed

openssl s_client -connect rz.siegnetz.de:443 -tlsextdebug 2>&1| grep 'server extension "heartbeat" (id=15)' || echo safe

Blacklist from attacks against SSH, SMTP, IMAP and HTTP


I have compiled the source addresses of the attacks against our honeypots. The attacks were carried out against the services SSH, SMTP, IMAP and HTTP. When I get the chance, I will update the list and make it available for download.

Blacklist

Note: The data come exclusively from analyses by SIEGNETZ.IT GmbH and are not representative for others. They serve SIEGNETZ.IT GmbH to compile statistics about attacks and their sources and to take countermeasures.


Securing servers against the POODLE SSLv3 vulnerability


Apache

Anyone who configures their web server with SSLv2 and SSLv3 disabled will find that some web crawlers or bots can no longer index the site. This includes the GoogleBot.

SSLHonorCipherOrder on
SSLCipherSuite ALL:!ADH:!SSLv2:!SSLv3:!EXPORT56:!EXPORT40:!RC4:!DES:+HIGH:+MEDIUM:+EXP
SSLProtocol All -SSLv2 -SSLv3

Dovecot

ssl_protocols = !SSLv2 !SSLv3
ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL

Postfix

smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5
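The three snippets above use three different syntaxes for the same idea, a base protocol list minus exclusions. The following added example (not code from Apache, Dovecot or Postfix) evaluates such a directive the way the daemons read it and reports whether SSLv2 or SSLv3 survive; the protocol set it assumes is the one these configurations were written against, and the sample fragments are copied from the snippets above.

```python
"""Check that the protocol directives shown above really exclude SSLv2/SSLv3.

Apache, Dovecot and Postfix all express the protocol list as an inclusive
base set minus exclusions, differing only in the exclusion prefix ("-" or
"!") and the separator, so one evaluator covers all three. Added example,
not code from any of the three projects.
"""
import re

LEGACY = {"SSLV2", "SSLV3"}
# Protocol set the configurations above were written against (assumed here).
ALL_PROTOCOLS = {"SSLV2", "SSLV3", "TLSV1", "TLSV1.1", "TLSV1.2"}
# Per daemon: regex capturing the directive value, and the exclusion prefix.
DIRECTIVES = {
    "apache": (r"^\s*SSLProtocol\s+(.+?)\s*$", "-"),
    "dovecot": (r"^\s*ssl_protocols\s*=\s*(.+?)\s*$", "!"),
    "postfix": (r"^\s*smtpd_tls_mandatory_protocols\s*=\s*(.+?)\s*$", "!"),
}

def enabled_protocols(spec, exclude_prefix):
    """Return the upper-cased set of protocols a directive value enables.

    Tokens are split on whitespace or commas. A token carrying the exclusion
    prefix removes a protocol, a bare token adds one, and a value made only of
    exclusions (or containing "All") starts from the full protocol set.
    """
    tokens = [t for t in re.split(r"[\s,]+", spec) if t]
    includes = {t.upper() for t in tokens if not t.startswith(exclude_prefix)}
    excludes = {t[len(exclude_prefix):].upper() for t in tokens if t.startswith(exclude_prefix)}
    enabled = set(ALL_PROTOCOLS) if not includes or "ALL" in includes else set()
    return (enabled | (includes - {"ALL"})) - excludes

def poodle_safe(daemon, config_text):
    """True only if the directive is present and leaves neither SSLv2 nor SSLv3.

    A missing directive yields False: the daemon default then applies, which
    this check cannot vouch for.
    """
    pattern, prefix = DIRECTIVES[daemon]
    match = re.search(pattern, config_text, re.MULTILINE | re.IGNORECASE)
    if not match:
        return False
    return not (enabled_protocols(match.group(1), prefix) & LEGACY)

# Constructed config fragments, taken from the three snippets above.
SAMPLE_CONFIGS = {
    "apache": "SSLProtocol All -SSLv2 -SSLv3",
    "dovecot": "ssl_protocols = !SSLv2 !SSLv3\nssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL",
    "postfix": "smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3",
}
```

Note that smtpd_tls_mandatory_protocols governs only mandatory TLS; opportunistic TLS on the SMTP listener is controlled by smtpd_tls_protocols, which deserves the same exclusions.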