[Ach] BetterCrypto guide - POSTFIX configuration mistake / missing parameter

Christian Fischer christian.fischer at greenbone.net
Fri Dec 23 17:33:28 CET 2016

Hi list,

On 15.10.2016 14:54, Christian Fischer wrote:
> In general its not planned to completely drop the check for old ciphers
> on mail servers. As explained at the linked OpenVAS mailinglist the
> first step is to not mark other servers then Webservers vulnerable for
> the HTTP(S) only attacks like BEAST, Lucky13 and Sweet32.
> There will be also some reworks on the reporting of SSL issues itself in
> OpenVAS. After this is finished the finial step is to not mark MTAs with
> opportunistic TLS as running with weak ciphers.

just want to let you know that the mentioned reworks have been finished
(had to do a lot of rework on the base reporting first):

- SWEET32 / 3DES ciphers are now only reported for HTTPS services
- Weak ciphers for SMTP on 25/tcp with opportunistic TLS are now
reported without a severity (log level). People are still free to
overwrite the severity and mark a vulnerability for it.

I'm still unsure about BEAST and Lucky13 as i have read different
opinions about these attacks in the past. If these attacks are really
only practicable via HTTPS the reporting of weak ciphers could be also
moved to HTTPS services only.

As always, feedback is very welcome.



Christian Fischer | Greenbone Networks GmbH | http://greenbone.net
Neuer Graben 17, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner

More information about the Ach mailing list