
Waragainstsleep (macrumors 6502a, original poster, joined Oct 15, 2003, UK)
I look after an up-to-date 10.8.5 mail and file server on an all-Mac network for a company that sells on the internet. They are required to be PCI-DSS compliant to take card payments and to be properly insured for that.

The last PCI scan failed due to the POODLE vulnerability, so I updated with Apple's patch for the issue, but it hasn't fixed the problem. Both the PCI scan and this tester tool site https://www.poodlescan.com say that there are issues.

The PCI scan flags the fault on port 993; it seems I have been able to fix port 25. The test website says 25 is OK for SSLv3, but still has SSLv2 enabled.

I've scoured the config files for both Dovecot and Postfix in /Library/Server/Mail/Config for references to the cipher suites that are accepted by the two services and have even tried a number of changes and extra entries (based on *NIX implementations) and only succeeded in cutting off all IMAP access.

My Mail log has multiple entries about "invalid TLS cipher list" and refers to /SourceCache/OpenSSL098/OpenSSL098-52.1/src/ssl/ssl_lib.c, which confuses me because /SourceCache does not exist on this machine when I try to go look at it.

This is causing me headaches. I don't know why Apple can't document these things or just leave them as they are in the standard open source implementations.

Does anyone know what I have to do in order to properly disable SSLv2 and SSLv3 without nerfing IMAP and SMTP altogether?
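One way to check what the two daemons are actually configured to negotiate, before re-running the PCI scan, is to audit the protocol directives in the config files rather than guess at cipher strings. The script below is an added example, not code from the thread or from Apple, Dovecot or Postfix; it parses Postfix main.cf-style and Dovecot conf-style `key = value` text and reports whether `smtpd_tls_protocols`, `smtpd_tls_mandatory_protocols` (Postfix) and `ssl_protocols` (Dovecot) exclude SSLv2 and SSLv3. It handles both forms those directives accept: an exclusion list such as `!SSLv2, !SSLv3` and a positive list such as `TLSv1 TLSv1.1 TLSv1.2`. The file paths in `main()` are assumptions about where OS X Server keeps them under /Library/Server/Mail/Config, and the directive names assume a Postfix and Dovecot version that recognises them (an unknown directive is exactly the kind of change that can take a service down); confirm with `postconf -n` and `doveconf -n` after editing. The sample config fragments are constructed.

```python
"""Audit Dovecot and Postfix TLS protocol settings for SSLv2/SSLv3 exposure.

Added example (not from the original thread). Reads Postfix main.cf-style and
Dovecot conf-style "key = value" text and reports, per directive, whether the
legacy protocol versions are still permitted.
"""
import re
import sys

LEGACY = ("SSLv2", "SSLv3")
# Directives that control which protocol versions each daemon will negotiate.
POSTFIX_KEYS = ("smtpd_tls_protocols", "smtpd_tls_mandatory_protocols")
DOVECOT_KEYS = ("ssl_protocols",)

# Assumed locations on OS X Server (the post only names /Library/Server/Mail/Config).
ASSUMED_POSTFIX_CF = "/Library/Server/Mail/Config/postfix/main.cf"
ASSUMED_DOVECOT_SSL = "/Library/Server/Mail/Config/dovecot/conf.d/10-ssl.conf"

# Constructed samples: a "weak" fragment that only drops SSLv2 (POODLE still
# applies) and a "fixed" fragment that drops both legacy versions.
WEAK_POSTFIX = """\
# constructed main.cf fragment: SSLv3 still offered
smtpd_tls_mandatory_protocols = !SSLv2
"""
FIXED_POSTFIX = """\
# constructed main.cf fragment: both legacy versions excluded
smtpd_tls_protocols = !SSLv2,
    !SSLv3
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
"""
WEAK_DOVECOT = "ssl_protocols = !SSLv2\n"
FIXED_DOVECOT = "ssl_protocols = !SSLv2 !SSLv3\n"


def parse_kv(text, continuations=False):
    """Parse 'key = value' lines. '#' comments are dropped; with continuations
    enabled (Postfix main.cf), lines starting with whitespace extend the
    previous key's value."""
    settings = {}
    last = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if continuations and line[0].isspace() and last is not None:
            settings[last] += " " + line.strip()
            continue
        m = re.match(r"\s*([A-Za-z0-9_]+)\s*=\s*(.*)$", line)
        if m:
            last = m.group(1)
            settings[last] = m.group(2).strip()
    return settings


def protocol_enabled(value, proto):
    """Postfix and Dovecot both accept an inclusion list ('TLSv1 TLSv1.2')
    or an exclusion list ('!SSLv2, !SSLv3'); decide whether proto survives."""
    tokens = [t for t in re.split(r"[\s,]+", value) if t]
    excluded = {t[1:] for t in tokens if t.startswith("!")}
    if excluded:  # exclusion list: everything not listed stays enabled
        return proto not in excluded
    if tokens:    # inclusion list: only the listed versions are enabled
        return proto in tokens
    return True   # empty value: no restriction at all


def audit(settings, keys):
    """Return {directive: {proto: enabled}}; a directive that is not set is
    reported as None so the operator knows the daemon default applies."""
    report = {}
    for key in keys:
        if key not in settings:
            report[key] = None
        else:
            report[key] = {p: protocol_enabled(settings[key], p) for p in LEGACY}
    return report


def findings(report):
    """Turn an audit report into a list of problems; empty list means clean."""
    out = []
    for key, state in report.items():
        if state is None:
            out.append(f"{key} is not set explicitly; daemon default applies")
            continue
        for proto, on in state.items():
            if on:
                out.append(f"{key} still permits {proto}")
    return out


def main(argv):
    """Usage: audit_tls.py [main.cf] [10-ssl.conf]; with no arguments the
    constructed weak samples are audited instead of the assumed paths."""
    if len(argv) == 3:
        with open(argv[1]) as f:
            postfix_text = f.read()
        with open(argv[2]) as f:
            dovecot_text = f.read()
    else:
        postfix_text, dovecot_text = WEAK_POSTFIX, WEAK_DOVECOT
    for name, text, keys, cont in (("postfix", postfix_text, POSTFIX_KEYS, True),
                                   ("dovecot", dovecot_text, DOVECOT_KEYS, False)):
        problems = findings(audit(parse_kv(text, continuations=cont), keys))
        print(f"[{name}] " + ("OK" if not problems else "; ".join(problems)))


if __name__ == "__main__":
    main(sys.argv)
```

The script checks protocol directives only; it does not validate `ssl_cipher_list` or the Postfix cipher settings, which is where a malformed string produces the kind of "invalid cipher list" log entry mentioned above. Treat an unset directive as a finding to investigate rather than as safe, because the default depends on the installed version.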
 