STARTTLS and Postfix

**whatisee1** · 03-08-2011, 08:41 AM

Hello folks!

As you may see postings from Wietse Venema - there are some issues with STARTTLS and Postfix:

US-CERT Vulnerability Note VU#555316
Plaintext command injection in multiple implementations of STARTTLS (CVE-2011-0411)

Now, on my systems I see this:

% telnet 0 25
220 myzimbra ESMTP Postfix
starttls
220 2.0.0 Ready to start TLS

% telnet 0 587
220 myzimbra ESMTP Postfix
starttls
220 2.0.0 Ready to start TLS

What is the best way to disable STARTTLS on Zimbra?

Thanks,
W.S.

**whatisee1** · 03-09-2011, 07:08 AM

Hmmm...seems like this Postfix exploit is not a big thing...

**cmccormick** · 04-21-2011, 11:26 AM

My Senior Sys. Admin. thinks it is a big deal and would like to know if there is a fix planned. Anyone have any ideas on this? He sent me to this link:

CVE - CVE-2011-0411 (under review)

**lytledd** · 04-23-2011, 07:18 AM

I'd suggest that you search the bugs page to see if there is a ticket open on it, if you don't find one, then open a ticket with the information that you've got.

Doug

Zimbra

Thread: STARTTLS and Postfix

LinkBack

Thread Tools

Search Thread

Display

STARTTLS and Postfix

Thread Information

Users Browsing this Thread

Similar Threads

530 5.7.0 Must issue a STARTTLS command first

[SOLVED] Inbound external mail, STARTTLS offered?

5.0.2 upgrade Tip (STARTTLS: -11: Connect error)

Postfix error after upgrade from 4.5.9 to 5.0.1

[SOLVED] Argh Commercial Certificates after a 4.10 > 5.0 FOSS upgrade!

Posting Permissions