Nessus finds 3 Holes in Kerio Mailserver 6.3.0

dataman

Messages: 2
Karma: 0
Hi there!

I'm testing a Kerio Mailserver 6.3.0 installation. I like the mailserver! Easy administration, good handling ;)

I ran Nessus targeting my Kerio installation.

You can see the report in the attachment.

Don't mind the SMTP relay warning; for testing I set the server to open relay.

But there were 2 things I didn't like:
1. SSLv2 and not at least SSLv3 or TLS
2. the holes in the webserver

My question:
Does this come from the base system (Fedora Core 4), or does the mailserver itself have something to do with it?

(without the mailserver running, there is no open port on my system)

Nixs

Messages: 159
Karma: 0
Makes me once again wish Kerio had a separate piece for putting in the DMZ so I don't have to open up direct access to the Kerio server.

Your report recommends using a reverse proxy. That's what I'm in the process of setting up. I have Squid doing reverse proxy from the DMZ to the Kerio box. With Squid you can allow only SSLv3 and TLS if you want. You can use SquidGuard to help block attacks by limiting access. You could add LDAP authentication to Squid so that users have to log in before they can even send requests to the Kerio box, though I will not be doing this myself.

I am mapping the HTTPS on Squid to the HTTP port on Kerio so it will pass by two of my commercial antivirus/malware HTTP scanners. These block attacks such as large headers, invalid headers, etc.

But it sure would be nice if Kerio did this out of the box.

http://secunia.com/product/3782/?task=advisories
http://secunia.com/product/1725/?task=advisories
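One way to realise the DMZ reverse proxy that Nixs describes above, as an added example that is not Kerio's or the poster's own configuration: Squid 3.x `squid.conf` syntax is assumed, and the hostname, certificate paths and the internal Kerio address 10.0.0.5 are placeholders.

```conf
# Assumed layout: Squid in the DMZ terminates HTTPS and forwards plain HTTP
# to the Kerio WebMail port on the internal host (10.0.0.5 is a placeholder).

# Terminate HTTPS on Squid and refuse SSLv2, so only SSLv3/TLS is negotiated.
# Appending ":NO_SSLv3" to options= would drop SSLv3 as well.
https_port 443 accel defaultsite=mail.example.com vhost \
    cert=/etc/squid/certs/mail.example.com.crt \
    key=/etc/squid/certs/mail.example.com.key \
    options=NO_SSLv2

# Origin server: Kerio's HTTP port on the internal box (HTTPS on Squid is
# mapped to HTTP on Kerio, as in the post above).
cache_peer 10.0.0.5 parent 80 0 no-query originserver name=kerio_webmail

# Only requests for the public mail hostname may reach the origin;
# anything else is refused at the proxy.
acl kerio_site dstdomain mail.example.com
http_access allow kerio_site
cache_peer_access kerio_webmail allow kerio_site
http_access deny all

# Reject oversized request headers at the proxy instead of passing them on.
request_header_max_size 20 KB
```

The hop from Squid to Kerio is then plaintext HTTP, so that link should be a dedicated, firewalled path between the DMZ and the internal host rather than a shared segment.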
Pavel Dobry (Kerio)

Messages: 5245
Karma: 251
Both reported "holes" are false positives. KMS supports the SSLv2, SSLv3, and TLSv1 protocols. It's up to the client to decide which will be used. The webserver hole was reported against the IIS 5.0 WebDAV interface, so it is clear that Nessus incorrectly identified the KMS webserver as IIS.
dataman

Messages: 2
Karma: 0
Funny that Nessus finds IIS holes on a Linux-based webserver.

The second one:
How can I disable SSLv2 and force the server to ONLY work with SSLv3 or TLS?

(This one isn't a false positive, since SSLv2 is vulnerable for real in some cases.)

[Updated on: Wed, 06 December 2006 17:47]
