Posted 07 July 2019 - 11:19 PM
We are using a Barracuda ESG 300 (with ATP). The email flow is roughly as follows:
- All emails first arrive at Barracuda CPL, then go to our gateway router, then to our local ESG 300 device, then to our email server, which is IBM Lotus Domino 8.5.3 FP6.
Recently an internet/external audit was conducted on our network, and the auditors have raised the following points related to the Barracuda ESG:
"SSLv3 protocol for incoming SMTP connections was enabled. Further, Point-to-Point Tunneling Protocol (PPTP) for remote access is used by privileged administrators.
Vulnerable SSL version was enabled.
The POODLE attack can be used against any system or application that supports SSL 3.0 with CBC mode ciphers. This affects most current browsers and websites, but also includes any software that either references a vulnerable SSL/TLS library (e.g. OpenSSL) or implements the SSL/TLS protocol suite itself. TLS version 1.1 or higher should be configured instead of SSL version 3."

"TLSv1.0 protocol for incoming SMTP connections was enabled. Further, Point-to-Point Tunneling Protocol (PPTP) for remote access is used by privileged administrators.
Vulnerable TLS version was enabled.
TLS version should be reconfigured to only support version 1.1 or higher."
I can assume that the point related to PPTP is a mistake, but what about SSLv3 and TLSv1.0?
Posted 08 July 2019 - 07:00 AM Best Answer
I don't work for Barracuda, but on the ESG 300 you can turn SSLv3 and TLSv1.0 on and off for email under Advanced | Email Protocol. Then scroll to the bottom and select No for both of them.
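An added example, not part of either post and not a Barracuda tool: once those two options are set to No, the change can be verified from outside the way the auditor would test it, by offering the gateway exactly one protocol version per SMTP STARTTLS connection and recording whether the handshake completes. The host and port are placeholders you supply. It goes slightly beyond the thread by also probing TLSv1.1, which this audit accepted but which RFC 8996 deprecates together with TLSv1.0. One practical caveat the script makes explicit: a current OpenSSL build usually cannot offer SSLv3 at all, so that version is reported as untestable from such a client rather than as disabled on the server.

```python
"""Probe an SMTP gateway for legacy TLS protocol support via STARTTLS.

Added example: offers the gateway exactly one protocol version per connection
so you can confirm that SSLv3 and TLSv1.0 are really refused after the change.
"""
import smtplib
import ssl
import sys

# Versions flagged by the audit (SSLv3, TLSv1.0); TLSv1.1 is added because
# RFC 8996 deprecates it alongside TLSv1.0, even though this audit accepted it.
LEGACY_VERSIONS = {
    "SSLv3": ssl.TLSVersion.SSLv3,
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
}


def pinned_context(version):
    """Return a client SSLContext that offers only `version`, or None when the
    local OpenSSL build cannot offer that version at all (typical for SSLv3)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Protocol support is what we test here, not the certificate chain.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except (ValueError, ssl.SSLError):
        return None
    # Legacy versions need legacy cipher suites; relax the client's security
    # level so our own side does not refuse before the server gets to answer.
    try:
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except ssl.SSLError:
        pass
    return ctx


def probe_starttls(host, port, version, timeout=10):
    """Open an SMTP session, issue STARTTLS with one pinned protocol version and
    classify the outcome: 'accepted', 'refused', 'no-starttls', 'untestable'
    (local OpenSSL cannot offer it) or 'error' (TCP/SMTP failure)."""
    ctx = pinned_context(version)
    if ctx is None:
        return "untestable"
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            if not smtp.has_extn("starttls"):
                return "no-starttls"
            try:
                # A gateway that does not support this version fails the handshake
                # (SSLError) or simply drops the connection (ConnectionResetError).
                smtp.starttls(context=ctx)
            except (ssl.SSLError, ConnectionResetError):
                return "refused"
            return "accepted"
    except (smtplib.SMTPException, OSError):
        return "error"


def run_probe(host, port=25):
    """Probe every legacy version and return {name: outcome}."""
    return {name: probe_starttls(host, port, ver) for name, ver in LEGACY_VERSIONS.items()}


def flagged_versions(results):
    """Versions an auditor would still flag: those the gateway actually negotiated."""
    return sorted(name for name, outcome in results.items() if outcome == "accepted")


if __name__ == "__main__":
    # Usage: python probe_smtp_tls.py mail.example.com [port]  (placeholder host)
    target = sys.argv[1]
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 25
    outcome = run_probe(target, target_port)
    for name, state in outcome.items():
        print(f"{name:8} {state}")
    print("still enabled:", flagged_versions(outcome) or "none")
```

Run it against the ESG's public SMTP address before and after flipping the two settings; every flagged version should move from accepted to refused. Anything reported as untestable needs a client that can still speak that version (an older OpenSSL build or an external scanner), because a failure to offer SSLv3 from your side proves nothing about the server.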