[SAC] [OSGeo] #2626: OSGeo6 security remediation

OSGeo trac_osgeo at osgeo.org
Mon Jul 12 15:50:40 PDT 2021


#2626: OSGeo6 security remediation
---------------------------+----------------------------------------
 Reporter:  robe           |       Owner:  sac@…
     Type:  task           |      Status:  new
 Priority:  normal         |   Milestone:  Sysadmin Contract 2021-II
Component:  Systems Admin  |  Resolution:
 Keywords:                 |
---------------------------+----------------------------------------

Comment (by robe):

 to remedy:

 1) was pointing at doc.geotools.org -- set up a fake site to show "Nothing
 here" as the default
  And set up to get a letsencrypt cert for osgeo6.osgeo.osuosl.org

 2) Mail was using expired wildcard cert -- changed to use the letsencrypt
 one for lists.osgeo.org by editing
  /etc/postfix/main.cf and also updated ciphers


 {{{
 #smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA
 smtp_tls_exclude_ciphers = EXP, MEDIUM, LOW, DES, 3DES, SSLv2
 smtpd_tls_exclude_ciphers = EXP, MEDIUM, LOW, DES, 3DES, SSLv2

 tls_high_cipherlist = kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!RC4:!MD5:!DES:!EXP:!SEED:!IDEA:!3D$
 tls_medium_cipherlist = kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!MD5:!DES:!EXP:!SEED:!IDEA:!3DES
 }}}


 {{{

 systemctl restart postfix
 }}}

-- 
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2626#comment:1>
OSGeo <https://osgeo.org/>
OSGeo committee and general foundation issue tracker.
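
Added example, not part of the ticket or of OSGeo's configuration: a small check that reads main.cf the way Postfix does (comment lines skipped, whitespace-led lines continue the previous one, last definition wins) and reports which of the ticket's exclusion classes are missing from the effective value. The sample file, the function names and the duplicate override line are constructed for illustration.

```python
import re

# Exclusion classes the ticket sets for both smtp_ and smtpd_.
REQUIRED = ["EXP", "MEDIUM", "LOW", "DES", "3DES", "SSLv2"]

# Constructed main.cf sample (not the server's file). The wrapped smtp_ line
# and the final duplicate smtpd_ line are added to exercise the parser.
SAMPLE_MAIN_CF = """\
#smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK
smtp_tls_exclude_ciphers = EXP, MEDIUM, LOW,
    DES, 3DES, SSLv2
smtpd_tls_exclude_ciphers = EXP, MEDIUM, LOW, DES, 3DES, SSLv2
# constructed: a later duplicate that silently replaces the line above
smtpd_tls_exclude_ciphers = EXP, LOW
"""


def parse_main_cf(text):
    """Return {parameter: value} using main.cf rules: blank and '#' lines are
    skipped, a line starting with whitespace continues the previous logical
    line, and the last definition of a parameter wins."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and logical:
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    params = {}
    for line in logical:
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip()] = value.strip()
    return params


def missing_exclusions(params, name, required=REQUIRED):
    """List required exclusion classes absent from parameter `name`."""
    have = {tok for tok in re.split(r"[,\s]+", params.get(name, "")) if tok}
    return sorted(set(required) - have)


if __name__ == "__main__":
    params = parse_main_cf(SAMPLE_MAIN_CF)
    for name in ("smtp_tls_exclude_ciphers", "smtpd_tls_exclude_ciphers"):
        print(name, "missing:", missing_exclusions(params, name) or "none")
```

On a live host the same check can be pointed at the output of `postconf -n`, which prints the effective non-default parameters after a restart.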

