Synopsis
During internal testing, we identified that in certain cases SMTP data is sent in clear text when SMTP is configured without authentication but with TLS.
Potentially impacted systems need to meet all the conditions below:
- InfiniBox systems running releases earlier than 4.0.30.
- InfiniGuard systems running release 2.0.x or 3.0.x (2.1.x, 3.1.x are not affected).
- SMTP is set without authentication (no user name is set)
- SMTP TLS is set to TRUE
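The conditions above can be checked across an exported inventory. The following is an added example, not INFINIDAT code: the record fields (name, product, version, smtp_username, smtp_tls) and the sample systems are constructed for illustration, and the release conditions are read as "InfiniBox earlier than 4.0.30, or InfiniGuard 2.0.x/3.0.x". Releases are compared numerically, because a string comparison would rank 4.0.4 after 4.0.30 and miss an affected system.

```python
import re

def parse_version(text):
    """Turn '4.0.4' into (4, 0, 4) so releases compare numerically."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unparseable release: {text!r}")
    return tuple(int(part) for part in text.split("."))

def release_in_scope(product, version):
    """Release conditions from the advisory."""
    v = parse_version(version)
    product = product.strip().lower()
    if product == "infinibox":
        return v < (4, 0, 30)              # earlier than 4.0.30
    if product == "infiniguard":
        return v[:2] in {(2, 0), (3, 0)}   # 2.0.x or 3.0.x; 2.1.x, 3.1.x excluded
    return False

def potentially_impacted(system):
    """True only when the release, no-authentication and TLS conditions all hold."""
    no_auth = not (system.get("smtp_username") or "").strip()
    tls_on = system.get("smtp_tls") is True
    return release_in_scope(system["product"], system["version"]) and no_auth and tls_on

def triage(inventory):
    """Names of systems that meet every condition."""
    return [s["name"] for s in inventory if potentially_impacted(s)]

# Constructed sample inventory (hypothetical field names and systems).
INVENTORY = [
    {"name": "ibox-a", "product": "InfiniBox", "version": "4.0.4",
     "smtp_username": "", "smtp_tls": True},
    {"name": "ibox-b", "product": "InfiniBox", "version": "4.0.30",
     "smtp_username": "", "smtp_tls": True},
    {"name": "ibox-c", "product": "InfiniBox", "version": "3.0.20",
     "smtp_username": "alerts", "smtp_tls": True},
    {"name": "iguard-a", "product": "InfiniGuard", "version": "3.0.1",
     "smtp_username": None, "smtp_tls": True},
    {"name": "iguard-b", "product": "InfiniGuard", "version": "3.1.0",
     "smtp_username": None, "smtp_tls": True},
    {"name": "iguard-c", "product": "InfiniGuard", "version": "2.0.5",
     "smtp_username": None, "smtp_tls": False},
]

if __name__ == "__main__":
    print(triage(INVENTORY))
```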
Possible Solutions
We always recommend upgrading systems to one of the newer releases. Discuss the recommended upgrade path with your Technical Advisor.
If upgrading is not possible at this point in time, contact INFINIDAT support to discuss the following mitigation:
- Populate the username and password fields
- Make sure that the correct certificate is installed. If it is not, install it
- Restart the mgmt service to apply the changes
FAQ
Q: Does it affect the end-to-end communications?
A: If the customer SMTP server is in use, only the connection between InfiniBox and the customer's mail server is affected. The transport encryption outside the customer's mail server depends on the server configuration.
Q: Can I set up a secure connection directly between InfiniBox/InfiniGuard and INFINIDAT Call Home Server?
A: Yes, if the network configuration allows InfiniBox to initiate traffic towards the Internet. Contact your TA for additional details.
Last edited: 2023-05-23 20:34:46 UTC