Frank,
Huh. Port's open. I'll have to look into it.
I had it working before the last time I updated Surgemail last week to
the latest beta.
I don't use webmail very often anymore. I need better support of carddav
and caldav, so I switched back to using clients and an external
company's sabre server a few weeks ago. I sure would like to keep it all
in house, though.
The status page says I am still on .0.9.8 so I am sitting tight on my
linux 32bit version 6.6a-1. I've got other work to do tonight. Sorry.
Eric
------ Original Message ------
From: "Frank Bulk" HIDDEN@mypremieronline.com>
To: "surgemailHIDDEN@etwinsite.com" <surgemail-list@netwinsite.com>
Sent: 4/8/2014 6:42:08 PM
Subject: Spam:*********, RE: [SurgeMail List] CVE-2014-0160 a. k. a. Heartbleed
>Eric,
>
>I found your server's IP address from email header, but it looks like
>you don't have the SSL version of webmail running as port 443 is
>closed.
>
>Frank
>
>-----Original Message-----
>From: Eric Vey [mailtoHIDDEN@@ericvey.com]
>Sent: Tuesday, April 08, 2014 4:47 PM
>To: surgemailHIDDEN@etwinsite.com
>Subject: Re: [SurgeMail List] CVE-2014-0160 a. k. a. Heartbleed
>
>Chris,
>
>From what I read, this is primarily an operating system issue. I don't
>know about Solaris, but Debian based machines, like Ubuntu, have a
>patch.
>
>I took a look and I was still running 0.9.8 (I think like Steffen is)
>which isn't vulnerable -- yet, so I updated to 1.0, then applied the
>patch dated yesterday. Then I restarted the whole server since I don't
>know all the services I am using that access the SSL -- probably a
>bunch of them.
>
>I'm not skilled enough to run python scripts.
>
>
>
>------ Original Message ------
>From: "Chris Ferebee" HIDDEN@ebee.net>
>To: surgemailHIDDEN@etwinsite.com
>Sent: 4/8/2014 5:20:26 PM
>Subject: Spam:***********, Re: Spam:*********, Re: [SurgeMail List] CVE-2014-0160 a. k. a. Heartbleed
>
>>Steffen,
>>
>>AFAICS SurgeMail is statically linked to OpenSSL, at least on OS X and
>>Solaris x64, cf. also the release note on version 6.6b-9. (Experimental
>>Windows build with OpenSSL 1.0.1f.)
>>
>>But every platform appears to have a different version, presumably
>>whatever is well-supported. I tested SurgeMail 6.6a on OS X 10.6.8 and
>>SmartOS. The OS X build was not vulnerable, the Solaris x64 one was.
>>
>>Best,
>>Chris
>>
>>On 08.04.2014 at 22:11, Steffen HIDDEN@n@land10.nl> wrote:
>>
>>>
>>> Current OpenSSL version of Surgemail is 0.9.8r.
>>>
>>> OpenSSL 0.9.8 branch is NOT vulnerable.
>>>
>>> Steffen
>>>
>>>
>>> On Tuesday 08/04/2014 at 21:59, Peter Dyke wrote:
>>>> Interestingly enough, when using the self-signed cert,
>>>>
>>>> SurgeMail Version 6.5b-13, Built Oct 17 2013 08:35:02, Platform Linux_64
>>>>
>>>> simply does not run the Heartbleed test script, instead returns
>>>>
>>>> dial tcp 143.*.*.*:443: connection refused
>>>>
>>>> (IP address redacted)
>>>>
>>>>
>>>> On 4/8/2014 12:29 PM, Chris Ferebee wrote:
>>>>>
>>>>> It’s a doozy all right. There’s a nice overview at
>>>>>
>>>>>
>>>>><https://maclemon.at/blog/2014/04/07/openssl-heartbeat-cve-2014-0160/>
>>>>>
>>>>> with links to some sample exploits as python scripts. You can run
>>>>>them (non-destructively) against your SurgeMail server to see what
>>>>>they turn up. I saw a bunch of sensitive information when I tried it
>>>>>earlier today. It is perfectly possible that this can be exploited
>>>>>to divulge your SSL private keys. We will all need to revoke our
>>>>>certificates and order new ones once we’re patched. It might be
>>>>>appropriate to issue new mail passwords.
>>>>>
>>>>> If you can install your certs on your load-balancer and proxy the
>>>>>SSL traffic, yes, that seems like it would help, as long as your
>>>>>load-balancer is not vulnerable.
>>>>>
>>>>> Best,
>>>>> Chris
>>>>>
>>>>> On 08.04.2014 at 21:00, Frank Bulk HIDDEN@mypremieronline.com> wrote:
>>>>>
>>>>>>
>>>>>> When I reviewed the issue last night I wasn't overly concerned,
>>>>>>thinking this was more of a MiTM attack, but after reviewing
>>>>>>http://heartbleed.com/ more carefully, it seems like they could
>>>>>>potentially walk through memory in 64 kilobyte chunks and retrieve
>>>>>>other content.
>>>>>>
>>>>>> Can we get some new binaries yet today?
>>>>>>
>>>>>> Is the temporary mitigation to use SSL from the load-balancer in
>>>>>>front of our two Surgemail servers?
>>>>>>
>>>>>> Regards,
>>>>>>
>>>>>> Frank
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Chris Ferebee [mailtoHIDDEN@ebee.net]
>>>>>> Sent: Tuesday, April 08, 2014 6:46 AM
>>>>>> To: surgemailHIDDEN@etwinsite.com
>>>>>> Subject: [SurgeMail List] CVE-2014-0160 a. k. a. Heartbleed
>>>>>>
>>>>>> ChrisP, Marijn,
>>>>>>
>>>>>> When you have a moment, could you please let us know what the
>>>>>>status of SurgeMail is WRT the CVE-2014-0160 a. k. a. Heartbleed
>>>>>>SSL exploit?
>>>>>>
>>>>>> I have a server running SurgeMail 6.6a on a version of SmartOS
>>>>>>(Solaris x64) with OpenSSL 1.0.1e installed, and it is vulnerable
>>>>>>as per
>>>>>>
>>>>>> <http://filippo.io/Heartbleed/>
>>>>>>
>>>>>> and other example exploits. A different server running SurgeMail
>>>>>>6.6a on OS X 10.6.8 (which includes OpenSSL 0.9.8y) is not
>>>>>>vulnerable.
>>>>>>
>>>>>> However, as far as I can tell, SurgeMail does not dynamically
>>>>>>link OpenSSL from the host platform in either case and therefore
>>>>>>presumably comes with its own, statically linked version.
>>>>>>
>>>>>> Therefore, it appears that we urgently need a fixed version of
>>>>>>SurgeMail, e. g. 6.6a, in my case for Solaris x64, presumably also
>>>>>>for some of the other platforms. Do you have an ETA for that yet?
>>>>>>
>>>>>> Best,
>>>>>> Chris
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>
>>>>
>>>
>>>
>>>
>>>
>>
>
>
>---
>This email is free from viruses and malware because avast! Antivirus
>protection is active.
>http://www.avast.com
>
>
>
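The thread turns on which OpenSSL version is statically linked into each SurgeMail build. The following is an added example, not part of the original messages and not SurgeMail or OpenSSL code: it searches a binary's bytes for the embedded OpenSSL version banner and maps it onto the upstream CVE-2014-0160 affected range (1.0.1 through 1.0.1f). The function names and the sample byte strings are constructed for illustration.

```python
"""Find embedded OpenSSL version banners in a binary and classify them."""
import re
import sys

# Banner format OpenSSL compiles in, e.g. b"OpenSSL 1.0.1e 11 Feb 2013".
# Pre-release banners ("1.0.2-beta1") are deliberately not matched here.
BANNER = re.compile(rb"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*) ")

def classify(major, minor, fix, letter):
    """Map a version onto the upstream CVE-2014-0160 affected range."""
    if (major, minor, fix) < (1, 0, 1):
        return "not affected"      # heartbeat code first shipped in 1.0.1
    if (major, minor, fix) == (1, 0, 1) and letter <= "f":
        return "affected range"    # 1.0.1 through 1.0.1f
    return "fixed upstream"        # 1.0.1g and later

def scan(data):
    """Return [(version, status)] for each distinct banner found in data."""
    seen = {}
    for m in BANNER.finditer(data):
        major, minor, fix = (int(m.group(i)) for i in (1, 2, 3))
        letter = m.group(4).decode()
        version = f"{major}.{minor}.{fix}{letter}"
        seen.setdefault(version, classify(major, minor, fix, letter))
    return list(seen.items())

# Constructed sample bytes standing in for two server binaries.
SAMPLE_OLD = b"\x00\x7fELF...\x00OpenSSL 0.9.8r 8 Feb 2011\x00ssl3_accept\x00"
SAMPLE_NEW = b"\x00MZ..\x00OpenSSL 1.0.1e 11 Feb 2013\x00tls1_heartbeat\x00"

if __name__ == "__main__":
    # Usage: python scan_openssl.py /path/to/server-binary
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            results = scan(fh.read())
    else:
        results = scan(SAMPLE_OLD) + scan(SAMPLE_NEW)
    for version, status in results:
        print(f"OpenSSL {version}: {status}")
```

The banner reflects only the version string: distribution packages that backport the fix keep the old banner, and a build compiled without heartbeat support is not exposed, so an "affected range" result still needs confirming against the running service.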