This is why NetWin started building SurgeMail for Windows with OpenSSL 1.0.1 recently. Unfortunately, that introduced the Heartbleed vulnerability (made public 2 days ago), which is so bad that all those other weaknesses are chickenshit in comparison.

The new build will be better, but is currently (6.6c-1) unusable if you have iOS and possibly other smartphone users, as they are seeing emails with an empty body when connecting to 6.6c-1 via IMAP. (Multiple platforms are affected.)

Be grateful that you aren’t hit by Heartbleed and therefore don’t need to revoke and re-issue all your certs. Wait for the dust to settle.

Best,
Chris

On 09.04.2014 at 23:14, Neil Herber (nospam) HIDDEN@@eton.ca> wrote:

> When I run:
>
> https://www.ssllabs.com/ssltest/index.html
>
> on my SurgeMail server it gets an F grade.
>
> It is running on a Windows server box and only Surgemail uses port 443
> or SSL.
>
> SurgeMail Version 6.5a-1, Built Sep 9 2013 12:52:22, Platform Windows (Surgeweb Enabled)
>
> In particular, the test notes that:
> * This server is not vulnerable to the Heartbleed attack. (Yay!)
> * This server supports SSL 2, which is obsolete and insecure. Grade set
>   to F. (Boo!)
> * The server supports only older protocols, but not the current best TLS
>   1.2. Grade capped to B. (Boo!)
>
> Is there any way to harden SurgeMail to raise these ratings? A
> Surgemail.ini setting or two? Or does it need a new build?
>
> Thanks
> Neil
>
> --
> Neil Herber