We are rebuilding the last stable release with the new
libraries now, so approximately 2 hours all going well.
 
In terms of fixing the bug in the beta build - I won't know till we
find it, but I would expect some time late today if I can get a sample
message that causes the problem and reproduce it locally, then I'm fairly
confident it won't be hard to find the cause.  If the problem is
intermittent or related to messages other than the one that fails, then it might
take another day or two to find the cause.   I'd lay odds we'll find
it before the day is out as a best guess.
 
ChrisP.
 
 
   
  Frank 
   
  From: surgemail-support [mailto:surgemail-support@netwinsite.com] 
  Sent: Wednesday, April 09, 2014 5:06 PM 
  To: surgemail-list@netwinsite.com 
  Subject: re: Re: [SurgeMail List] CVE-2014-0160 a. k. a.Heartbleed 
   
  Hmmm, I don't get the logic of 'turning off ssl2' to increase security,
  so then a client that can only use ssl2 has to use plain text, which is
  definitely not as secure as ssl2.... :-) But anyway, it's a bit academic as
  old clients that require ssl2 probably hardly exist anymore. 
   
  This setting will help with your score... (restart surgemail after
  changing) 
  G_SSL_DISABLE_SSLV2 "TRUE" 
   
  Once we have the new builds stable then an upgrade and some more settings
  will get you a higher rating. I suggest you wait until next week if you don't
  have an immediate problem. 
   
  ChrisP. 
   
   
  When I run: 
   
  https://www.ssllabs.com/ssltest/index.html 
   
  on my SurgeMail server it gets an F grade. 
   
  It is running on a Windows server box and only Surgemail uses port 443
  or SSL. 
   
  SurgeMail Version 6.5a-1, Built Sep 9 2013 12:52:22, Platform Windows
  (Surgeweb Enabled) 
   
   
  In particular, the test notes that: 
  * This server is not vulnerable to the Heartbleed attack. (Yay!) 
  * This server supports SSL 2, which is obsolete and insecure. Grade set
    to F. (Boo!) 
  * The server supports only older protocols, but not the current best TLS
    1.2. Grade capped to B. (Boo!) 
   
  Is there any way to harden SurgeMail to raise these ratings? A 
  Surgemail.ini setting or two? Or does it need a new build? 
   
  Thanks 
  Neil 
   
  -- 
  Neil Herber