Do we know if dovecot is vulnerable to the heartbleed SSL problem? I'm running dovecot-2.0.9 and openssl-1.01, the latter being intrinsically vulnerable. An on-line tool says that my machine is not affected on port 993 but it would be nice to know for sure if we were vulnerable for a while. (Naturally I've blocked it anyway!).

Thanks

John
* John Rowe <J.M.Rowe at exeter.ac.uk>:
> Do we know if dovecot is vulnerable to the heartbleed SSL problem?

ANY application using the affected OpenSSL versions is vulnerable. That includes dovecot.

> I'm running dovecot-2.0.9 and openssl-1.01, the latter being
> intrinsically vulnerable. An on-line tool says that my machine is not
> affected on port 993 but it would be nice to know for sure if we were
> vulnerable for a while. (Naturally I've blocked it anyway!).
>
> Thanks
>
> John

--
[*] sys4 AG
https://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München
Registered office: München, District Court München: HRB 199263
Board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the Supervisory Board: Florian Kirstein
On 08.04.2014 19:00, John Rowe wrote:
> Do we know if dovecot is vulnerable to the heartbleed SSL problem?
>
> I'm running dovecot-2.0.9 and openssl-1.01, the latter being
> intrinsically vulnerable. An on-line tool says that my machine is not
> affected on port 993 but it would be nice to know for sure if we were
> vulnerable for a while. (Naturally I've blocked it anyway!).
>

Usually all programs are linked dynamically to the library, so the vulnerability depends on the library only. If you updated the library today and restarted the service (!!) then it is very likely that your mail installation is not vulnerable any more. Otherwise it is very likely to be vulnerable, regardless of what tests say.

JC
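A way to verify the "restarted the service" point above, added here as an example and not part of the original thread: after a package upgrade the old libssl/libcrypto file is unlinked, and Linux marks such mappings "(deleted)" in /proc/PID/maps, so any process still showing one is running the pre-upgrade code. The library paths in the embedded sample are constructed; reading other users' maps files requires root.

```sh
#!/bin/sh
# Find processes that still map a deleted (pre-upgrade) OpenSSL library.

# stale_ssl_maps: read one /proc/<pid>/maps file on stdin and print the
# pathname of every libssl/libcrypto mapping flagged "(deleted)".
# maps columns: address perms offset dev inode pathname; the pathname is
# everything after the fifth field, so the "(deleted)" suffix survives.
stale_ssl_maps() {
    grep -E 'lib(ssl|crypto)[^ ]*\.so[^ ]* \(deleted\)' \
      | sed -E 's/^([^ ]+ +){5}//' \
      | sort -u
}

# scan_procs: print "<pid> <comm> <library>" for each affected process.
# Returns 0 when nothing stale was found, 1 otherwise.
scan_procs() {
    stale=0
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}; pid=${pid%/maps}
        libs=$(stale_ssl_maps 2>/dev/null < "$maps")
        [ -n "$libs" ] || continue
        comm=$(cat "/proc/$pid/comm" 2>/dev/null || echo '?')
        printf '%s %s %s\n' "$pid" "$comm" "$libs"
        stale=1
    done
    return "$stale"
}

# Constructed sample maps excerpt: one stale libssl, one current
# libcrypto, and an unrelated deleted library that must be ignored.
SAMPLE_MAPS='7f1e8c000000-7f1e8c1a0000 r-xp 00000000 08:01 1234 /usr/lib/libssl.so.1.0.0 (deleted)
7f1e8c1a0000-7f1e8c3a0000 r-xp 00000000 08:01 1235 /usr/lib/libcrypto.so.1.0.0
7f1e8c400000-7f1e8c410000 r-xp 00000000 08:01 99 /usr/lib/libz.so.1 (deleted)'

# check_sample: run the parser over the constructed excerpt.
check_sample() {
    printf '%s\n' "$SAMPLE_MAPS" | stale_ssl_maps
}

# Scan the live system; a non-zero status means something needs a restart.
scan_procs || echo 'stale OpenSSL mappings found: restart those services'
```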
On 8.4.2014, at 20.00, John Rowe <J.M.Rowe at exeter.ac.uk> wrote:
> Do we know if dovecot is vulnerable to the heartbleed SSL problem?

It may be possible that the attacker was able to get the SSL private key(s), although this depends on the OS and its memory allocation patterns. If you use only a single SSL cert I think it might be possible that it doesn't leak with Dovecot, but it's definitely not a good idea to trust that. I haven't anyway looked closely enough into this to verify, I'm just guessing based on the information in http://blog.existentialize.com/diagnosis-of-the-openssl-heartbleed-bug.html

By default Dovecot's login processes run in the "high security mode" where each IMAP/POP3 connection runs in its own process. This was done especially to avoid security bugs in OpenSSL from leaking users' passwords. So unless you have switched to the "high performance mode", users' passwords or other sensitive data couldn't have been leaked. http://wiki2.dovecot.org/LoginProcess

Would be nice if it was possible to hide the SSL private keys to separate processes as well, but that would probably require changes to OpenSSL itself.

(BTW. I've been too busy recently to even have time to read any mails in Dovecot list. I'll try to go through at least most of it before making the next Dovecot release. And hopefully by summer I've more time again.)