
Topic: About OpenSSL vulnerability: Heartbleed

I believe you all already know about this OpenSSL bug; if you don't, please refer to http://heartbleed.com/ for more details.

Just want to share what you need to do on an iRedMail server.

The Heartbleed bug (CVE-2014-0160) was introduced in OpenSSL 1.0.1 and is present in

* 1.0.1
* 1.0.1a
* 1.0.1b
* 1.0.1c
* 1.0.1d
* 1.0.1e
* 1.0.1f

The bug isn't present in 1.0.1g, nor the 1.0.0 and 0.9.8 branches of OpenSSL.

There's an online checker for your server: http://filippo.io/Heartbleed/ . Test every TLS port you expose, not only HTTPS: each service below does its own TLS handshake through the same vulnerable library.

What is affected on an iRedMail server

1) Every service that speaks SSL/TLS through a vulnerable copy of libssl:

* Web services (HTTPS, port 443)
* Submission (STARTTLS, port 587)
* SMTPS (SSL, port 465. NOTE: This service is not enabled by default.)
* POP3S/IMAPS (port 995/993), and STARTTLS on plain POP3/IMAP (port 110/143) if you allow it
* LDAPS (port 636), and STARTTLS on plain LDAP (port 389) if you allow it

2) The bug lets any client read up to 64 KB of the affected process's memory per malicious heartbeat, and the attack leaves nothing in the logs. Your private key, and the passwords, session cookies and mail contents that passed through those services, might already have leaked without any notice.

Note: OpenSSH is *not* affected. sshd does not speak TLS and links only against libcrypto, not the libssl code that contains the bug.

Affected operating systems

Some operating system distributions that shipped a potentially vulnerable OpenSSL version:

* Debian 7 (Wheezy), OpenSSL 1.0.1e-2+deb7u4
* Ubuntu 12.04.4 LTS, OpenSSL 1.0.1-4ubuntu5.11
* CentOS 6.5, OpenSSL 1.0.1e-15
* OpenBSD 5.4 (OpenSSL 1.0.1c 10 May 2012)
* FreeBSD 10.0 – OpenSSL 1.0.1e 11 Feb 2013

It's better to check all servers you have, not only the mail server.

How to fix it
1: Update openssl package to a fixed version

Whichever OS you run, restart every service that uses the library afterwards (Apache/Nginx, Postfix, Dovecot, OpenLDAP), or simply reboot: a process that was already running keeps the old, vulnerable copy of libssl mapped in memory, so updating the package on disk alone fixes nothing until the process is restarted.

- For CentOS/RHEL:

Please update the openssl package with 'yum update' immediately, and make sure you have openssl-1.0.1e-16.el6_5.7 or a higher version installed. It's better to update the openssl-devel package too. This official fixed version was provided on April 8, 2014. Note that Red Hat backports the fix, so the version string printed by 'openssl version' stays 1.0.1e even after the update; judge by the package release number (or by the build date, which is April 7, 2014 or later in a fixed build), not by the letter.

# yum clean metadata
# yum update openssl

- For Debian/Ubuntu: Please update the openssl and libssl1.0.0 packages with 'apt-get'. libssl1.0.0 is the library package your services actually load, so updating only the 'openssl' command-line tool is not enough; and on these releases 'apt-get upgrade' does not accept package names, so use 'apt-get install' (or a full upgrade):

$ sudo apt-get update
$ sudo apt-get install openssl libssl1.0.0

- For FreeBSD:

1) Please upgrade openssl from ports: security/openssl. Users unable to upgrade immediately can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS, which removes the heartbeat extension entirely.
2) update base system by following this tutorial (via a source code patch or binary patch):
http://www.freebsd.org/security/advisor … penssl.asc

- For OpenBSD 5.3/5.4/5.5, you can either rebuild patched source code of OpenBSD base system, or install a binary patch from https://stable.mtier.org/
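Two checks worth running once the package update is done on any of the systems above, as an added example (this script is not part of the iRedMail post or project): classify the installed build from the two lines printed by 'openssl version -v' and 'openssl version -b', using the affected-version list from this post plus the rule that a build dated April 7, 2014 or later carries the fix even when the version string still says 1.0.1e; and list processes that still have a deleted, pre-update libssl mapped, which are exactly the ones that need a restart. The second check assumes a Linux /proc filesystem; the version strings in the comments are constructed samples.

```shell
#!/bin/sh
# Added example, not part of the iRedMail post or project.
# (1) heartbleed_status: classify an OpenSSL build as vulnerable / patched /
#     not-affected / unknown from `openssl version -v` and `openssl version -b`.
# (2) stale_libssl_users: processes still mapping a deleted libssl (Linux /proc).

# built_after_fix "built on: Tue Apr  8 02:39:29 UTC 2014"
# exit 0 if the build date is 7 Apr 2014 or later, 1 otherwise (unparsable
# input such as "reproducible build, date unspecified" also returns 1).
built_after_fix() {
    set -- $(printf '%s\n' "$1" | sed 's/^built on: *//')
    [ $# -ge 6 ] || return 1
    mon=$2 day=$3 year=
    for f in "$@"; do
        case "$f" in [12][0-9][0-9][0-9]) year=$f ;; esac   # 1.0.x puts the year last, 1.1.x before "UTC"
    done
    [ -n "$year" ] || return 1
    case "$mon" in
        Jan) m=1 ;; Feb) m=2 ;; Mar) m=3 ;; Apr) m=4 ;;  May) m=5 ;;  Jun) m=6 ;;
        Jul) m=7 ;; Aug) m=8 ;; Sep) m=9 ;; Oct) m=10 ;; Nov) m=11 ;; Dec) m=12 ;;
        *) return 1 ;;
    esac
    [ "$year" -gt 2014 ] && return 0
    [ "$year" -eq 2014 ] && [ "$m" -gt 4 ] && return 0
    [ "$year" -eq 2014 ] && [ "$m" -eq 4 ] && [ "$day" -ge 7 ] && return 0
    return 1
}

# heartbleed_status VERSION_LINE [BUILT_ON_LINE]
# VERSION_LINE looks like "OpenSSL 1.0.1e-fips 11 Feb 2013" (constructed sample).
heartbleed_status() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9.]*[a-z]*\).*/\1/p')
    case "$ver" in
        1.0.1|1.0.1[a-f])
            # Affected release: only a backported fix (build date) can have cured it.
            if built_after_fix "${2:-}"; then echo patched; else echo vulnerable; fi ;;
        1.0.1[g-z]*|1.0.2*|1.1*|3.*) echo not-affected ;;   # fixed in 1.0.1g and later branches
        1.0.0*|0.9.8*)               echo not-affected ;;   # heartbeat code never existed here
        *)                           echo unknown ;;
    esac
}

# stale_libssl_users: print "PID command" for every process whose memory map
# still references a libssl file marked (deleted), i.e. the pre-update copy.
# Empty output means nothing is left to restart (processes you cannot read
# /proc/PID/maps for are skipped, so run it as root).
stale_libssl_users() {
    for m in /proc/[0-9]*/maps; do
        pid=${m#/proc/}; pid=${pid%/maps}
        if grep -q 'libssl.*(deleted)' "$m" 2>/dev/null; then
            printf '%s %s\n' "$pid" "$(tr '\0' ' ' < "/proc/$pid/cmdline")"
        fi
    done
}

# Usage on the host itself (guarded so the functions above can be sourced elsewhere).
if command -v openssl >/dev/null 2>&1; then
    echo "this host: $(heartbleed_status "$(openssl version -v)" "$(openssl version -b)")"
fi
stale_libssl_users
```

The build-date rule is a heuristic: Debian-style reproducible builds print no date, and a vendor could in principle rebuild without the fix, so confirm through the package metadata as well (on CentOS/RHEL, 'rpm -q --changelog openssl' lists CVE-2014-0160 in the fixed build; on Debian/Ubuntu, check the libssl1.0.0 changelog). Any PID that stale_libssl_users prints is a service still running the vulnerable code regardless of what the package manager says.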

2: Update your SSL certificates

Do this only after OpenSSL has been updated and the services restarted (step 1): a key generated on a still-vulnerable server can leak again the same way.

* If you're running SSL services (https/smtps/submission/...) with a self-signed SSL certificate, re-generate a new private key and a new certificate to replace the existing ones. Issuing a new certificate over the old key gains nothing, because it is the key that may have leaked. You can generate the pair with the script shipped within iRedMail (tools/generate_ssl_keys.sh) or with the openssl command directly.

To generate with iRedMail-0.8.6/tools/generate_ssl_keys.sh, open this file and
edit the parameters below:

- TLS_COUNTRY
- TLS_STATE
- TLS_CITY
- TLS_COMPANY
- TLS_DEPARTMENT
- TLS_HOSTNAME
- TLS_ADMIN

Then execute it:

# cd /path/to/iRedMail-0.8.6/tools/
# bash generate_ssl_keys.sh

It will create two new files under the current directory; copy them over the old certificate and key at the paths listed below (keep the key readable by root only), then restart the services so they load the new pair:

- certs/iRedMail_CA.pem
- private/iRedMail.key

Default SSL certificates are:

- On CentOS: /etc/pki/tls/certs/iRedMail_CA.pem (cert), /etc/pki/tls/private/iRedMail.key (key)
- On Debian/Ubuntu/FreeBSD: /etc/ssl/certs/iRedMail_CA.pem (cert), /etc/ssl/private/iRedMail.key (key)
- On OpenBSD: /etc/ssl/iRedMail_CA.pem (cert), /etc/ssl/iRedMail.key (key)

* If you're running SSL services with an SSL certificate purchased from an SSL provider, generate a new private key and a new CSR, have the certificate reissued from that CSR, and ask the provider to revoke the old certificate. Contact your provider if you are unsure of their reissue procedure.
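An added example of doing the re-keying with the openssl command instead of the iRedMail script (this is not generate_ssl_keys.sh and not the project's code): it creates a fresh RSA key and self-signed certificate, then gives you the two checks that matter for this step: the public key inside the certificate matches the key file you installed, and the new key really differs from the old, possibly leaked one. A third function applies the same comparison to a live port, so you can confirm that the restarted services present the new key. The hostname, directory names and the 10-year lifetime are assumptions for the example.

```shell
#!/bin/sh
# Added example, not iRedMail's generate_ssl_keys.sh. Requires the openssl CLI.

# new_selfsigned_cert DIR HOSTNAME
# Writes DIR/iRedMail.key (mode 0600) and DIR/iRedMail_CA.pem; the file names
# mirror what generate_ssl_keys.sh produces so they drop into the same paths.
new_selfsigned_cert() {
    dir=$1 host=$2
    mkdir -p "$dir"
    umask 077                       # key file is created unreadable to others
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=$host" \
        -keyout "$dir/iRedMail.key" -out "$dir/iRedMail_CA.pem" 2>/dev/null
    chmod 600 "$dir/iRedMail.key"
}

# key_fingerprint FILE -> SHA-256 hex of the DER public key, taken from either
# a private key file or a certificate, so the two can be compared directly.
key_fingerprint() {
    if grep -q 'BEGIN CERTIFICATE' "$1"; then
        openssl x509 -in "$1" -pubkey -noout 2>/dev/null
    else
        openssl pkey -in "$1" -pubout 2>/dev/null
    fi | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256 | sed 's/.*= //'
}

# served_key_fingerprint HOST PORT [STARTTLS_PROTOCOL]
# Same digest for the certificate a running service presents. Pass "smtp"
# for port 587, "imap"/"pop3" for 143/110; omit it for 443/465/993/995/636.
served_key_fingerprint() {
    host=$1 port=$2 proto=${3:-}
    if [ -n "$proto" ]; then
        openssl s_client -connect "$host:$port" -servername "$host" -starttls "$proto" </dev/null 2>/dev/null
    else
        openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null
    fi | openssl x509 -pubkey -noout 2>/dev/null | openssl pkey -pubin -outform DER 2>/dev/null \
       | openssl dgst -sha256 | sed 's/.*= //'
}

# Usage (assumed paths): ./rekey.sh generate ./new-ssl mail.example.com
# prints the new key's digest next to the old one so you can see they differ;
# after copying the files into place and restarting services, compare with
# e.g. served_key_fingerprint mail.example.com 587 smtp.
if [ "${1:-}" = generate ]; then
    out=${2:-./new-ssl} name=${3:-mail.example.com}
    new_selfsigned_cert "$out" "$name"
    echo "new key:  $(key_fingerprint "$out/iRedMail.key")"
    echo "new cert: $(key_fingerprint "$out/iRedMail_CA.pem")"
    [ -f /etc/ssl/private/iRedMail.key ] && echo "old key:  $(key_fingerprint /etc/ssl/private/iRedMail.key)"
fi
```

If the digest served on a port still equals the old key's digest after the restart, that daemon is reading a different certificate path than the one you replaced (Postfix, Dovecot, the web server and OpenLDAP each have their own setting), so fix its configuration rather than assuming the copy took effect.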

3: Re-generate your SSH private key

As noted above, OpenSSH is not affected, so this is a precaution rather than a requirement; it is still cheap to do on a server you no longer fully trust. You can re-generate an SSH key pair with the 'ssh-keygen' command. If you do, remove the old public key from every authorized_keys file it was installed in, and if you regenerate host keys, expect clients to see a changed host key warning until their known_hosts entries are updated.

References

Major distribution CVE advisories and update instructions

- Red Hat: https://access.redhat.com/security/cve/CVE-2014-0160
- CentOS: http://lists.centos.org/pipermail/cento … 20248.html
- Debian: http://www.debian.org/security/2014/dsa-2896
- Ubuntu: http://www.ubuntu.com/usn/usn-2165-1/
- FreeBSD: http://lists.freebsd.org/pipermail/free … 01541.html