Topic: About OpenSSL vulnerability: HeartBleed
I believe you all already know about this OpenSSL bug; if you don't, please refer to http://heartbleed.com/ for more details.
Just want to share what you need to do on an iRedMail server.
The heartbleed bug was introduced in OpenSSL 1.0.1 and is present in
The bug isn't present in 1.0.1g, nor the 1.0.0 and 0.9.8 branches of OpenSSL.
There's an online site to check this vulnerability for your server: http://filippo.io/Heartbleed/
What is affected on iRedMail server
1) All secure services running with a vulnerable version of openssl:
* Web services (HTTPS, port 443)
* Submission (STARTTLS, port 587)
* SMTPS (SSL, port 465. NOTE: This service is not enabled by default.)
* POP3S/IMAPS (TLS, port 995/993)
* LDAPS (TLS, port 389)
2) Your private key might already have leaked without any notice.
Note: OpenSSH service is *not* affected.
Affected operating systems
Some operating system distributions that have shipped with a potentially vulnerable OpenSSL version:
* Debian 7 (Wheezy), OpenSSL 1.0.1e-2+deb7u4
* Ubuntu 12.04.4 LTS, OpenSSL 1.0.1-4ubuntu5.11
* CentOS 6.5, OpenSSL 1.0.1e-15
* OpenBSD 5.4 (OpenSSL 1.0.1c 10 May 2012)
* FreeBSD 10.0, OpenSSL 1.0.1e 11 Feb 2013
It's better to check all servers you have.
How to fix it
1: Update openssl package to a fixed version
- For CentOS/RHEL:
Please update the openssl package with 'yum update' immediately and make sure you have openssl-1.0.1e-16.el6_5.7 or a higher version installed. It's better to update the openssl-devel package too. This official fixed version was provided on April 8.
# yum clean metadata
# yum update openssl
- For Debian/Ubuntu: Please update the openssl package with the 'apt-get' tool.
$ sudo apt-get update
$ sudo apt-get upgrade openssl
- For FreeBSD:
1) Please upgrade openssl with the port security/openssl. Users unable to immediately upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.
2) Update the base system by following this tutorial (via a source code patch or binary patch):
http://www.freebsd.org/security/advisor … penssl.asc
- For OpenBSD 5.3/5.4/5.5, you can either rebuild the patched source code of the OpenBSD base system, or install a binary patch from https://stable.mtier.org/
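After the package update, it is worth confirming three things on each server: what the openssl binary reports, what the package manager has installed, and which daemons are still running the old library. The script below is an added example for this thread, not part of iRedMail or the post above. It classifies the `openssl version` string against the affected range given above (and, going slightly beyond the post, treats the 1.1 and later branches released after the fix as not affected), prints the installed package version so it can be compared with the fixed versions quoted above (distro backports such as 1.0.1e-16.el6_5.7 keep reporting "1.0.1e", so the version string alone is not conclusive), and on Linux lists processes whose memory map still references a deleted libssl/libcrypto file, i.e. daemons that loaded the library before the upgrade and must be restarted.

```shell
#!/bin/sh
# Added example for this thread, not part of iRedMail or the post above:
# checks what "openssl version" reports against the affected range given
# above, shows the installed package version for comparison with the fixed
# distro versions, and lists processes that still have a deleted (pre-upgrade)
# libssl/libcrypto mapped, which must be restarted to pick up the fix.
# Assumes a Linux host with /proc for the process scan; it is skipped elsewhere.

# classify_openssl_version "OpenSSL 1.0.1e 11 Feb 2013"  (or a bare "1.0.1e")
# Prints one of:
#   affected-branch  1.0.1 through 1.0.1f: vulnerable unless the distro
#                    backported the fix (the version string does not change)
#   not-affected     1.0.1g and later, the 1.0.0 / 0.9.8 branches, and the
#                    1.1 and later branches released after the fix
#   unknown          anything else (1.0.2 pre-releases, unparsable input)
classify_openssl_version() {
    raw=${1#OpenSSL }      # drop the program name if present
    ver=${raw%% *}         # keep the first word: the version itself
    case "$ver" in
        0.9.8*|1.0.0*)       echo not-affected ;;
        1.0.1|1.0.1[a-f]*)   echo affected-branch ;;
        1.0.1[g-z]*)         echo not-affected ;;
        1.[1-9].*|[2-9].*)   echo not-affected ;;
        *)                   echo unknown ;;
    esac
}

# installed_openssl_package: package version as the package manager sees it,
# to compare with the fixed versions quoted above (e.g. 1.0.1e-16.el6_5.7)
installed_openssl_package() {
    if command -v rpm >/dev/null 2>&1; then
        rpm -q openssl 2>/dev/null
    elif command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='openssl ${Version}\n' openssl 2>/dev/null
    else
        echo 'no rpm/dpkg found; check your package manager manually'
    fi
}

# services_needing_restart: "PID command" for every process whose memory map
# still references a deleted libssl or libcrypto file, i.e. it loaded the
# library before the upgrade and is still running the vulnerable code.
services_needing_restart() {
    [ -d /proc ] || return 0
    for maps in /proc/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        if grep -Eq 'lib(ssl|crypto)[^ ]*\(deleted\)' "$maps" 2>/dev/null; then
            pid=${maps#/proc/}; pid=${pid%/maps}
            cmd=$(cat "/proc/$pid/cmdline" 2>/dev/null | tr '\0' ' ' | cut -c1-60)
            printf '%s %s\n' "$pid" "$cmd"
        fi
    done
}

main() {
    if command -v openssl >/dev/null 2>&1; then
        v=$(openssl version)
        printf 'openssl version : %s -> %s\n' "$v" "$(classify_openssl_version "$v")"
    else
        echo 'openssl binary not found in PATH'
    fi
    printf 'package         : %s\n' "$(installed_openssl_package)"
    echo 'processes still mapping a deleted libssl/libcrypto (restart them):'
    services_needing_restart
}

main
```

Run it as root after the update so that every process's map can be read; an empty restart list together with a package version at or above the fixed one for your distribution is the result you want. A non-empty list means the listed daemons (typically Apache/Nginx, Postfix, Dovecot, OpenLDAP) are still serving the vulnerable code until restarted.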
2: Update your SSL certificates
Please make sure you have the latest openssl installed first.
* If you're running SSL services (https/smtps/submission/...) with a self-signed SSL certificate, please re-generate one to replace the existing one. You can generate an SSL certificate with the script shipped with iRedMail (tools/generate_ssl_keys.sh) or with the openssl command directly.
To generate it with iRedMail-0.8.6/tools/generate_ssl_keys.sh, please open this file and edit the parameters below:
Then execute it:
# cd /path/to/iRedMail-0.8.6/tools/
# bash generate_ssl_keys.sh
It will create two new files under the current directory; you can replace the old SSL certificates with them:
Default SSL certificates are:
- On CentOS: /etc/pki/tls/certs/iRedMail_CA.pem (cert), /etc/pki/tls/private/iRedMail.key (key)
- On Debian/Ubuntu/FreeBSD: /etc/ssl/certs/iRedMail_CA.pem (cert), /etc/ssl/private/iRedMail.key (key)
- On OpenBSD: /etc/ssl/iRedMail_CA.pem (cert), /etc/ssl/iRedMail.key (key)
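For the "with the openssl command directly" route, here is an added example that is not the iRedMail project's generate_ssl_keys.sh and not part of the post above. It writes a new 2048-bit RSA key and self-signed certificate under the iRedMail file names into a directory you choose, keeps the key from ever being world-readable, and prints the new fingerprint next to the fingerprint of any certificate found at the default paths listed above, so you can confirm that what the services present after the restart is really the new one. The hostname and output directory are the caller's choice; the values in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example, not the iRedMail project's generate_ssl_keys.sh: create a
# fresh self-signed certificate and private key with the openssl command
# directly, into a directory of your choice, and print fingerprints so the
# new files can be told apart from the old ones before they are swapped in.
# Assumes a fixed openssl is in PATH; hostname and output directory are the
# caller's choice (the values in the usage comment are placeholders).

# generate_self_signed DIR HOSTNAME [DAYS]
#   Writes DIR/iRedMail.key (mode 0600) and DIR/iRedMail_CA.pem (mode 0644),
#   the file names iRedMail expects at the default paths listed above.
#   Exit status: 0 on success, 2 if openssl is missing, 1 on any other failure.
generate_self_signed() {
    dir=$1; host=$2; days=${3:-3650}
    command -v openssl >/dev/null 2>&1 || { echo 'openssl not found' >&2; return 2; }
    mkdir -p "$dir" || return 1
    old_umask=$(umask)
    umask 077                    # the key must never be created world-readable
    rc=0
    openssl req -new -x509 -nodes -newkey rsa:2048 -days "$days" \
        -subj "/CN=$host" \
        -keyout "$dir/iRedMail.key" -out "$dir/iRedMail_CA.pem" \
        >/dev/null 2>&1 || rc=$?
    umask "$old_umask"
    [ "$rc" -eq 0 ] || return 1
    chmod 600 "$dir/iRedMail.key" && chmod 644 "$dir/iRedMail_CA.pem"
}

# cert_fingerprint FILE: SHA-1 fingerprint of a PEM certificate (colon form)
cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha1 -in "$1" | sed 's/^.*=//'
}

# cert_subject_cn FILE: the CN of the certificate subject, for a sanity check
# (handles both the "subject= /CN=x" and the "subject=CN = x" output styles)
cert_subject_cn() {
    openssl x509 -noout -subject -in "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# main OUTDIR HOSTNAME: generate, then show old vs new fingerprint when an
# existing certificate is found at one of the default locations above.
main() {
    out=$1; host=$2
    generate_self_signed "$out" "$host" || return $?
    echo "new certificate for $(cert_subject_cn "$out/iRedMail_CA.pem") written to $out"
    echo "new fingerprint: $(cert_fingerprint "$out/iRedMail_CA.pem")"
    for old in /etc/pki/tls/certs/iRedMail_CA.pem /etc/ssl/certs/iRedMail_CA.pem /etc/ssl/iRedMail_CA.pem; do
        [ -r "$old" ] && echo "old fingerprint ($old): $(cert_fingerprint "$old")"
    done
    echo "now copy the two files over the paths listed above and restart the services that use them"
}

# Runs only when called with both arguments, e.g. (placeholder values):
#   sh regen_cert.sh ./new-ssl mail.example.com
if [ $# -ge 2 ]; then
    main "$1" "$2"
fi
```

Generate into a scratch directory first, copy the two files over the cert and key paths for your platform, restart the web, Postfix, Dovecot and LDAP services, and then compare the fingerprint that a client sees (for example with `openssl s_client -connect host:993` followed by `openssl x509 -fingerprint -sha1`) with the "new fingerprint" printed here; if the old one is still being presented, a service has not been restarted. Because the old key must be assumed leaked, the old files should be removed rather than kept around as a fallback.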
* If you're running SSL services with an SSL certificate purchased from an SSL provider, please contact your provider to check whether you need to reissue a new one.
3: Re-generate your SSH private key
You can re-generate your SSH private key with the 'ssh-keygen' command.
Major distribution CVEs and update instructions
- Red Hat: https://access.redhat.com/security/cve/CVE-2014-0160
- CentOS: http://lists.centos.org/pipermail/cento … 20248.html
- Debian: http://www.debian.org/security/2014/dsa-2896
- Ubuntu: http://www.ubuntu.com/usn/usn-2165-1/
- FreeBSD: http://lists.freebsd.org/pipermail/free … 01541.html