I believe you all already know this OpenSSL bug, if you don't, please refer to http://heartbleed.com/ for more details.
Just want to share what you need to do on iRedMail server.
The heartbleed bug was introduced in OpenSSL 1.0.1 and is present in
* 1.0.1
* 1.0.1a
* 1.0.1b
* 1.0.1c
* 1.0.1d
* 1.0.1e
* 1.0.1f
The bug isn't present in 1.0.1g, nor the 1.0.0 and 0.9.8 branches of OpenSSL.
There's an online site to check this vulnerability for your server: http://filippo.io/Heartbleed/
What is affected on iRedMail server
1) All secure services running with a vulnerable version of openssl:
* Web services (HTTPS, port 443)
* Submission (STARTTLS, port 587)
* SMTPS (SSL, port 465. NOTE: This service is not enabled by default.)
* POP3S/IMAPS (TLS, port 995/993)
* LDAPS (TLS, port 389)
2) Your private key might already have leaked without any notice.
Note: OpenSSH service is *not* affected.
Affected operating systems
Some operating system distributions that have shipped with potentially vulnerable OpenSSL version:
* Debian 7 (Wheezy), OpenSSL 1.0.1e-2+deb7u4
* Ubuntu 12.04.4 LTS, OpenSSL 1.0.1-4ubuntu5.11
* CentOS 6.5, OpenSSL 1.0.1e-15
* OpenBSD 5.4 (OpenSSL 1.0.1c 10 May 2012)
* FreeBSD 10.0 – OpenSSL 1.0.1e 11 Feb 2013
It's better to check all servers you have.
How to fix it
1: Update openssl package to a fixed version
- For CentOS/RHEL:
Please update openssl package with 'yum update' immediately, make sure you have openssl-1.0.1e-16.el6_5.7 or higher version installed. It's better to update package openssl-devel too. this official fixed version was provided on April 8.
# yum clean metadata
# yum update openssl
- For Debian/Ubuntu: Please update openssl package with 'apt-get' tool.
$ sudo apt-get update
$ sudo apt-get upgrade openssl
- For FreeBSD:
1) please upgrade openssl with port: security/openssl. Users unable to immediately upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.
2) update base system by following this tutorial (via a source code patch or binary patch):
http://www.freebsd.org/security/advisor … penssl.asc
- For OpenBSD 5.3/5.4/5.5, you can either rebuild patched source code of OpenBSD base system, or install a binary patch from https://stable.mtier.org/
2: Update your SSL certificates
Please make sure you have the latest openssl.
* If you're running SSL services (https/smtps/submission/...) with a self-signed SSL certificate, please re-generate one to replace existing one. You can generate ssl certificate with script shipped within iRedMail (tools/generate_ssl_keys.sh) or with openssl command directly.
To generate with iRedMail-0.8.6/tools/generate_ssl_keys.sh, please open this file and
edit below parameters:
- TLS_COUNTRY
- TLS_STATE
- TLS_CITY
- TLS_COMPANY
- TLS_DEPARTMENT
- TLS_HOSTNAME
- TLS_ADMIN
Then execute it:
# cd /path/to/iRedMail-0.8.6/tools/
# bash generate_ssl_keys.sh
It will create two new files under current directory, you can replace old ssl certificates with these them:
- certs/iRedMail_CA.pem
- private/iRedMail.key
Default SSL certificates are:
- On CentOS: /etc/pki/tls/certs/iRedMail_CA.pem (cert), /etc/pki/tls/private/iRedMail.key (key)
- On Debian/Ubuntu/FreeBSD: /etc/ssl/certs/iRedMail_CA.pem (cert), /etc/ssl/private/iRedMail.key (key)
- On OpenBSD: /etc/ssl/iRedMail_CA.pem (cert), /etc/ssl/iRedMail.key (key)
* If you're running SSL services with a ssl certificate purchased from a SSL provider, please contact your provider to check whether you need to reissue a new one.
3: Re-generate your SSH private key
You can re-generate SSH private key with command 'ssh-keygen'.
References
Major distribution CVE's and update instructions
- Red Hat: https://access.redhat.com/security/cve/CVE-2014-0160
- CentOS: http://lists.centos.org/pipermail/cento … 20248.html
- Debian: http://www.debian.org/security/2014/dsa-2896
- Ubuntu: http://www.ubuntu.com/usn/usn-2165-1/
- FreeBSD: http://lists.freebsd.org/pipermail/free … 01541.html
