EmailDiscussions.com  

Old 9 Apr 2014, 11:53 AM   #1
ioneja
Cornerstone of the Community
 
Join Date: Jul 2011
Posts: 713
List of email providers who have patched for Heartbleed vulnerability!

Hi fellow email enthusiasts,

I've been reading about the Heartbleed vulnerability, and I decided to run some tests on a few email services I currently use, have used, or have considered using... please feel free to update this thread as email providers update (or DON'T update) their servers, as the case may be.

I used https://www.ssllabs.com/ to see if they have updated their servers.

For example, https://www.ssllabs.com/ssltest/anal...?d=fastmail.fm

List of services that have ALREADY updated their servers:

As of about 2:30am GMT, here are some I tested:

Luxsci - PASS, and they have a great blog post about it. But they have not yet replaced their cert, which should be happening very soon.

Fastmail - PASS, and they have a quick blog post, AND they have replaced their cert! Well done! And fast, too.

Runbox - PASS, and they have replaced their cert! Well done! Forum post from Runbox staff confirms this as well.

MyKolab - PASS, but they have NOT replaced their cert. Not sure if they were ever vulnerable, not sure what version of OpenSSL they used, so maybe they don't need to replace their cert. Someone care to comment?

Tuffmail - PASS, but they have NOT replaced their cert. Not sure if they were ever vulnerable, though.

Polarismail - FAIL, ssllabs test says "This server is vulnerable to the Heartbleed attack. Grade set to F. (Experimental) " -- Please update this thread if someone finds out they've patched their server!

I didn't bother testing Microsoft/Office365 (for obvious reasons) or Google, since presumably they are not vulnerable or (in the case of Google) they have already patched since they are one of the organizations that discovered the bug, to my understanding.

Please update the thread for your favorite (or not-so-favorite) providers...

Old 9 Apr 2014, 01:26 PM   #2
Zero3K
Member
 
Join Date: Jun 2005
Posts: 58
Openmailbox is no longer vulnerable to the Heartbleed attack.
Old 9 Apr 2014, 03:11 PM   #3
petergh
Master of the @
 
Join Date: Jan 2002
Location: Denmark
Posts: 1,302
Shouldn't we be testing the MX/SMTP/POP/IMAP servers instead of the web servers (e.g., fastmail.fm, runbox.com)?
Old 9 Apr 2014, 04:53 PM   #4
Berenburger
The "e" in e-mail
 
Join Date: Sep 2004
Location: The Netherlands
Posts: 2,908
EUMX - FAIL, ssllabs test says "This server is vulnerable to the Heartbleed attack. Grade set to F. (Experimental) " -- Please update this thread if someone finds out they've patched their server!

https://www.ssllabs.com/ssltest/anal...d=ssl.eumx.net
Old 9 Apr 2014, 05:01 PM   #5
Berenburger
The "e" in e-mail
 
Join Date: Sep 2004
Location: The Netherlands
Posts: 2,908
Quote:
Originally Posted by ioneja
Tuffmail - PASS, but they have NOT replaced their cert. Not sure if they were ever vulnerable, though.
Did you test https://webmail.tuffmail.net?

OK, not vulnerable to the Heartbleed attack (Experimental), but overall an F because:
  • This server supports SSL 2, which is obsolete and insecure. Grade set to F.
  • This server is vulnerable to MITM attacks because it supports insecure renegotiation. Grade set to F.
  • The server supports only older protocols, but not the current best TLS 1.2. Grade capped to B.
  • There is no support for secure renegotiation.
  • The server does not support Forward Secrecy with the reference browsers.
Tuffmail.com:
  • This server is not vulnerable to the Heartbleed attack. (Experimental)
  • This server does not mitigate the CRIME attack. Grade capped to B.
  • The server supports only older protocols, but not the current best TLS 1.2. Grade capped to B.
  • The server does not support Forward Secrecy with the reference browsers.

Last edited by Berenburger : 9 Apr 2014 at 05:07 PM. Reason: added tuffmail.com
Old 9 Apr 2014, 06:30 PM   #6
fabule
Essential Contributor
 
Join Date: Jan 2005
Posts: 413

Representative of:
eumx.net
Eumx.net is patched and gets an A on the ssllabs test.

Quote:
Originally Posted by Berenburger
EUMX - FAIL, ssllabs test says "This server is vulnerable to the Heartbleed attack. Grade set to F. (Experimental) " -- Please update this thread if someone finds out they've patched their server!

https://www.ssllabs.com/ssltest/anal...d=ssl.eumx.net
Old 9 Apr 2014, 08:56 PM   #7
Cory
Essential Contributor
 
Join Date: May 2012
Posts: 459
Rackspace Apps (email hosting plan) passes https://www.ssllabs.com/ssltest/anal...&s=69.20.91.24

Polarismail when testing their Enhanced webmail login https://www.ssllabs.com/ssltest/anal...emailarray.com does not pass.
Old 9 Apr 2014, 11:22 PM   #8
Dutchie007
Essential Contributor
 
Join Date: Jun 2010
Location: The Netherlands
Posts: 388
mail.ru, Yandex and Rambler are all NOT vulnerable :-)

Nice!!

Source: https://github.com/musalbas/heartble...er/top1000.txt
Dutchie
Old 10 Apr 2014, 12:25 AM   #9
n5bb
Intergalactic Postmaster
 
Join Date: May 2004
Location: Irving, Texas
Posts: 8,930
Heartbleed affects many (but not all) devices and services

Quote:
Originally Posted by petergh
Shouldn't we be testing the MX/SMTP/POP/IMAP servers instead of the web servers (e.g., fastmail.fm, runbox.com)?
The Heartbleed bug affects any transport service (https on websites, email connections, VPN, etc.) using certain recent unpatched versions of the popular OpenSSL software libraries for a secure connection. Someone using an exploit based on the bug can read a random 64KB block of memory on the server performing the secure connection. This might allow discovery of security keys, usernames, passwords, and the content of web pages or emails. This is due to leaking the current content of random memory blocks on that one communication server. You could think of this as flipping randomly through channels on your television - current live communication to/from anyone using that server might be exposed, or might not be exposed. If a WiFi access point or other device (such as software running on a PC or mobile pad or phone) uses this library, supposedly secure connection servers you interact with might be able to read random memory blocks on your device or the WiFi access point or a wired router. Windows itself is not affected directly, but many servers and devices are.

This is a very bad bug which could affect all networked secure communication. Think of it as malware installed in the operating system and BIOS of some devices - but we don't know which ones, since there are so many such devices we use. See more comments here:
http://security.stackexchange.com/a/55121

So yes, both website and SMTP/IMAP/POP servers should be checked. Depending on the email service, the domains (and so the security certificates) may be different for web and SMTP/IMAP/POP connections. For example, Fastmail uses FastMail.fm for their website but messagingengine.com for email clients and email MTA to MTA connections. Unfortunately (due to load sharing and other considerations) you can't be assured that all servers are patched by just running an external test a few times.

Some email servers do not encrypt MTA to MTA SMTP connections between email systems. So that connection is not subject to this bug, although any email communications could be monitored by others with access to that physical interface link.

The link given earlier to the Qualys SSL Labs tool only tests https secure website servers, so it can't tell you if an email server is susceptible to the Heartbleed bug, only webmail connections. The following tool seems to also test SMTP/IMAP/POP servers:
http://filippo.io/Heartbleed/

Bill
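Bill's point that every service must be checked separately comes down to the TLS handshake: the ServerHello a server sends back looks the same on an https port as it does after STARTTLS on SMTP, IMAP or POP, so a webmail result says nothing about the mail ports. The following Python script is an added example, not code from this thread or from any of the tools linked in it. It parses a captured ServerHello and reports whether the server echoed the heartbeat extension (RFC 6520, type 15). The record builder, the function names, and the assumption that the client offered the heartbeat extension are mine; the sample ServerHello bytes are constructed inline so the script runs offline.

```python
"""Added example: inspect a TLS ServerHello for the heartbeat extension.

The TLS handshake is the same whether it runs on an https port or after
STARTTLS on SMTP/IMAP/POP, so the same check applies to every service a
provider runs.  Assumptions (not from the thread): the bytes were captured
from a client that offered the heartbeat extension; the sample ServerHello
records below are constructed inline so the script runs offline.
"""
import struct

HANDSHAKE = 0x16            # TLS record content type
SERVER_HELLO = 0x02         # handshake message type
EXT_HEARTBEAT = 0x000F      # RFC 6520 extension type
EXT_RENEGOTIATION = 0xFF01  # RFC 5746, included only to make the sample realistic
HEARTBEAT_MODES = {1: "peer_allowed_to_send", 2: "peer_not_allowed_to_send"}


def iter_handshake_messages(capture: bytes):
    """Yield (type, body) for each handshake message in a capture.

    Servers may pack ServerHello/Certificate/ServerHelloDone into one record
    or split one message across records, so records are reassembled first.
    """
    handshake_layer = b""
    pos = 0
    while pos + 5 <= len(capture):
        ctype, _version, rlen = struct.unpack("!BHH", capture[pos:pos + 5])
        if ctype != HANDSHAKE:
            raise ValueError(f"unexpected record type {ctype:#x}")
        pos += 5
        handshake_layer += capture[pos:pos + rlen]
        pos += rlen
    hpos = 0
    while hpos + 4 <= len(handshake_layer):
        htype = handshake_layer[hpos]
        hlen = int.from_bytes(handshake_layer[hpos + 1:hpos + 4], "big")
        body = handshake_layer[hpos + 4:hpos + 4 + hlen]
        if len(body) < hlen:
            raise ValueError("truncated handshake message")
        yield htype, body
        hpos += 4 + hlen


def parse_server_hello_extensions(body: bytes) -> dict:
    """Return {extension_type: data} from a ServerHello body (header stripped)."""
    pos = 2 + 32                           # server_version + random
    session_id_len = body[pos]
    pos += 1 + session_id_len
    pos += 2 + 1                           # cipher_suite + compression_method
    extensions = {}
    if pos >= len(body):                   # ServerHello without an extensions block
        return extensions
    (ext_total,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    end = pos + ext_total
    if end > len(body):
        raise ValueError("extensions block overruns ServerHello")
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        extensions[etype] = body[pos:pos + elen]
        pos += elen
    return extensions


def heartbeat_mode(capture: bytes):
    """Name of the HeartbeatMode the server echoed, or None if it is absent.

    None means the build has no heartbeat support at all (e.g. compiled with
    OPENSSL_NO_HEARTBEATS), which rules Heartbleed out for that service.  A
    mode value only shows the extension is enabled: a patched OpenSSL 1.0.1g
    still advertises it, so follow up with the vendor's patch status.
    """
    for htype, body in iter_handshake_messages(capture):
        if htype == SERVER_HELLO:
            data = parse_server_hello_extensions(body).get(EXT_HEARTBEAT)
            if data is None or len(data) != 1:
                return None
            return HEARTBEAT_MODES.get(data[0], f"unknown({data[0]})")
    raise ValueError("no ServerHello in capture")


def build_sample_server_hello(extensions: dict, version: int = 0x0301) -> bytes:
    """Construct a minimal ServerHello record (constructed test data, not a capture)."""
    body = struct.pack("!H", version) + bytes(32)        # version + all-zero random
    body += b"\x00"                                      # empty session_id
    body += b"\x00\x2f" + b"\x00"                        # AES128-SHA, no compression
    if extensions:
        blob = b"".join(struct.pack("!HH", t, len(d)) + d
                        for t, d in extensions.items())
        body += struct.pack("!H", len(blob)) + blob
    message = bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", HANDSHAKE, version, len(message)) + message


# Constructed samples: a build with heartbeats enabled, and one without.
SAMPLE_WITH_HEARTBEAT = build_sample_server_hello(
    {EXT_RENEGOTIATION: b"\x00", EXT_HEARTBEAT: b"\x01"})
SAMPLE_WITHOUT_HEARTBEAT = build_sample_server_hello({EXT_RENEGOTIATION: b"\x00"})

if __name__ == "__main__":
    for name, sample in (("with", SAMPLE_WITH_HEARTBEAT),
                         ("without", SAMPLE_WITHOUT_HEARTBEAT)):
        print(f"{name} heartbeat extension -> {heartbeat_mode(sample)}")
```

On a live service the capture would be the server's reply to a ClientHello that offered the extension, taken once per port (443, 465/587 after STARTTLS, 993, 995). A result of None is conclusive for that port; a mode value is a reason to verify the OpenSSL build and vendor patch level, not proof of exposure, which is also why Bill's caveat about load-balanced pools applies: each back-end can answer differently.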
Old 10 Apr 2014, 12:30 AM   #10
ioneja
Cornerstone of the Community
 
Join Date: Jul 2011
Posts: 713
Thank you for the info -- very helpful! This is apparently a very far-reaching bug indeed!

Of the ones I initially tested, if we take the word of the system admins (and I see no reason not to in this case), Luxsci, FastMail and Runbox have all stated publicly that they have patched their servers. That also adds to the confidence level.

If some other providers have announced that they have patched, please update this thread.
Old 10 Apr 2014, 02:35 AM   #11
fabule
Essential Contributor
 
Join Date: Jan 2005
Posts: 413

Representative of:
eumx.net
Quote:
Originally Posted by fabule
Eumx.net is patched and gets an A on the ssllabs test.
Issue is fixed, certificates are replaced as well. Please change your passwords.

Note: Only web services were affected at Eumx.net, but since private keys may have leaked we have replaced our keys and certs on all servers.

We did log research back to 1st January, and if we assume authenticated users are not hackers, it's quite unlikely we were attacked. But if someone had our private keys, he/she would be able to read live traffic from our servers, like when you are using the simple http protocol. The memory of our front-end web servers doesn't contain user data, passwords or emails. So to be able to sniff user data, passwords etc., an attacker would have to be able to record our traffic (ISP, transit providers and some 3-letter orgs... but not a talented guy at home).

Last edited by fabule : 10 Apr 2014 at 06:41 PM.
Old 10 Apr 2014, 03:24 AM   #12
Havokmon
Senior Member
 
Join Date: Apr 2003
Posts: 180

Representative of:
VFEmail.net
The filippo site wasn't very good when I tried using it. Here's a good link for testing all ports.
http://possible.lv/tools/hb/

VFEmail was patched 4/8.
Old 10 Apr 2014, 04:30 AM   #13
George_B
Cornerstone of the Community
 
Join Date: Jan 2008
Posts: 704

Representative of:
PolarisMail.com
All of our servers are configured against an older version of openssl which was not vulnerable.

This includes the basic webmail but not the Enhanced Webmail platform which was recently updated in order to provide the latest communication protocols. This was also true for the www.polarismail.com website. This bug did not affect our control panel, IMAP, SMTP or POP3 servers in any way.

We are in the process of replacing the certificates as well.

Edit: to clarify. Even if the bug was known to some for the past few years, all of our software is compiled against an older version of openssl which was never vulnerable.
We updated the Enhanced e-mail platform recently in order to support TLS for web communication and it turned out to be the vulnerable version. This means that only communication for the past 2-3 months might have been compromised and only for the Enhanced users. The Enhanced platform contains no details about user accounts except what it receives and passes on to our back-end IMAP servers. Enhanced users are thus recommended to change their passwords just to be safe.

Last edited by George_B : 10 Apr 2014 at 06:09 AM.
Old 10 Apr 2014, 06:24 AM   #14
Berenburger
The "e" in e-mail
 
Join Date: Sep 2004
Location: The Netherlands
Posts: 2,908
Pobox not vulnerable anymore.
http://blog.pobox.com/2014/04/heartb...-security.html
Old 10 Apr 2014, 11:17 AM   #15
jofallon
Junior Member
 
Join Date: Nov 2007
Posts: 26
Pobox not vulnerable

but working pretty slowly, at least for me. Possibly due to problems propagating the certificate info; I can't reach it reliably. No trouble with fastmail for me.
All times are GMT +9.