Email Comments, Questions and Miscellaneous: Share your opinion of the email service you're using. Post general email questions and discussions that don't fit elsewhere.
9 Apr 2014, 11:53 AM, #1
Cornerstone of the Community
Join Date: Jul 2011
Posts: 713
List of email providers who have patched for Heartbleed vulnerability!
Hi fellow email enthusiasts,
I've been reading about the Heartbleed vulnerability, and I decided to run some tests on a few email services I currently use, have used, or have considered using... please feel free to update this thread as email providers update (or DON'T update) their servers, as the case may be. I used https://www.ssllabs.com/ to see if they have updated their servers. For example, https://www.ssllabs.com/ssltest/anal...?d=fastmail.fm

List of services that have ALREADY updated their servers. As of about 2:30am GMT, here are some I tested:

Luxsci - PASS, and they have a great blog post about it. But they have not yet replaced their cert, which should be happening very soon.
Fastmail - PASS, and they have a quick blog post, AND they have replaced their cert! Well done! And fast, too.
Runbox - PASS, and they have replaced their cert! Well done! A forum post from Runbox staff confirms this as well.
MyKolab - PASS, but they have NOT replaced their cert. Not sure if they were ever vulnerable, not sure what version of OpenSSL they used, so maybe they don't need to replace their cert. Someone care to comment?
Tuffmail - PASS, but they have NOT replaced their cert. Not sure if they were ever vulnerable, though.
Polarismail - FAIL, ssllabs test says "This server is vulnerable to the Heartbleed attack. Grade set to F. (Experimental)" -- Please update this thread if someone finds out they've patched their server!

I didn't bother testing Microsoft/Office365 (for obvious reasons) or Google, since presumably they are not vulnerable or (in the case of Google) they have already patched, since they are one of the organizations that discovered the bug, to my understanding.

Please update the thread for your favorite (or not-so-favorite) providers...
9 Apr 2014, 01:26 PM, #2
Member
Join Date: Jun 2005
Posts: 58
Openmailbox is no longer vulnerable to the Heartbleed attack.
9 Apr 2014, 03:11 PM, #3
Master of the @
Join Date: Jan 2002
Location: Denmark
Posts: 1,302
Shouldn't we be testing the MX/SMTP/POP/IMAP servers instead of the web servers (e.g., fastmail.fm, runbox.com)?
9 Apr 2014, 04:53 PM, #4
The "e" in e-mail
Join Date: Sep 2004
Location: The Netherlands
Posts: 2,908
EUMX - FAIL, ssllabs test says "This server is vulnerable to the Heartbleed attack. Grade set to F. (Experimental)" -- Please update this thread if someone finds out they've patched their server!
https://www.ssllabs.com/ssltest/anal...d=ssl.eumx.net
9 Apr 2014, 05:01 PM, #5
The "e" in e-mail
Join Date: Sep 2004
Location: The Netherlands
Posts: 2,908
Quote:
OK, not vulnerable to the Heartbleed attack. (Experimental) but overall an F because:
Last edited by Berenburger : 9 Apr 2014 at 05:07 PM. Reason: added tuffmail.com
9 Apr 2014, 06:30 PM, #6
Essential Contributor
Join Date: Jan 2005
Posts: 413
Representative of:
eumx.net
Eumx.net is patched and gets an A on the ssllabs test.
9 Apr 2014, 08:56 PM, #7
Essential Contributor
Join Date: May 2012
Posts: 459
Rackspace Apps (email hosting plan) passes https://www.ssllabs.com/ssltest/anal...&s=69.20.91.24
Polarismail, when testing their Enhanced webmail login https://www.ssllabs.com/ssltest/anal...emailarray.com, does not pass.
9 Apr 2014, 11:22 PM, #8
Essential Contributor
Join Date: Jun 2010
Location: The Netherlands
Posts: 388
mail.ru, Yandex and Rambler are all NOT vulnerable :-)
Nice!! Source: https://github.com/musalbas/heartble...er/top1000.txt
Dutchie
10 Apr 2014, 12:25 AM, #9
Intergalactic Postmaster
Join Date: May 2004
Location: Irving, Texas
Posts: 8,930
Heartbleed affects many (but not all) devices and services
This is a very bad bug which could affect all networked secure communication. Think of it as malware installed in the operating system and BIOS of some devices - but we don't know which ones, since there are so many such devices we use. See more comments here: http://security.stackexchange.com/a/55121

So yes, both website and SMTP/IMAP/POP servers should be checked. Depending on the email service, the domains (and so the security certificates) may be different for web and SMTP/IMAP/POP connections. For example, Fastmail uses FastMail.fm for their website but messagingengine.com for email clients and email MTA-to-MTA connections.

Unfortunately (due to load sharing and other considerations) you can't be assured that all servers are patched by just running an external test a few times.

Some email servers do not encrypt MTA-to-MTA SMTP connections between email systems. So that connection is not subject to this bug, although any email communications could be monitored by others with access to that physical interface link.

The link given earlier to the Qualys SSL Labs tool only tests https secure website servers, so it can't tell you if an email server is susceptible to the Heartbleed bug, only webmail connections. The following tool seems to also test SMTP/IMAP/POP servers: http://filippo.io/Heartbleed/

Bill
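Bill's point above (web and mail-client hostnames, and so their certificates, can differ, and the SSL Labs page only exercises HTTPS) is why a provider check has to be run per port, and why "they replaced their cert" has to be verified on each port rather than assumed from the webmail one. The script below is an added example for this thread, not code from the forum or from any provider: it reaches TLS on each conventional mail port (implicit TLS on 443/465/993/995, STARTTLS on 25/587/143/110), pulls the leaf certificate with the standard library, and classifies it by whether its notBefore date falls on or after the 7 April 2014 disclosure. The port table, the host name and the two getpeercert()-style sample dicts are constructed for illustration; the network functions are only used in the live run.

```python
"""Per-port certificate check for a mail provider after Heartbleed.

Added example, not code from the thread or from any provider. The port
table, host names and sample certificate dicts are assumptions made for
illustration; only the Python standard library is used.
"""
import datetime as dt
import imaplib
import poplib
import smtplib
import socket
import ssl

# OpenSSL 1.0.1g and the public advisory shipped on 7 April 2014 (UTC).
# A certificate issued before that date says nothing about whether its key
# leaked; one issued on or after it is at least a fresh certificate.
HEARTBLEED_DISCLOSURE = dt.datetime(2014, 4, 7, tzinfo=dt.timezone.utc)

# Conventional mail ports and how TLS is reached on each (assumed; a
# provider may use other ports or omit some).
PORTS = {
    443: "tls",   # HTTPS / webmail
    465: "tls",   # SMTPS, implicit TLS
    993: "tls",   # IMAPS, implicit TLS
    995: "tls",   # POP3S, implicit TLS
    25: "smtp",   # MTA-to-MTA, STARTTLS (may be absent, as Bill notes)
    587: "smtp",  # submission, STARTTLS
    143: "imap",  # IMAP, STARTTLS
    110: "pop3",  # POP3, STARTTLS
}


def not_before(cert):
    """notBefore of an ssl.SSLSocket.getpeercert() dict as an aware UTC datetime."""
    secs = ssl.cert_time_to_seconds(cert["notBefore"])
    return dt.datetime.fromtimestamp(secs, dt.timezone.utc)


def classify(cert):
    """'reissued' if issued on or after disclosure day, else 'pre-disclosure'."""
    return "reissued" if not_before(cert) >= HEARTBLEED_DISCLOSURE else "pre-disclosure"


def same_certificate(a, b):
    """True when two getpeercert() dicts name the same certificate (issuer and
    serial), i.e. nothing was replaced between two probes of the same port."""
    return a.get("issuer") == b.get("issuer") and a.get("serialNumber") == b.get("serialNumber")


def fetch_cert(host, port, mode, timeout=10):
    """Fetch the leaf certificate on one port, doing STARTTLS where the
    protocol needs it. Needs network; not exercised by the offline samples."""
    ctx = ssl.create_default_context()
    if mode == "tls":
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.getpeercert()
    if mode == "smtp":
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.starttls(context=ctx)  # SMTPNotSupportedError if the MTA offers no STARTTLS
            return smtp.sock.getpeercert()
    if mode == "imap":
        imap = imaplib.IMAP4(host, port, timeout=timeout)
        try:
            imap.starttls(ssl_context=ctx)
            return imap.sock.getpeercert()
        finally:
            imap.logout()
    if mode == "pop3":
        pop = poplib.POP3(host, port, timeout=timeout)
        try:
            pop.stls(context=ctx)
            return pop.sock.getpeercert()
        finally:
            pop.quit()
    raise ValueError(f"unknown TLS mode {mode!r} for port {port}")


def check_provider(host, ports=PORTS):
    """Probe each port once. Returns {port: 'reissued' | 'pre-disclosure' | 'error: ...'}.
    Behind a load balancer one run sees one node, so repeat and compare."""
    results = {}
    for port, mode in ports.items():
        try:
            results[port] = classify(fetch_cert(host, port, mode))
        except (OSError, smtplib.SMTPException, imaplib.IMAP4.error, poplib.error_proto) as exc:
            results[port] = f"error: {exc}"
    return results


# Constructed getpeercert()-style dicts standing in for a live result; not real certificates.
SAMPLE_OLD = {
    "subject": ((("commonName", "mail.example.net"),),),
    "issuer": ((("commonName", "Example CA"),),),
    "serialNumber": "0A1B2C",
    "notBefore": "Jan  5 00:00:00 2014 GMT",
    "notAfter": "Jan  5 23:59:59 2015 GMT",
}
SAMPLE_NEW = dict(SAMPLE_OLD, serialNumber="0A1B2D",
                  notBefore="Apr  8 12:00:00 2014 GMT",
                  notAfter="Apr  8 12:00:00 2015 GMT")

if __name__ == "__main__":
    for name, cert in (("old", SAMPLE_OLD), ("new", SAMPLE_NEW)):
        print(name, classify(cert))
    # Live run against a real provider (needs network):
    # print(check_provider("mail.example.net"))
```

Two caveats a practitioner should keep in mind when reading the result. A reissued certificate only proves that a new certificate was issued; if the provider re-used the old key pair, the new certificate is signed over a key that may already have leaked, so compare the public key (or at least the key fingerprint) with the pre-disclosure certificate before trusting it. And as Bill says, a pool behind a load balancer can serve a patched and an unpatched node on consecutive connections, so run the check several times and use same_certificate() to see whether you are seeing one certificate or several.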
10 Apr 2014, 12:30 AM, #10
Cornerstone of the Community
Join Date: Jul 2011
Posts: 713
Thank you for the info -- very helpful! This is apparently a very far-reaching bug indeed!
Of the ones I initially tested, if we take the word of the system admins (and I see no reason not to in this case), Luxsci, FastMail and Runbox have all stated publicly that they have patched their servers. That also adds to the confidence level. If some other providers have announced that they have patched, please update this thread.
10 Apr 2014, 02:35 AM, #11
Essential Contributor
Join Date: Jan 2005
Posts: 413
Representative of:
eumx.net
Issue is fixed, certificates are replaced as well. Please change your passwords.
Note: Only web services were affected at Eumx.net, but since private keys may have leaked, we replaced our keys and certs on all servers. We did log research going back to 1st January, and if we assume authenticated users are not hackers, it's quite unlikely we were attacked. But if someone had our private keys, he/she would have been able to read live traffic from our servers, as when you are using the simple http protocol. The memory of our front-end web servers doesn't contain user data, passwords or emails. So to be able to sniff user data, passwords etc., an attacker would need to be able to record our traffic (ISP, transit providers and some three-letter orgs... but not a talented guy at home).
Last edited by fabule : 10 Apr 2014 at 06:41 PM.
10 Apr 2014, 03:24 AM, #12
Senior Member
Join Date: Apr 2003
Posts: 180
Representative of:
VFEmail.net
The filippo site wasn't very good when I tried using it. Here's a good link for testing all ports.
http://possible.lv/tools/hb/
VFEmail was patched 4/8.
10 Apr 2014, 04:30 AM, #13
Cornerstone of the Community
Join Date: Jan 2008
Posts: 704
Representative of:
PolarisMail.com
All of our servers are configured against an older version of openssl which was not vulnerable.
This includes the basic webmail but not the Enhanced Webmail platform, which was recently updated in order to provide the latest communication protocols. This was also true for the www.polarismail.com website. This bug did not affect our control panel, IMAP, SMTP or POP3 servers in any way. We are in the process of replacing the certificates as well.

Edit: to clarify. Even if the bug was known to some for the past few years, all of our software is compiled against an older version of openssl which was never vulnerable. We updated the Enhanced e-mail platform recently in order to support TLS for web communication, and it turned out to be the vulnerable version. This means that only communication for the past 2-3 months might have been compromised, and only for the Enhanced users. The Enhanced platform contains no details about user accounts except what it receives and passes on to our back-end IMAP servers. Enhanced users are thus recommended to change their passwords just to be safe.
Last edited by George_B : 10 Apr 2014 at 06:09 AM.
10 Apr 2014, 06:24 AM, #14
The "e" in e-mail
Join Date: Sep 2004
Location: The Netherlands
Posts: 2,908
10 Apr 2014, 11:17 AM, #15
Junior Member
Join Date: Nov 2007
Posts: 26
Pobox not vulnerable
but working pretty slowly, at least for me. Possibly due to problems propagating the certificate info; I can't reach it reliably. No trouble with Fastmail for me.