On 8.4.2014, at 20.00, John Rowe J.M.Rowe@exeter.ac.uk wrote:
Do we know if dovecot is vulnerable to the heartbleed SSL problem?
It may be possible that the attacker was able to get the SSL private key(s), although this depends on the OS and its memory allocation patterns. If you use only a single SSL cert I think it might be possible that it doesn't leak with Dovecot, but it's definitely not a good idea to trust that. I haven't anyway looked closely enough into this to verify, I'm just guessing based on the information in http://blog.existentialize.com/diagnosis-of-the-openssl-heartbleed-bug.html
By default Dovecot's login processes run in the "high security mode" where each IMAP/POP3 connection runs in its own process. This was done especially to avoid security bugs in OpenSSL from leaking users' passwords. So unless you have switched to the "high performance mode", users' passwords or other sensitive data couldn't have been leaked. http://wiki2.dovecot.org/LoginProcess
Would be nice if it was possible to hide the SSL private keys to separate processes as well, but that would probably require changes to OpenSSL itself.
(BTW. I've been too busy recently to even have time to read any mails in Dovecot list. I'll try to go through at least most of it before making the next Dovecot release. And hopefully by summer I've more time again.)