On 08.04.2014 21:38, lst_hoe02@kwsoft.de wrote:
Quoting Jakob Curdes jc@info-systems.de:
On 08.04.2014 19:00, John Rowe wrote:
Do we know if dovecot is vulnerable to the heartbleed SSL problem?
I'm running dovecot-2.0.9 and openssl-1.01, the latter being intrinsically vulnerable. An on-line tool says that my machine is not affected on port 993 but it would be nice to know for sure if we were vulnerable for a while. (Naturally I've blocked it anyway!).
Usually all programs are linked dynamically to the library, so the vulnerability depends on the library only. If you updated the library today and restarted the service (!!) then it is very likely that your mail installation is not vulnerable any more. Otherwise it is very likely to be vulnerable, regardless of what tests say. JC
Be aware that your private key might already have leaked without any notice. So your best bet is to withdraw your certificates and renew all keys/certificates on the affected machines.
Correct, that was my whole-day job from 10:00 AM to 16:00 PM for 10 certificates, followed by openvpn-keys. Better safe than sorry. Luckily some wildcard certs in the meantime instead of a ton of single ones.
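
An added example, not part of the thread: the "restarted the service" condition above can be checked on Linux by listing processes that still map a libssl/libcrypto file that has since been replaced on disk, which `/proc/<pid>/maps` marks as `(deleted)`. The function names and the `--scan` argument are this example's own.

```shell
#!/bin/sh
# Find processes still running with a pre-update OpenSSL library mapped.
# After a package update replaces the .so on disk, processes that were not
# restarted keep the old file mapped; the kernel shows it as "(deleted)".

# stale_tls_libs MAPS_FILE
# Print each distinct deleted libssl/libcrypto path in a maps-format file.
stale_tls_libs() {
    awk '
        # maps line: address perms offset dev inode pathname [(deleted)]
        $NF == "(deleted)" && $(NF-1) ~ "/lib(ssl|crypto)[^/]*[.]so" {
            if (!seen[$(NF-1)]++) print $(NF-1)
        }
    ' "$1"
}

# scan_proc [PROC_ROOT]
# Print "pid<TAB>command<TAB>library" for every affected process.
# Returns 0 if at least one process needs a restart, 1 if none was found.
scan_proc() {
    root=${1:-/proc}
    rc=1
    for maps in "$root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue          # needs root to see other users' processes
        libs=$(stale_tls_libs "$maps" 2>/dev/null)
        [ -n "$libs" ] || continue
        pid=${maps%/maps}
        pid=${pid##*/}
        name=$(cat "$root/$pid/comm" 2>/dev/null || echo '?')
        for lib in $libs; do
            printf '%s\t%s\t%s\n' "$pid" "$name" "$lib"
        done
        rc=0
    done
    return $rc
}

# Run against the live system only when asked to: sh thisfile.sh --scan
if [ "${1:-}" = "--scan" ]; then
    scan_proc /proc || echo "no process maps a deleted libssl/libcrypto"
fi
```

An empty result only shows that no running process maps a replaced shared library; it says nothing about statically linked binaries or about keys that may already have leaked.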