OpenSSL Security Advisory [25 March 2021]

Meister
Normal user
Posts: 82
Joined: 2005-11-10 16:48

OpenSSL Security Advisory [25 March 2021]

Post by Meister » 2021-03-25 17:45

https://www.openssl.org/news/secadv/20210325.txt

What do you think? Should somebody build a new beta version? And may it be a non-beta, for users who do not want to use beta software?

mattg
Moderator
Posts: 21529
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: OpenSSL Security Advisory [25 March 2021]

Post by mattg » 2021-03-26 00:28

Certificate validation is hardly used in hMailServer, even when the 'validate certificates' switch is selected.

It is only used for outgoing mail covered by SMTP routes, and for POP3 external download.
It is not used for ANY normal outgoing mail, or for any incoming SMTP connections.

Additionally, that security advisory says in part:
In order to be affected, an application must explicitly set the X509_V_FLAG_X509_STRICT verification flag and either not set a purpose for the certificate verification or, in the case of TLS client or server applications, override the default purpose.
hMailServer would need to deliberately override the OpenSSL defaults.

I'm not sure that this is a big issue for us
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

RvdH
Senior user
Posts: 1506
Joined: 2008-06-27 14:42
Location: Netherlands

Re: OpenSSL Security Advisory [25 March 2021]

Post by RvdH » 2021-03-26 10:17

@Meister

Next time you'd better open a GitHub issue for security/vulnerability-related questions:
https://github.com/hmailserver/hmailserver/issues/352
CIDR to RegEx: d-fault.nl/CIDRtoRegEx
DNS Lookup: d-fault.nl/DNSTools
DNSBL Lookup: d-fault.nl/DNSBLLookup
GEOIP Lookup: d-fault.nl/GeoipLookup

Meister
Normal user
Posts: 82
Joined: 2005-11-10 16:48

Re: OpenSSL Security Advisory [25 March 2021]

Post by Meister » 2021-03-30 11:47

Oh, ok, sorry.

RvdH
Senior user
Posts: 1506
Joined: 2008-06-27 14:42
Location: Netherlands

Re: OpenSSL Security Advisory [25 March 2021]

Post by RvdH » 2021-03-30 12:38

Meister wrote:
2021-03-30 11:47
Oh, ok, sorry.
Not a big issue... but Martin (the author) isn't a frequent visitor of the forums, and when doing it through GitHub he automatically gets a notification of the GitHub issue.

5.6.8 - Build 2538 (BETA) is updated with OpenSSL 1.1.1k

andreasRu
New user
Posts: 5
Joined: 2021-03-30 12:34

Re: OpenSSL Security Advisory [25 March 2021]

Post by andreasRu » 2021-03-30 13:28

@RvdH

We are currently migrating to hMailServer and I've absolutely no experience with hMailServer's build/release policy, so please excuse me in case this question is unfortunate. I'm posting my question here and to you because, primarily, my issue is also related to the "OpenSSL Security Advisory", and secondly you seem to be very experienced with hMailServer and this forum.

There have been plenty of new beta builds since the latest stable version for production, 5.6.7 - Build 2425 (2017-12-14), the latest beta being the build that fixes the above-mentioned security issue with the OpenSSL 1.1.1k upgrade (dated 2021-03-28). It's great to see that the author Martin gets active very quickly by updating the core, merging the build and deploying the builds as beta to the download archive.

Now my question: I know these latest builds are officially beta and NOT released for stable production. But what is your experience? What would you and other experienced hMailServer admins usually do in such cases involving OpenSSL security fixes? Do they tend to install these latest betas over stable because of the OpenSSL security implications? Are these beta builds too risky to use for production? Or would you tend to say: "no prob, I'd use it in production, watch out for the debug logs carefully and downgrade if necessary"?

Thanks for any insights,

RvdH
Senior user
Posts: 1506
Joined: 2008-06-27 14:42
Location: Netherlands

Re: OpenSSL Security Advisory [25 March 2021]

Post by RvdH » 2021-03-30 14:02

I have no idea why 5.6.7 - Build 2425 2017-12-14 is still listed as the current version; it differs from the latest 5.6.8 release, as in that build SSL 3.0 is removed completely and TLS 1.2 is added.

Many (most) of us use 5.6.8 without issues

andreasRu
New user
Posts: 5
Joined: 2021-03-30 12:34

Re: OpenSSL Security Advisory [25 March 2021]

Post by andreasRu » 2021-03-30 14:39

Many (most) of us use 5.6.8 without issues
That was what I thought, and that is what the hMailServer commit history on GitHub reflects. Going to upgrade to the latest 5.6.8 build. Thank you!!! Really appreciate you taking your time for your help.

Meister
Normal user
Posts: 82
Joined: 2005-11-10 16:48

Re: OpenSSL Security Advisory [25 March 2021]

Post by Meister » 2021-03-30 14:58

I have been using the latest beta for years without any issue.

Bob.Dig
Normal user
Posts: 58
Joined: 2020-06-29 09:18
Location: Berlin

Re: OpenSSL Security Advisory [25 March 2021]

Post by Bob.Dig » 2021-04-06 16:58

So it is fixed for the "beta" but still not for 5.7 "development"?
Because of this I downgraded to 5.6.8, but it is only 32-bit and stuff..

SorenR
Senior user
Posts: 4706
Joined: 2006-08-21 15:38
Location: Denmark

Re: OpenSSL Security Advisory [25 March 2021]

Post by SorenR » 2021-04-06 17:51

Bob.Dig wrote:
2021-04-06 16:58
So it is fixed for the "beta" but still not for 5.7 "development"?
Because of this I downgraded to 5.6.8, but it is only 32-bit and stuff..
If you want a 5.6.8 release with the same features as 5.7 (only 32-bit) you need to use RvdH's version of 5.6.8-B2538.

viewtopic.php?p=228140#p228140
SørenR.

Algorithm (noun.)
Word used by programmers when they do not want to explain what they did.

Bob.Dig
Normal user
Posts: 58
Joined: 2020-06-29 09:18
Location: Berlin

Re: OpenSSL Security Advisory [25 March 2021]

Post by Bob.Dig » 2021-04-06 19:45

SorenR wrote:
2021-04-06 17:51
If you want a 5.6.8 release with the same features as 5.7 (
Actually I would have preferred to have 5.7 with the OpenSSL fix.
So we are back at "TeamCity" I guess. Is there a version of 5.7 with the fix?

Bob.Dig
Normal user
Posts: 58
Joined: 2020-06-29 09:18
Location: Berlin

Re: OpenSSL Security Advisory [25 March 2021]

Post by Bob.Dig » 2021-04-06 20:35

Now I noticed that the old version was probably not running correctly with my export, although the built-in test had all green lights.
So I installed the newest from "TeamCity", hoping it has the fix, and imported my export again, losing one day.

SorenR
Senior user
Posts: 4706
Joined: 2006-08-21 15:38
Location: Denmark

Re: OpenSSL Security Advisory [25 March 2021]

Post by SorenR » 2021-04-06 22:17

Bob.Dig wrote:
2021-04-06 20:35
Now I noticed that the old version was probably not running correctly with my export, although the built-in test had all green lights.
So I installed the newest from "TeamCity", hoping it has the fix, and imported my export again, losing one day.
The B2555 is no different from B2538 except for some changes in the system test procedures that you don't get to see anyway, so you could have stayed with the B2538 from the download page.
What I am referring to are all the enhancements to 5.7, like the event "OnHELO" and some 22 other fixes that were moved from RvdH's version 5.6.8 to the official 5.7.

Bob.Dig
Normal user
Posts: 58
Joined: 2020-06-29 09:18
Location: Berlin

Re: OpenSSL Security Advisory [25 March 2021]

Post by Bob.Dig » 2021-04-06 22:24

SorenR wrote:
2021-04-06 22:17
so you could have stayed with the B2538 from the download page.
I was at 5.7 all the time, but it looks like there is no OpenSSL Fix for that. Because of that I downgraded to B2538, which is 5.6.8, to later find out that it was not compatible with my export and so on.

SorenR
Senior user
Posts: 4706
Joined: 2006-08-21 15:38
Location: Denmark

Re: OpenSSL Security Advisory [25 March 2021]

Post by SorenR » 2021-04-06 22:58

Bob.Dig wrote:
2021-04-06 22:24
SorenR wrote:
2021-04-06 22:17
so you could have stayed with the B2538 from the download page.
I was at 5.7 all the time, but it looks like there is no OpenSSL Fix for that. Because of that I downgraded to B2538, which is 5.6.8, to later find out that it was not compatible with my export and so on.
These are the (MySQL) database changes from 5601 to 5700.

insert into hm_settings (settingname, settingstring, settinginteger) values ('ImapMasterUser', '', 0);
insert into hm_settings (settingname, settingstring, settinginteger) values ('ImapAuthAllowPlainText', '', 0);
insert into hm_settings (settingname, settingstring, settinginteger) values ('EnableImapSASLPlain', '', 0);
insert into hm_settings (settingname, settingstring, settinginteger) values ('EnableImapSASLInitialResponse', '', 0);
update hm_dbversion set value = 5700;
I would claim that the only showstopper is this:

update hm_dbversion set value = 5700;
The other changes do not affect 5.6.8 in any way.

On a 5.6.8 system this is true:

update hm_dbversion set value = 5601;
I don't have a spare 64-bit system to try a downgrade from 5.7 to 5.6.8 so I can't verify it can be done or not.

jimimaseye
Moderator
Posts: 9176
Joined: 2011-09-08 17:48

Re: OpenSSL Security Advisory [25 March 2021]

Post by jimimaseye » 2021-04-06 23:25

I remember installing 5.6.x over the top of experimental 5.7 (which we have already identified as creating the SASL related tables) and it was without problem.

[Entered by mobile. Excuse my spelling.]
5.7 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

mattg
Moderator
Posts: 21529
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: OpenSSL Security Advisory [25 March 2021]

Post by mattg » 2021-04-07 00:39

Bob.Dig wrote:
2021-04-06 20:35
Now I noticed that the old version was probably not running correctly with my export, although the built-in test had all green lights.
So I installed the newest from "TeamCity", hoping it has the fix, and imported my export again, losing one day.
Yes, there is a new TeamCity version for 5.7, build number #2556

My database version is 5700
(You can view this in the hmailserver admin GUI, under status)

Bob.Dig
Normal user
Posts: 58
Joined: 2020-06-29 09:18
Location: Berlin

Re: OpenSSL Security Advisory [25 March 2021]

Post by Bob.Dig » 2021-04-07 09:12

mattg wrote:
2021-04-07 00:39
Yes, there is a new TeamCity version for 5.7, build number #2556
But does it have this fix? I can't see this by just reading the "changes" there.

@jimimaseye I really have no intention to run an older version than 5.7, but I did because I couldn't find the OpenSSL fix for it. Anyhow, I backed up my complete config from 5.7, uninstalled it, installed 5.6.8 and restored the backup.
At first it looked fine, but later I noticed in my pfSense that email from this forum couldn't reach me, because the sending IP got blocked for being listed in dnsbl-3.uceprotect.net. What normally happens then is that it would be sent to my backup MX, which is the instance I had downgraded, which has no pfSense in front, and that would send me the mail after some time gap because of grey-listing. But it didn't. This instance only has routes configured, no "Domains". So that is when I noticed it is not running correctly.
But again, I don't want to run it, I want 5.7 with the latest OpenSSL fix.

SorenR
Senior user
Posts: 4706
Joined: 2006-08-21 15:38
Location: Denmark

Re: OpenSSL Security Advisory [25 March 2021]

Post by SorenR » 2021-04-07 09:50

Bob.Dig wrote:
2021-04-07 09:12
mattg wrote:
2021-04-07 00:39
Yes, there is a new TeamCity version for 5.7, build number #2556
But does it have this fix? I can't see this by just reading the "changes" there.

@jimimaseye I really have no intention to run an older version than 5.7, but I did because I couldn't find the OpenSSL fix for it. Anyhow, I backed up my complete config from 5.7, uninstalled it, installed 5.6.8 and restored the backup.
At first it looked fine, but later I noticed in my pfSense that email from this forum couldn't reach me, because the sending IP got blocked for being listed in dnsbl-3.uceprotect.net. What normally happens then is that it would be sent to my backup MX, which is the instance I had downgraded, which has no pfSense in front, and that would send me the mail after some time gap because of grey-listing. But it didn't. This instance only has routes configured, no "Domains". So that is when I noticed it is not running correctly.
But again, I don't want to run it, I want 5.7 with the latest OpenSSL fix.
If by "the fix" you mean OpenSSL 1.1.1k then all you need to do is go to .\hMailServer\bin and right-click on "libssl-1_1.dll", select "properties" and then "details" ... It will tell you product version and build date.
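The same check as a script, added here as an example and not code from the thread or from hMailServer: it reads the version resource of libssl-1_1.dll (what the Explorer "Details" tab shows) and compares it against 1.1.1k, treating the trailing letter as a patch level so that 1.1.1j sorts below 1.1.1k. The install path and the assumption that the DLL's ProductVersion string starts with "1.1.1k" are mine; adjust them to your installation.

```powershell
# Added example: verify the OpenSSL DLL that hMailServer loads is at least 1.1.1k.
# The default path below is an assumption; pass -HmsBin for a non-default install.
param(
    [string]$HmsBin = 'C:\Program Files (x86)\hMailServer\Bin',
    [string]$Required = '1.1.1k'
)

# Turn an OpenSSL 1.x version string such as "1.1.1k" into a sortable array of
# integers. The optional trailing letter is the patch level: a=1, b=2, ... k=11.
function ConvertTo-OpenSslVersionParts {
    param([Parameter(Mandatory)][string]$Version)
    if ($Version -notmatch '^(\d+)\.(\d+)\.(\d+)([a-z]?)') {
        throw "Unrecognised OpenSSL version string: '$Version'"
    }
    $patch = if ($Matches[4]) { [int][char]$Matches[4] - [int][char]'a' + 1 } else { 0 }
    return @([int]$Matches[1], [int]$Matches[2], [int]$Matches[3], $patch)
}

# Comparator: -1 if Left is older than Right, 0 if equal, 1 if newer.
function Compare-OpenSslVersion {
    param([string]$Left, [string]$Right)
    $l = ConvertTo-OpenSslVersionParts $Left
    $r = ConvertTo-OpenSslVersionParts $Right
    for ($i = 0; $i -lt 4; $i++) {
        if ($l[$i] -lt $r[$i]) { return -1 }
        if ($l[$i] -gt $r[$i]) { return 1 }
    }
    return 0
}

$dll = Join-Path $HmsBin 'libssl-1_1.dll'
if (-not (Test-Path $dll)) {
    Write-Error "OpenSSL DLL not found at $dll"
    exit 2
}

# Same data as the Explorer 'Details' tab, read from the PE version resource.
# Assumption: OpenSSL's Windows build fills ProductVersion with e.g. "1.1.1k";
# fall back to FileVersion if a build left ProductVersion empty.
$info = (Get-Item $dll).VersionInfo
$installed = $info.ProductVersion
if (-not $installed) { $installed = $info.FileVersion }
$installed = $installed.Trim()

Write-Host "libssl-1_1.dll: product version '$installed', file version '$($info.FileVersion)'"
Write-Host "Last modified : $((Get-Item $dll).LastWriteTime)"

if ((Compare-OpenSslVersion -Left $installed -Right $Required) -ge 0) {
    Write-Host "OK: OpenSSL $installed is at or above $Required (the 25 March 2021 advisory release)."
    exit 0
}
Write-Warning "OpenSSL $installed is older than $Required; this build still ships a pre-advisory OpenSSL."
exit 1
```

Run it once after every beta or TeamCity upgrade; the exit code (0 current, 1 outdated, 2 DLL missing) makes it usable from a scheduled task or monitoring check.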

Bob.Dig
Normal user
Posts: 58
Joined: 2020-06-29 09:18
Location: Berlin

Re: OpenSSL Security Advisory [25 March 2021]

Post by Bob.Dig » 2021-04-07 10:02

SorenR wrote:
2021-04-07 09:50
... It will tell you product version and build date.
Thank you Soren, now I can sleep well! :wink:

RvdH
Senior user
Posts: 1506
Joined: 2008-06-27 14:42
Location: Netherlands

Re: OpenSSL Security Advisory [25 March 2021]

Post by RvdH » 2021-04-07 10:19

Bob.Dig wrote:
2021-04-07 09:12
But again, I don't want to run it, I want 5.7 with the latest OpenSSl Fix.
Just don't come whining here if something does not work as expected; 5.7 is ALPHA and not officially ready to be used in production environments.

Bob.Dig
Normal user
Posts: 58
Joined: 2020-06-29 09:18
Location: Berlin

Re: OpenSSL Security Advisory [25 March 2021]

Post by Bob.Dig » 2021-04-07 11:20

RvdH wrote:
2021-04-07 10:19
Just don't come whining here
I run it all the time without problems, but I will whine here, if I find a bug/problem. And if no one comes back at me, I now know why.

Thanks guys!

katip
Senior user
Posts: 904
Joined: 2006-12-22 07:58
Location: Istanbul

Re: OpenSSL Security Advisory [25 March 2021]

Post by katip » 2021-04-10 20:07

After a few VM snapshots and returns...
How to fall back from the x64 build to the recent 32-bit beta (with MySQL/MariaDB):

run HMS backup in full (incl. messages)
uninstall HMS
copy 32-bit libmysql.dll to \bin
install HMS recent beta
run hMailServer Database Setup and create a new database
restore HMS backup in full
restart service

It seems this is the only path to follow.
Backing up/restoring the HMS config only and running DDS, or restoring from an SQL dump, doesn't work.
To get back config and messages, the HMS backup/restore must be in full, incl. messages.
May be unpleasant for larger setups, but apparently there is no other way.
Katip
--
HMS 5.7.0, MariaDB 10.4.10, SA 3.4.2, ClamAV 0.103.2

SorenR
Senior user
Posts: 4706
Joined: 2006-08-21 15:38
Location: Denmark

Re: OpenSSL Security Advisory [25 March 2021]

Post by SorenR » 2021-04-10 20:48

katip wrote:
2021-04-10 20:07
After a few VM snapshots and returns...
How to fall back from the x64 build to the recent 32-bit beta (with MySQL/MariaDB):

run HMS backup in full (incl. messages)
uninstall HMS
copy 32-bit libmysql.dll to \bin
install HMS recent beta
run hMailServer Database Setup and create a new database
restore HMS backup in full
restart service

It seems this is the only path to follow.
Backing up/restoring the HMS config only and running DDS, or restoring from an SQL dump, doesn't work.
To get back config and messages, the HMS backup/restore must be in full, incl. messages.
May be unpleasant for larger setups, but apparently there is no other way.
What if you change hm_dbversion to 5601 and install 5.6.8 over the existing? With a 32-bit database driver...

katip
Senior user
Posts: 904
Joined: 2006-12-22 07:58
Location: Istanbul

Re: OpenSSL Security Advisory [25 March 2021]

Post by katip » 2021-04-10 22:52

SorenR wrote:
2021-04-10 20:48
What if you change hm_dbversion to 5601 and install 5.6.8 over the existing? With a 32-bit database driver...
uninstall
change hm_dbversion to 5601
change libmysql.dll in \bin
clean 32-bit install
It worked! :idea:

SorenR
Senior user
Posts: 4706
Joined: 2006-08-21 15:38
Location: Denmark

Re: OpenSSL Security Advisory [25 March 2021]

Post by SorenR » 2021-04-10 23:44

katip wrote:
2021-04-10 22:52
SorenR wrote:
2021-04-10 20:48
What if you change hm_dbversion to 5601 and install 5.6.8 over the existing? With a 32-bit database driver...
uninstall
change hm_dbversion to 5601
change libmysql.dll in \bin
clean 32-bit install
It worked! :idea:
I guess it only works if hmailserver.ini is not deleted.

katip
Senior user
Posts: 904
Joined: 2006-12-22 07:58
Location: Istanbul

Re: OpenSSL Security Advisory [25 March 2021]

Post by katip » 2021-04-11 01:17

SorenR wrote:
2021-04-10 23:44
katip wrote:
2021-04-10 22:52
SorenR wrote:
2021-04-10 20:48
What if you change hm_dbversion to 5601 and install 5.6.8 over the existing? With a 32-bit database driver...
uninstall
change hm_dbversion to 5601
change libmysql.dll in \bin
clean 32-bit install
It worked! :idea:
I guess it only works if hmailserver.ini is not deleted.
Yes of course, forgot to mention. Uninstall keeps it anyway.
Thanks for the tip about 5601 btw..

SorenR
Senior user
Posts: 4706
Joined: 2006-08-21 15:38
Location: Denmark

Re: OpenSSL Security Advisory [25 March 2021]

Post by SorenR » 2021-04-11 01:36

katip wrote:
2021-04-11 01:17
SorenR wrote:
2021-04-10 23:44
katip wrote:
2021-04-10 22:52

uninstall
change hm_dbversion to 5601
change libmysql.dll in \bin
clean 32-bit install
It worked! :idea:
I guess it only works if hmailserver.ini is not deleted.
Yes of course, forgot to mention. Uninstall keeps it anyway.
Thanks for the tip about 5601 btw..
I have 3 ground rulez in life ... 1: Shortcut ... 2: Hack it ... 3: Hard work ... which ever is using the least calories :mrgreen:

mattg
Moderator
Posts: 21529
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: OpenSSL Security Advisory [25 March 2021]

Post by mattg » 2021-04-11 06:31

Bob.Dig wrote:
2021-04-07 09:12
mattg wrote:
2021-04-07 00:39
Yes, there is a new TeamCity version for 5.7, build number #2556
But does it have this fix? I can't see this by just reading the "changes" there....

But again, I don't want to run it, I want 5.7 with the latest OpenSSl Fix.
Assuming that you want the latest version of OpenSSL:

Looking at the full build log on TeamCity, I can see that 5.7 is built on OpenSSL v1.1.1k, which matches the advisory notice.
https://build.hmailserver.com/downloadB ... ildId=1234

Bob.Dig
Normal user
Posts: 58
Joined: 2020-06-29 09:18
Location: Berlin

Re: OpenSSL Security Advisory [25 March 2021]

Post by Bob.Dig » 2021-04-11 09:59

mattg wrote:
2021-04-11 06:31
Looking at the full build log on TeamCity, I can see that 5.7 is built on OpenSSL v1.1.1k, which matches the advisory notice.
https://build.hmailserver.com/downloadB ... ildId=1234
Interesting, another way to find out what is used, thank you.
RvdH wrote:
2021-04-07 10:19
Just don't come whining here if something does not work as expected,
Got you wrong first time. I will not come whining but just file a bug report.
Thank you for enriching this nice software.
