We are rebuilding the last stable release with the new
libraries now, so approximately 2 hours all going well.
In terms of fixing the bug in the beta build - I won't know till we
find it, but I would expect some time late today if I can get a sample
message that causes the problem and reproduce it locally, then I'm fairly
confident it won't be hard to find the cause. If the problem is
intermittent or related to messages other than the one that fails, then it might
take another day or two to find the cause. I'd lay odds we'll find
it before the day is out as a best guess.
From: surgemail-support [mailto:firstname.lastname@example.org]
Sent: Wednesday, April 09, 2014 5:06 PM
Subject: re: Re: [SurgeMail List] CVE-2014-0160 a. k. a.Heartbleed
Hmmm, I don't get the logic of 'turning off ssl2' to increase security,
so then a client that can only use ssl2 has to use plain text, which is
definitely not as secure as ssl2.... :-) But anyway, it's a bit accademic as
old clients that require ssl2 probably hardly exist anymore.
This setting will help with your score... (restart surgemail after
Once we have the new builds stable then an upgrade and some more setting
will get you a higher rating. I suggest you wait until next week if you don't
have an immediate problem.
When I run:
on my SurgeMail server it gets an F grade.
It is running on a Windows server box and only Surgemail uses port 443
SurgeMail Version 6.5a-1, Built Sep 9 2013 12:52:22, Platform Windows
In particular, the test notes that:
* This server is not vulnerable to the Heartbleed attack. (Yay!)
* This server supports SSL 2, which is obsolete and insecure. Grade set
to F. (Boo!)
* The server supports only older protocols, but not the current best TLS
1.2. Grade capped to B. (Boo!)
Is there any way to harden SurgeMail to raise these ratings? A
Surgemail.ini setting or two? Or does in need a new build?