Will McAfee release a statement as to whether IronMail (MEG) 6.7.2 is vulnerable to "Heartbleed" OpenSSL vulnerability?
(IronMail is EOL and unsupported as of 3/31/14.)
I am still waiting on McAfee to give some info regarding 7.5.x.
I have done some initial testing of 6.7.2 HF4+ and they appear to NOT be vulnerable thus far. It looks like the OpenSSL implementation is older, and thus doesn't present extension 15.
Run the following from an external machine:
openssl s_client -connect smtp-server.domain.x:443 -tlsextdebug | grep 'heartbeat'
openssl s_client -connect secure-web-mail.domain.x:25 -starttls smtp -tlsextdebug | grep 'heartbeat'
Doesn't show that OpenSSL has extended extensions (meaning OpenSSL is too old).
Versions that support the extension (and thus need additional checking to see if vulnerable) show as:
TLS server extension "heartbeat" (id=15), len=1
IronMail 6.7.2 HF7 still uses a much older version of OpenSSL:
[ct_maint@im02 ~]$ openssl version
OpenSSL 0.9.8n 24 Mar 2010
Versions 1.0.0 and earlier do not have the vulnerability.
Out of the box, MEG 7.5 and 7.6 were vulnerable, but hotfixes have been released to address the issue. MEG-7.5h960401-2846.114.zip and MEG-7.6h960405-2810.114.zip respectively, both released April 11th.
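The two checks discussed in this thread (the s_client extension probe and the `openssl version` output) combined into one triage script, as an added example that is not part of any of the posts above. The function names `heartbeat_advertised`, `classify_version` and `triage` are hypothetical, the sample s_client output is constructed, and the affected release range (1.0.1 through 1.0.1f, plus 1.0.2-beta1) is supplied here rather than taken from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): triage of the two outputs discussed above.

# Exit 0 if `openssl s_client -tlsextdebug` output on stdin shows the server
# echoing the heartbeat extension. A server only echoes extensions the client
# offered, so the probing s_client must itself offer heartbeat.
heartbeat_advertised() {
    grep -Fq 'TLS server extension "heartbeat" (id=15)'
}

# Classify an `openssl version` line. Heartbleed affects 1.0.1 through 1.0.1f
# and 1.0.2-beta1; vendors may backport the fix without changing the letter.
classify_version() {
    ver=$(printf '%s\n' "$1" | awk '$1 == "OpenSSL" { print $2; exit }')
    case "$ver" in
        "")                echo unknown ;;
        1.0.1|1.0.1[a-f])  echo affected-range ;;
        1.0.2-beta1)       echo affected-range ;;
        *)                 echo outside-range ;;
    esac
}

# $1 = `openssl version` line, $2 = file holding the s_client output.
triage() {
    if ! heartbeat_advertised < "$2"; then
        echo no-heartbeat-seen
    elif [ "$(classify_version "$1")" = affected-range ]; then
        echo verify-patch-level
    else
        echo heartbeat-seen-version-outside-range
    fi
}

# Constructed sample s_client output (illustrative, not captured from a real host).
sample=$(mktemp)
printf '%s\n' 'CONNECTED(00000003)' \
    'TLS server extension "renegotiation info" (id=65281), len=1' \
    'TLS server extension "heartbeat" (id=15), len=1' > "$sample"
triage 'OpenSSL 1.0.1e 11 Feb 2013' "$sample"   # verify-patch-level
triage 'OpenSSL 0.9.8n 24 Mar 2010' /dev/null   # no-heartbeat-seen
rm -f "$sample"
```

The version string comes from the command-line binary, which is assumed here to be the same OpenSSL build the mail listeners link against; on an appliance that should be confirmed separately.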