MDaemon Support Bulletin – MD061915

Alt-N has released MDaemon 15.0.3, 14.5.4, 14.0.4, 13.5.4, as well as patches for MDaemon 12.5, 12.0, 11.0 to correct a critical security vulnerability. I would highly recommend installing the latest bits as soon as is possible. While I don’t know all the details, be aware that the content filter processes all messages, therefore the vulnerability can likely be remotely exploited.

Read MDaemon Security Bulletin – MD061915 for more details, then get your server patched!

rbl.orbitrbl.com – Dead

If you’re currently using rbl.orbitrbl.com for spam blocking or filtering, you should probably remove it from your configuration immediately.

Luckily this DNSBL was not widely used, and is not part of a default MDaemon configuration, so most MDaemon administrators will not need to take any action. If you do have MDaemon configured to use it, you’re currently seeing either timeouts or errors, and shortly you will find a majority of inbound mail will be flagged as spam.

Mark Jeftovic of EasyDNS recently posted the following to the mailop mailing list.

As some of you may know, we recently took over ZoneEdit.com and it’s customer base.

We’ve found a domain on the system: rbl.orbitrbl.com which is delegated to zoneedit nameservers, broken (it is not allowed to zone transfer from it’s designated master), unresponsive (account owner is not answering email, has an address in Sri Lanka and no telephone number), is using excessive queries (~ >500M queries per day on a “free dns” domain) and attracting repeated, multiple DDoS attacks.

As such, we will be wildcarding this zone and setting a long TTL fairly soon.

If you’re actually using this RBL in your MTAs, now’s a good time to stop. (this RBL is broken on 5 out of it’s 6 delegated nameservers across 3 separate providers).

I’d like to thank Mark for giving everyone advanced warning.

MDaemon security vulnerability (MD051314)

The announcement from Alt-N is as follows:

MDaemon 14.0.1 fixes a critical security vulnerability in WorldClient. Versions going back to 13.0.0 are affected, so we’ve also released updates for them (13.6.3, 13.5.3, and 13.0.6).

More information and download links can be found here:
http://www.altn.com/Support/SecurityUpdate/MD051314_MDaemon_EN/

If you’re running MDaemon 13 or MDaemon 14 of any flavour, update to 14.0.1 if you’re upgrade protection permits, or if not, upgrade to 13.6.3, 13.5.3, 13.0.6 as soon as possible.