Let’s Encrypt revoking some certificates – Check to see if you are impacted

Are you using Let’s Encrypt with MDaemon or SecurityGateway (or anywhere else)? If so, great! But due to a bug re-validating CAA records, Let’s Encrypt will be revoking a subset of otherwise valid certificates. This bug has existed since 2019-07 and therefore could apply to any certificate issued prior to the fix which was applied 2020-02-29.

So what should you do? Well, luckily there is a tool to check your certificate, so you should check to see if your certificate is being revoked and if so, issue a new certificate as quickly as possible.

Modern browsers don’t check certificate revocations immediately or on all requests, so just because your browser works does not mean there is no impact! If your certificate is revoked you may see an impact some time in the next week or so, or you might not see it at all while users of other operation system / browser / client combinations may have a different experience.

Port numbers

Assuming a default configuration, the following inbound ports are required (depending on which services you want to make publicly available). All ports are TCP, unless otherwise mentioned.

MDaemon
25, Inbound and Outbound – ESMTP
53, Outbound – DNS (note that return packets are required)
110, Inbound and Outbound – POP3 and MultiPOP
143, Inbound – IMAP4
366, Inbound and Outbound – ODMR (ATRN, alternate ESMTP port)
465, Inbound – SSL SMTP
587, Inbound – ESMTP MSA (Mail Submission Agent — Have your mail cilents deliver here rather then 25 to avoid ISP firewalls
993, Inbound – SSL IMAP4
995, Inbound and Outbound – SSL POP3
4069 UDP, Inbound and Outbound – Minger

Even if you intend on enforcing encrypted connections, the unencrypted ports should be left active as the STARTTLS command starts a connection unencrypted and later adds encryption.

WorldClient, SyncML, ActiveSync, WebDAV, and possibly more
3000, Inbound – HTTP
80, Inbound – HTTP
443, Inbound – HTTPS

If nothing else on your server listens on port 80 and 443, it is highly recommended to assign these ports to WorldClient. It is required for ActiveSync’s AutoDiscovery, and for some older ActiveSync clients to connect.

WebAdmin
1000, Inbound – WebAdmin’s webserver

BES
3101, Outbound – BES services

SpamAssassin
80, Outbound – SA-Update

SecurityPlus/Outbreak Protection
21, Outbound – FTP for virus definitions updates
80, Outbound – HTTP for virus definitions updates and Outbreak Protection

If you are using a software firewall, you should ensure that the following processes have unrestricted inbound and outbound access: MDaemon.exe, WorldClient.exe, WebAdmin.exe, MDSpamD.exe, AVUpdate.exe

Finally, note that various parts of MDaemon interact using sockets to localhost IP addresses, so if you use a software firewall, you should not block any traffic to/from 127.0.0.1. This includes SpamAssassin, WorldClient, BES and other features.

WebAdmin JavaScript errors + Page navigation broken

MDaemon 10.0.3 introduced a WebAdmin bug preventing the “next page” buttons in the userlist from working, as well as possible script errors and problems with the “Filter” button.

This issue will be fixed in the next patch, but in the mean time, a patch is available.

Download global.zip, unzip and copy the global.js file to the WebAdmin\Templates\Javascript directory.

Note that it may be necessary to clear the browser’s cache for the updated file to take effect.

UPDATE 2009-01-22: Updated URL.