Let’s Encrypt revoking some certificates – Check to see if you are impacted

Are you using Let’s Encrypt with MDaemon or SecurityGateway (or anywhere else)? If so, great! But because of a bug in how Let’s Encrypt re-checked CAA records before issuance (a cached domain validation could be reused without the CAA record being re-checked inside the required window), Let’s Encrypt is revoking a subset of otherwise valid certificates. The bug has existed since 2019-07, so any certificate issued between then and the fix on 2020-02-29 may be affected; certificates issued before 2019-07 or after the fix are not.

So what should you do? Luckily there is a tool to check your certificate, so check whether yours is on the revocation list and, if it is, renew it as quickly as possible. If you are unsure, renewing early is harmless.

Modern browsers do not check revocation on every request (most rely on vendor-pushed revocation lists rather than a live OCSP or CRL lookup), so the fact that your browser still loads the site does not mean there is no impact! If your certificate is revoked you may see failures some time in the next week or so, or never in your own browser, while users on other operating system / browser / mail-client combinations have a different experience.
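As an added example (not from the original post and not Let’s Encrypt’s own checking tool), the script below pulls the certificate a server presents and reports whether it is a Let’s Encrypt certificate issued inside the affected window. The hostname mail.example.com is a placeholder, and the sample certificate dictionaries at the bottom are constructed so the logic can be exercised offline.

```python
"""Report whether a server's certificate is a Let's Encrypt certificate issued
inside the CAA re-checking window. Added example; not from the original post
and not Let's Encrypt's own checker. mail.example.com is a placeholder."""
import socket
import ssl
import sys
from datetime import datetime, timezone

# Window bounds taken from the post: bug present from 2019-07, fixed 2020-02-29.
# The start is rounded down to the first of the month and the end is exclusive
# of the day after the fix, so the check errs towards "look closer".
WINDOW_START = datetime(2019, 7, 1, tzinfo=timezone.utc)
WINDOW_END = datetime(2020, 3, 1, tzinfo=timezone.utc)   # exclusive


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Return the peer certificate in the dict form ssl.getpeercert() uses.
    Verification stays on, so a certificate that does not chain to the system
    trust store raises ssl.SSLCertVerificationError instead of being inspected."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


def _name_attr(name, key):
    """Pull one attribute out of the tuple-of-RDNs form getpeercert() returns
    for 'subject' and 'issuer'."""
    for rdn in name:
        for attr, value in rdn:
            if attr == key:
                return value
    return None


def issued_by_lets_encrypt(cert):
    return _name_attr(cert.get("issuer", ()), "organizationName") == "Let's Encrypt"


def not_before(cert):
    """Parse the 'Mon DD HH:MM:SS YYYY GMT' string the ssl module produces."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notBefore"]),
                                  tz=timezone.utc)


def in_caa_recheck_window(cert):
    """True for a Let's Encrypt certificate whose notBefore lies in the window.
    That makes it a candidate for revocation, not a confirmed revocation: only
    certificates whose CAA re-check was actually skipped were pulled, so confirm
    against Let's Encrypt's list or simply renew."""
    return issued_by_lets_encrypt(cert) and WINDOW_START <= not_before(cert) < WINDOW_END


def report(host, port=443):
    cert = fetch_peer_cert(host, port)
    if in_caa_recheck_window(cert):
        return (f"{host}:{port} issued {cert['notBefore']} by Let's Encrypt: "
                "inside the affected window, check the list and renew")
    return f"{host}:{port}: outside the affected window"


# Constructed sample certificates in getpeercert() form, for offline testing.
SAMPLE_IN_WINDOW = {
    "subject": ((("commonName", "mail.example.com"),),),
    "issuer": ((("countryName", "US"),), (("organizationName", "Let's Encrypt"),),
               (("commonName", "Let's Encrypt Authority X3"),)),
    "notBefore": "Nov 10 08:00:00 2019 GMT",
    "notAfter": "Feb  8 08:00:00 2020 GMT",
}
SAMPLE_BEFORE_WINDOW = dict(SAMPLE_IN_WINDOW, notBefore="Jun  1 00:00:00 2019 GMT",
                            notAfter="Aug 30 00:00:00 2019 GMT")
SAMPLE_OTHER_CA = dict(SAMPLE_IN_WINDOW,
                       issuer=((("organizationName", "Example Commercial CA"),),))

if __name__ == "__main__":
    print(report(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443))
```

Run it as `python3 le_window_check.py mail.example.com 443` (or 465, 993 or 995 for the mail listeners). A hit means the certificate is a candidate, not that it was revoked; confirm against Let’s Encrypt’s list or renew. To see the live revocation status rather than the issue date, `openssl s_client -connect mail.example.com:443 -status` prints the OCSP response when the server staples one.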

Port numbers

Assuming a default configuration, the following ports are required (depending on which services you want to make publicly available). All ports are TCP unless otherwise mentioned. “Inbound” means the port must be reachable from the outside; “Outbound” means MDaemon must be able to connect out to it.

MDaemon
25, Inbound and Outbound – ESMTP
53 UDP and TCP, Outbound – DNS (a stateful firewall must allow the reply packets back in; DNS normally uses UDP and falls back to TCP for large responses)
110, Inbound and Outbound – POP3 and MultiPOP
143, Inbound – IMAP4
366, Inbound and Outbound – ODMR (ATRN, alternate ESMTP port)
465, Inbound – SMTP over SSL/TLS (implicit TLS)
587, Inbound – ESMTP MSA (Mail Submission Agent; have your mail clients submit here, with STARTTLS and authentication, rather than on 25 to avoid ISP firewalls that block outbound 25)
993, Inbound – SSL IMAP4
995, Inbound and Outbound – SSL POP3
4069 UDP, Inbound and Outbound – Minger

Even if you intend to enforce encrypted connections, the plain ports (25, 110, 143, 587) should be left active: STARTTLS begins as an unencrypted connection on the standard port and upgrades to TLS after the client asks for it. Enforce encryption by requiring STARTTLS before authentication or mail transfer, not by closing the port. Only the implicit-TLS ports (465, 993, 995) are encrypted from the first byte.

WorldClient, SyncML, ActiveSync, WebDAV, and possibly more
3000, Inbound – HTTP
80, Inbound – HTTP
443, Inbound – HTTPS

If nothing else on your server listens on ports 80 and 443, it is highly recommended to assign these ports to WorldClient. Port 443 is required for ActiveSync Autodiscover and for some older ActiveSync clients that cannot be pointed at a non-standard port.

WebAdmin
1000, Inbound – WebAdmin’s webserver

BES
3101, Outbound – BES services

SpamAssassin
80, Outbound – SA-Update

SecurityPlus/Outbreak Protection
21, Outbound – FTP for virus definition updates (passive-mode FTP also opens an outbound connection to an ephemeral high port chosen by the server, so a stateful firewall or FTP helper is needed)
80, Outbound – HTTP for virus definitions updates and Outbreak Protection

If you are using a software firewall, ensure that the following processes are allowed the inbound and outbound access described above: MDaemon.exe, WorldClient.exe, WebAdmin.exe, MDSpamD.exe, AVUpdate.exe. Scoping the rules to those ports is preferable to giving the processes unrestricted access.

Finally, note that various parts of MDaemon interact using sockets to localhost IP addresses, so if you use a software firewall, you should not block any traffic to/from 127.0.0.1. This includes SpamAssassin, WorldClient, BES and other features.

Gmail difficulties pulling mail from MDaemon

If you have a mixed MDaemon+Gmail environment where Gmail retrieves mail from MDaemon via POP3 (a reverse Multi-POP), at some point in the past 24 hours you may have noticed Gmail stopped accessing mail.

It appears that Gmail has changed how its “Always use a secure connection (SSL) when retrieving mail” option works: it now requires a certificate that chains to an authority Gmail trusts, and it no longer accepts self-signed certificates.

This is both good and bad. A self-signed certificate that the client does not explicitly pin offers no protection against man-in-the-middle attacks (an attacker can present a different self-signed certificate and the client has no way to tell), so accepting one gives a false sense of security; on the other hand, it is annoying that the change breaks a working configuration.

Between this and the recent announcement that Gmail will be dropping ActiveSync support for new accounts, it might be a good time to consolidate all of your users on a locally hosted and managed MDaemon server rather than relying on the moving support target of cloud hosting.

If you don’t already have a valid certificate, I previously wrote an article on where you can get Cheap SSL Certificates (I have no affiliation, and I receive no compensation for this referral. I also have not verified that their certificates pass Gmail’s tests at this time or in the future).
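The script below is an added example, not part of MDaemon or of the original posts. It serves both the port table above and this Gmail post: it probes each inbound listener from the table, and for the TLS-capable ones it negotiates TLS (implicit on 465/993/995/443, STARTTLS on 25/587/110/143) with certificate verification left on, which is the same test Gmail’s POP fetcher now applies to port 995. The hostname mail.example.com is a placeholder.

```python
"""Probe MDaemon's public listeners: is each port reachable, and does the
certificate on the TLS-capable ones chain to a trusted CA? Added example,
not part of MDaemon or of the original post; mail.example.com is a placeholder."""
import imaplib
import poplib
import smtplib
import socket
import ssl

# Inbound TCP listeners from the port table, grouped by how TLS is negotiated.
# Minger (4069) is UDP and is not probed here.
STARTTLS_PORTS = {25: "smtp", 587: "smtp", 110: "pop3", 143: "imap"}
IMPLICIT_TLS_PORTS = {465: "smtp", 993: "imap", 995: "pop3", 443: "https"}
PLAIN_PORTS = {80: "http", 366: "odmr", 1000: "webadmin", 3000: "http"}


def tls_mode(port):
    """How a client gets encryption on this port: implicit (TLS from the first
    byte), starttls (plaintext greeting, then an upgrade), or plaintext."""
    if port in IMPLICIT_TLS_PORTS:
        return "implicit"
    if port in STARTTLS_PORTS:
        return "starttls"
    if port in PLAIN_PORTS:
        return "plaintext"
    return "unknown"


def port_open(host, port, timeout=3.0):
    """TCP reachability only; refused or timed out means the firewall or the
    service is not letting this port through."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def verify_tls(host, port, timeout=5.0):
    """Return (ok, detail). ok is True only when the chain presented on the
    port validates against the system trust store; a self-signed certificate
    fails here with CERTIFICATE_VERIFY_FAILED. Verification is never disabled."""
    ctx = ssl.create_default_context()
    mode = tls_mode(port)
    if mode not in ("implicit", "starttls"):
        return False, "no TLS on this port"
    try:
        if mode == "implicit":
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    return True, tls.version()
        proto = STARTTLS_PORTS[port]
        if proto == "smtp":
            with smtplib.SMTP(host, port, timeout=timeout) as smtp:
                smtp.ehlo()
                if not smtp.has_extn("starttls"):
                    return False, "STARTTLS not advertised"
                smtp.starttls(context=ctx)
                return True, smtp.sock.version()
        if proto == "pop3":
            pop = poplib.POP3(host, port, timeout=timeout)
            pop.stls(context=ctx)
            version = pop.sock.version()
            pop.quit()
            return True, version
        imap = imaplib.IMAP4(host, port, timeout=timeout)
        imap.starttls(ssl_context=ctx)
        version = imap.sock.version()
        imap.logout()
        return True, version
    except ssl.SSLCertVerificationError as exc:
        return False, f"certificate not trusted: {exc.verify_message}"
    except (OSError, smtplib.SMTPException, poplib.error_proto,
            imaplib.IMAP4.error) as exc:
        return False, str(exc)


def audit(host, ports=None):
    """Map each port to (reachable, tls_ok, detail) for a quick firewall and
    certificate review."""
    ports = ports or sorted({*STARTTLS_PORTS, *IMPLICIT_TLS_PORTS, *PLAIN_PORTS})
    result = {}
    for port in ports:
        reachable = port_open(host, port)
        tls_ok, detail = verify_tls(host, port) if reachable else (False, "unreachable")
        result[port] = (reachable, tls_ok, detail)
    return result


if __name__ == "__main__":
    import sys
    for port, (up, ok, detail) in audit(sys.argv[1]).items():
        print(f"{port:5d} {tls_mode(port):9s} open={up} tls_ok={ok} {detail}")
```

Run it from outside your network (`python3 mdaemon_probe.py mail.example.com`) so that the firewall is actually in the path. A port that is open but reports “certificate not trusted” is exactly the state that now breaks Gmail’s POP3 fetch; a STARTTLS port reporting “STARTTLS not advertised” means clients on that port are falling back to plaintext.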