Language
 
HomeKnowledge BaseMailNow! V5[INFO] LDAP Server Security Breach
Information
Article ID76
Created On10/10/2011
Modified10/11/2011
Share With Others
[INFO] LDAP Server Security Breach

Summary

We discovered that the 1.0.0 LDAP server has a serious security breach whereby the user's password might be visible to the LDAP users.

We highly advise existing customers of MailNow! 5 with this version of LDAP server to upgrade to the latest version.

You can download the latest version of LDAP server installer from the following link:  http://www.internetnow.com.my/download/MailNow5/prerequisites/ldapinstaller.msi

Affected MailNow:

All version of MailNow! 5 (5.x.x)



More Information 

  • How to check if you're using 1.0.0

In order to find out which version of LDAP server you are using currently please follow the following steps:

If you are using Windows 7, Windows 2008 server:

1-Please go to Control Panel.

2-Click on ‘Uninstall a program’.


3-Here you can see all programs and their related versions. Look for OpenLDAP and you will find out which version of LDAP server you are using. If you are using 1.0.0 version, upgrade immediately.

Note: If you cannot see the version information of the programs, right click on the page and open ‘’Group By’ from the menu and click on ‘’More…’’. Finally from the dialog and in the details section check Version and click OK.


 

  • If you are using Windows XP, Windows 2003:

1-Please go to Control Panel and double click on ‘‘Add or Remove Programs’’.

2-In the list of programs look for ‘‘OpenLDAP’’ and click on this program. Once you click you will see a link under OpenLDAP saying: ‘‘Click here for support information’’.


3-Click on this link and you can see which version of OpenLDAP you are using. If the version was 1.0.0, upgrade immediately.

 

Fix and Resolution

How to upgrade

In order to upgrade:

1- First you need to uninstall the current LDAP server (with version 1.0.0) by simply going to control panel, going to programs (the same way you checked the version) and uninstalling OpenLDAP exactly the way you uninstall other programs.

2- Download the latest LDAP server from here:  http://www.internetnow.com.my/download/MailNow5/prerequisites/ldapinstaller.msi

3- Install the new OpenLDAP server which you have downloaded already.

4- To verify your installation repeat the process of checking the version and the version should be more than 1.0.0 (such as 1.1.0). Also make sure the services is running by going to

Generating LDAP

In order to generate and publish LDAP, after you login as the admin please click on the ‘’System Settings’’ and choose ‘’LDAP Server’’.

By default we don’t publish the personal address book for each individual users because most users have large number of addresses in their address book and if MailNow! intends to publish all of them, it will take a long time.

So if you wish to publish your personal address book, ensure that you check this checkbox. There is also a button on the top toolbar called Regenerate which allows you to republish all the addresses, namely global address book, domain level address book and personal address books to LDAP server. Once again it is not recommended to publish the personal address book due to its size and number of addresses