RSS Feed
News
Apr
9
Heartbleed bug
Posted by Paul Smith on 09 April 2014 01:24 PM

As you may have seen in the news, a vulnerability in recent versions of OpenSSL has been found.

Current versions of VPOP3 are released with OpenSSL 1.0.1e which does have this vulnerability. The next version of VPOP3 will be released with OpenSSL 1.0.1g which has been patched.

Older versions of VPOP3 (v6.2 and earlier) used OpenSSL 0.9.8g which does not have this vulnerability.

You can easily tell which version of OpenSSL your VPOP3 installation has:

  • find the VPOP3 installation directory in Windows Explorer
  • find the ‘libeay32.dll’ file
  • right-click it and choose Properties
  • go to the ‘Details’ tab
  • Look at the ‘Product Version’ entry

If your VPOP3 has OpenSSL 1.0.1e then you should upgrade it to 1.0.1g. You can download the Win32 OpenSSL installer and copy the SSLEAY32.DLL and LIBEAY32.DLL files into the VPOP3 directory, or download the files from here and unzip the download into the VPOP3 directory (you will need to stop VPOP3 first).


Read more »



Feb
18
VPOP3 64 bit version – progress
Posted by Paul Smith on 18 February 2014 11:11 AM

For a few years we have wanted to make a 64 bit version of VPOP3. This should have immediate performance benefits when there are large numbers of users, and will allow us to add more performance improvements later, such as caching IMAP4 mailbox folder contents etc.

For the past year or so we have been working on this. So far, we have found very few problems in VPOP3 itself. Most of the problems have been due to third party libraries we use, or have used. This has meant we have had to remove some functionality from VPOP3, because we do not have access to 64 bit versions of the libraries, or we have had to change the libraries we use.

So, we have removed:

  • Ability to import data from very old versions of VPOP3. You will not be able to upgrade directly from 32 bit VPOP3 v1-v4 straight to 64 bit VPOP3, without losing some data (this won’t be current message data, users etc, but it may include address book information, archives etc). The recommended upgrade path will be from to the latest 32 bit VPOP3 to let that migrate the data from the old databases, then to the 64 bit VPOP3. This is because we used to use very old versions of the CODEBASE and SQLITE libraries for which we do not have 64 bit versions. For instance, VPOP3 v2 used SQLite 2.8. We did not bother upgrading to SQLite 3.x because we started using PostgreSQL instead, but we still included SQLite 2.8 in VPOP3 to allow upgrading of old data. We have not been able to successfully compile a 64 bit version of SQLite 2.8, and it is no longer officially supported.
  • Native FaxServer support. The effort and cost to get an updated 64 bit fax engine would be prohibitive, especially given that very few people are asking for this functionality nowadays. The PAYG fax solution will still work.
  • Spellchecking in Webmail. We use the Sentry Spellchecking Engine for Windows, but currently this is only available for 32 bit Windows. Hopefully WinterTree software will release a 64 bit version soon, or we will look around for a 64 bit capable alternative

We have had to change:

  • Graphics library. We have been using LeadTools graphics engine in VPOP3 for some time now to do basic image manipulation. The redistribution licence we have is not for a 64 version. We evaluated the options, including upgrading to a 64 bit licence of LeadTools, but decided to go for FreeImage which has a suitable, liberal, open-source licence, and will do what we need (essentially, basic format conversion and rescaling). LeadTools was an option, but was expensive and now requires run-time licences (which would increase the cost of VPOP3) and did far more than we needed.
  • All the way up to v6.6 there are a few bits which still use SQLite 2.x as the back-end database. These are rarely used features, so we haven’t had pressure to move them to PostgreSQL. However, since we cannot use SQLite 2.x in a 64 bit environment, these need moving to PostgreSQL before we can officially release a 64 bit version of VPOP3.

 

So, the current state is that we have done a lot of work, but it is not quite finished yet. I would anticipate that it is ready before the end of 2014 (hopefully, well before), unless a major problem arises.

 


Read more »