surferboy

Request for a new subforum

Hey IPS folk (includes moderators):

Given that IPS has moved to embrace Mandrill in such a significant way, please consider adding a Mandrill subforum wherever you feel it would be most appropriate.

The forum could be used for all topics with regard to Mandrill issues and also discussions (like what the? why is my Mandrill rating me in the lower 20%?) Those in the know might answer with "it depends," or a "that's a good thing."

This request is all the more urgent following stoo2000's recent introduction of the Mandrill Bouncer application.

Thanks,

Brian


At present, I would think that, along with any other 3rd party mail service, would fall under the wide umbrella of Server Management.

It's always a valid suggestion on forum restructure. Though, personally, I don't know if it's worth subdividing that forum into smaller pieces, Mail service / caching / nginx / apache, or just leaving it as one larger umbrella that's searchable.


I don't have huge concerns about my Mandrill rating. I was just throwing out some possible discussion topics that people might start as IPS's strong embrace of Mandrill pushes more and more folks into the area of using Mandrill.


Once again, I reiterate my call for a Mandrill subforum since it can have a number of questions and topics and because Mandrill is so embedded with the IPS product.

Yesterday or today, another community member started a topic about Heartbleed and IPS. It was shot down as having absolutely nothing to do with IPS.

But are you sure that Heartbleed has nothing to do with IPS? Because if a user only uses Mandrill on IPS, then this advisory from Mandrill DOES mean that we IPS users need to take some action. Since this is a Mandrill-related topic, it really should be in its own forum:

System Alert: OpenSSL Heartbleed Security Vulnerability

On Monday, the OpenSSL project released an update to address a serious security vulnerability nicknamed "Heartbleed". This vulnerability impacts the encryption used for internet communications and could allow access to decrypted HTTPS traffic. Like many service providers, once Mandrill became aware of Heartbleed, we moved to address, and evaluate the impact of, this vulnerability. We know that our users share our concern for security and privacy, so we want you to be aware of the specifics of Heartbleed vulnerability as it relates to Mandrill.

Impacted services

First and foremost, we have no evidence that the Heartbleed vulnerability was used to obtain any Mandrill data or to access Mandrill services.

Mandrill's relay and application servers were using affected versions of OpenSSL. Patches have been applied to all impacted servers, a process which was completed and confirmed by 14:00 UTC on April 8th. Although Mandrill utilizes Amazon EC2, we don't use the disk images provided by Amazon that were found to be affected. Nevertheless as a precaution, we've replaced our private key and SSL certificate since it's plausible that Mandrill's certificates could have been exposed.

What you should do

While there's no indication that Mandrill user data has been impacted, we strongly recommend that users update their Mandrill account passwords. Since API Keys are used for accessing your account via the API and SMTP, we also recommend deactivating old keys and replacing them with new keys.

Many of our users have sites or applications hosted which store their Mandrill credentials or other sensitive data. So, we also recommend auditing all services you may use to determine if they are also vulnerable, taking steps to repair any vulnerable services, and replacing SSL certificates once the vulnerability has been removed.

Wouldn't it be prudent to give Heartbleed a closer look, and also, rethink the idea of a subforum devoted exclusively to Mandrill so that this growing population of IPS Mandrill users can ask their questions and talk with others in the community about such a big IPS-endorsed non-product area?

Brian


Mandrill is right, change any sensitive data that has been sent via https.

This includes any SMTP connections that use TLS.

Those, however, don't have anything to do with IP.Board. They are login details for third party services.

The root of the Heartbleed issue is at the server level. If you think your SSL key was exposed, you get a new one.

This only affects data transmitted via SSL. IP.Board does not have any control over that. It is all handled at the server level.

As with any security exploit like this, common sense says change your passwords.


Heartbleed is an issue that your server administrator needs to address, or your hosting provider; it's not a user level issue as has been stated. It isn't something that needs to be fixed at a software level. It's also worth noting that the media and big business are going to the extreme "worst case scenario" to cover their rear ends on this exploit with their recommendations.

There is nothing wrong with going to the extreme when security is concerned, however when it comes to a community forum, there are likely many bigger targets people would have been after for the very few short hours this exploit was known about before it was patched.

It's also worth noting this did not affect all Linux servers, only servers running OpenSSL versions 1.x (Linux 6.x and up); there are many servers still running Linux 5.x that are not affected as they are still using OpenSSL version 0.x.

The issue is real, and yes the exploit is a very big issue, however it did not affect everyone. It will likely be some time before the impact (if any) this exploit may have had is known.


I'm not certain we need to have an entire forum dedicated to Mandrill at this time. If you want to know "why Mandrill is rating you at 20%" I would recommend contacting Mandrill to ask, or searching their help documentation.

Wow! IPS should tailor their up doc stuff like this!


Our software and services interact with dozens of other sites, and we are not going to create subforums for every single project that may be used with, involved with, linked to, or otherwise related in some fashion to our software. We don't have a subforum for Google on our site, yet SEO and Google Analytics are far bigger and more important topics to most of our clients. We won't have one for Mandrill specifically.

Mandrill notified you as a user of their services that you may need to change your login credentials. This has nothing to do with IPS.

You are already free to discuss Mandrill in our existing feedback and support forums. We don't need to have a forum dedicated to it. In fact, we have just begun taking steps to MERGE our feedback forums, not further segregate them. We don't find there is much value for the vast majority of our clients to have to pick a subforum to post feedback in - a general feedback subforum will work better for all, we feel, so we're not going to take two steps back and start introducing other subforums for other vendors.
