On Wed, Apr 09, 2014 at 11:01:05PM +0000, Viktor Dukhovni wrote:

> > I'd like to 'hear' Wietse's and Viktor's opinion on how could
> > this nasty bug affect a TLS service like submission?
> 
> In pretty much the same way that it applies to web services.

Note that the leak can also take place from a vulnerable TLS client
to a malicious TLS server.  Therefore, even if you're using Postfix
TLS only outbound, you still need to apply the fix.

SMTP TLS clients typically don't use TLS certs; I always recommend:

    # empty
    smtp_tls_cert_file = 

but some clients need certs, and in any case various other sensitive data
can leak.

-- 
        Viktor.
