Heartbleed FAQ - Rackspace Email & Apps
What is Heartbleed?
The Heartbleed bug is a serious vulnerability in OpenSSL encryption. The following website provides information about the bug:
Is Rackspace affected?
Any service or website that is connected to the Internet and uses SSL technologies is potentially vulnerable to the Heartbleed bug.
Did Rackspace fix the issue?
Yes. When we received the news that Heartbleed existed and a patch was made available, we immediately patched our services to remediate any potential vulnerability.
If services have been patched, then why should I change passwords?
Although we applied the patch earlier this week, your password could have been previously exposed and extracted as it passed through the Internet via the encrypted SSL tunnel. We have no confirmed reports of suspicious activity or hijacked passwords, but in the spirit of security we strongly urge users to proactively update their passwords, and not just their Rackspace passwords. We recommend that you change any online passwords you have and confirm with your other providers (hosting, banking, social media, and so on) that their SSL protocols have been patched.
Will Rackspace force a password change?
Because we have no confirmed compromise and do not assume that any occurred with the Heartbleed bug, we are simply notifying our customers and strongly urging them to change their passwords.
Can you set up a policy to force users to change passwords on next login?
Unfortunately, we cannot provide this service at this time. Users with DirectorySync, however, can enforce this policy in their Active Directory environment.
Is there a way to mass change passwords?
You cannot mass change passwords via the Email & Apps Control Panel. Following are the current options for changing passwords for mailboxes:
- Administrators can change passwords on individual mailboxes via the Control Panel at cp.rackspace.com. UK and MyRack users access the MyRackspace Portal at my.rackspace.com and can access the Mail Control Panel.
- Rackspace Email users can change their own passwords via the webmail portal at apps.rackspace.com.
- Exchange email users can change their passwords at cp.rackspace.com/usercp.
- Customers who use our DirectorySync product can enforce password change policies via their Active Directory environment.
How can I send an email message to all of my users?
You can send an email to everyone in your domain.
I have changed passwords for my users and now they are reporting various password issues. What happened?
Use the following steps to troubleshoot the issues:
- Determine whether the mailbox is currently locked by looking in the Control Panel for that specific user mailbox.
- Determine what devices your users are using to connect to their HEX mailbox: PC at work, iMac at home, work-issued iPhone, personal iPad, and so on. If a user's Exchange account is set up on any of these devices and the user updated the password recently, the user needs to update all of those devices with the new password. Any one of these devices could be locking out the mailbox.
- Unlock the mailbox through the Control Panel. After the Control Panel shows that the mailbox is no longer locked, have your user log into Outlook Web App (apps.rackspace.com) to verify that the user is, in fact, using the correct password.
- Clear out remembered passwords. Particularly on Windows or Mac operating systems, we see issues with the Credential Manager (Windows) or Keychain Access (Mac) remembering the “old” password.
- After remembered passwords are cleared out, have users open their email client again. Because they just cleared the Credential Manager or Keychain Access for this account, they should be prompted for the email address and password.
- Have users re-enter that information correctly. It is safe for them to let the browser “remember” the password, which, in turn, will create a new entry in the Credential Manager or Keychain Access.
© 2011-2013 Rackspace US, Inc.
Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License