Horde webmail plesk 10.2

Posted: Wed Jul 20, 2011 4:25 am
by DarkF@der
Hello,

yesterday something happened with our horde webmail.
Users that try to log in get an error, they can't log in any more!

it prints this error:

Error connecting to IMAP server: [].
Someone knows how to fix that?
Or what's going on?


Thanks in advance

Re: Horde webmail plesk 10.2

Posted: Wed Jul 20, 2011 6:30 am
by BruceLee
Yes, I encountered that too.
You can fix it by allowing fsockopen via ASL Configuration in php.ini.
Somehow the upgrade to ASL 3.0 changed the config and/or the way it gets handled.

Re: Horde webmail plesk 10.2

Posted: Wed Jul 20, 2011 6:46 am
by BruceLee
Ok, found out that in ASL 2.2 there was no fsockopen enabling/disabling feature.
That explains it.
Could this be integrated in the horde-webmail-php-check-feature that was introduced in ASL 2.2?!

Re: Horde webmail plesk 10.2

Posted: Wed Jul 20, 2011 9:02 am
by DarkF@der
But then we have a High Risk: PHP Function fsockopen() allows an attacker to open sockets, useful for spamming, remote inclusion, etc

so how to fix that?

Re: Horde webmail plesk 10.2

Posted: Wed Jul 20, 2011 10:11 am
by inquis
I have the same problem as well

I am liking the new system, but this upgrade did not go as smoothly as I would have liked. For about 4 hours I thought I lost all my clients' domains and emails through the ASL 3.0 not going right.

After reinstall I now have a problem getting into the system ;0(

Is it me, or have I developed a load more critical notifications about vulnerability problems? And when I try to click them it launches a page with no info on the wiki sheet.

Not sure what to make of this, but I will surely give it a couple of revisions to see if any fixes etc. get rolled out - which I presume is standard procedure as per normal.

But I don't want to be negative - the update looks bad and I am sure once I figure it out it will assume the role of the 2 IT gurus I have always wanted working for me ;0)

Re: Horde webmail plesk 10.2

Posted: Wed Jul 20, 2011 1:41 pm
by spaceout
This doesn't appear to only be a problem with Plesk 10.2. I was also seeing the same problem with the latest Plesk 9.5.4 and ASL 3.0.

Enabling fsockopen did solve the problem for me as well.

Re: Horde webmail plesk 10.2

Posted: Wed Jul 20, 2011 3:14 pm
by mikeshinn
> But then we have a High Risk: PHP Function fsockopen() allows an attacker to open sockets, useful for spamming, remote inclusion, etc
>
> so how to fix that?

So here's a few options:

1) disable the function
2) enable the function only for specific domains, here's an example from Faris:

https://www.atomicorp.com/forums/viewto ... ain#p23038

3) Set up output firewall rules to control what outbound services you allow. For example, you could block all port 25 and 465 outbound, except from qmail. Block port 80 access, except from specific processes or users, etc.

4) Put users in the SOCKET_SERVER group. This restricts them to only acting as servers (so they can't connect out to other servers), they can only listen and serve up content, like web content, FTP, etc. But not to connect out.

Re: Horde webmail plesk 10.2

Posted: Wed Jul 20, 2011 3:43 pm
by DarkF@der
step 1) can't do that because horde doesn't work anymore

step 2) if I have to enable the function only for specific domains, that will be a lot of work for a hosting company with new accounts every day, and a lot of users like to use webmail.

step 3) Do you have an example of that? I use apf firewall....

step 4) I don't understand this part...


On ASL 2.2 this already was a security issue?
So it doesn't matter if it's disabled, because it has always been open on ASL 2.2?


Thanks in advance

Re: Horde webmail plesk 10.2

Posted: Wed Jul 20, 2011 4:03 pm
by inquis
I would be interested in step 3 and step 4 as well - both sound like quite tightly scoped methods, if I understand what you wrote correctly.

Anyway, I got into the control panel by disabling SSO and after logging in, all is well.

OT: Does anybody know the command code for resetting a plesk power panel password?

@ The atomic dev - when this is tightly tuned I can see it being awesome. So many more angles to protect the system.

I know it seems silly, but would there be any chance of creating presets like maximum stealth, loose, medium and stuff like that?

Sorry, I'm rambling - I'll keep subscribed to this thread for sure.

Re: Horde webmail plesk 10.2

Posted: Wed Jul 20, 2011 4:27 pm
by scott
Yeah, actually that was where we were heading with the SERVER_TYPE classification, using that to come up with different default policies. At the moment it's being used to track the operating environment (normal, cpanel, directadmin, custom, etc).

Re: Horde webmail plesk 10.2

Posted: Wed Jul 20, 2011 4:29 pm
by inquis
yes def heading in the right direction

Re: Horde webmail plesk 10.2

Posted: Wed Jul 20, 2011 4:46 pm
by mikeshinn
> On asl 2.2 this already was a security issue?

It's a security issue for everyone, if you are running ASL or not. 2.2 just didn't report it or fix it.

> So it doesn't matter if it's disabled because it was always been open on asl 2.2?

The vulnerability scanner's job is to give you the truth. If it's reporting a vulnerability, it's real. ASL has some methods to try to help you with this, but it's up to you ultimately to decide if the risk is acceptable.

Re: Horde webmail plesk 10.2

Posted: Wed Jul 20, 2011 4:56 pm
by DarkF@der
So the best way for me is step 3)

Do you have an example for that?

Thanks in advance

Re: Horde webmail plesk 10.2

Posted: Mon Jul 25, 2011 8:20 am
by DarkF@der
So no one knows the best way to secure this high risk, because it needs to be open for horde.
BTW I use apf firewall..

Thanks in advance

Re: Horde webmail plesk 10.2

Posted: Mon Jul 25, 2011 1:50 pm
by mikeshinn
I can't speak for APF, and I'm not sure if it could do this, but you would want to create iptables rules that limit the output to just those userids that would normally do this. For example, to limit outbound SMTP to just qmail and postfix, you would add rules like these:

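# Create the logging chain first; the rules that reference it fail if it does not exist.
iptables -N LOG_SMTP_OUT
# Allow outbound SMTP from the mail users and root, and to localhost.
iptables -I OUTPUT -p tcp --dport 25 -m owner --uid-owner qmail -j ACCEPT
iptables -I OUTPUT -p tcp --dport 25 -m owner --uid-owner postfix -j ACCEPT
iptables -I OUTPUT -p tcp --dport 25 -m owner --uid-owner root -j ACCEPT
iptables -I OUTPUT -p tcp --dport 25 -d 127.0.0.1 -j ACCEPT
# Any other outbound connection to port 25 is logged (rate limited) and rejected.
iptables -A OUTPUT -p tcp --dport 25 -j LOG_SMTP_OUT
iptables -A LOG_SMTP_OUT -m limit --limit 1/second -j LOG --log-level info --log-prefix "Unauth-SMTP " --log-tcp-sequence --log-tcp-options --log-ip-options
iptables -A LOG_SMTP_OUT -j REJECT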

The format of a rule that is limited to a user is:

iptables -I OUTPUT -p PROTOCOL --dport PORT -m owner --uid-owner USERNAME -j ACCEPT

Where PROTOCOL would probably almost always be "tcp", except maybe in the case of DNS when it would be "udp".

PORT is the outbound port, 25 for SMTP, 80 for HTTP, etc.

and USERNAME is the trusted non-malicious username, such as "qmail".

For other services, you would need to identify the user that would normally, and non-maliciously connect outbound and limit that port to that user.
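
The PROTOCOL/PORT/USERNAME template from the post above, generalized into a generator for any port, as an added example that is not part of the original thread. The function name `egress_rules`, its argument order and the chain and prefix arguments are assumptions; it only prints the rules so they can be reviewed before being run as root.

```shell
#!/bin/sh
# Added example (not from the thread): print, without applying, the per-user
# egress rules for one port. Function name and argument order are assumptions.
# usage: egress_rules PROTOCOL PORT CHAIN LOGPREFIX USERNAME...
egress_rules() {
    if [ "$#" -lt 5 ]; then
        echo "usage: egress_rules PROTOCOL PORT CHAIN LOGPREFIX USERNAME..." >&2
        return 1
    fi
    proto=$1; port=$2; chain=$3; prefix=$4
    shift 4

    # Validate everything before printing anything, so a rejected argument
    # never leaves a half-written rule set in the output.
    case $proto in tcp|udp) ;; *) echo "bad protocol: $proto" >&2; return 1 ;; esac
    case $port in ''|*[!0-9]*|??????*) echo "bad port: $port" >&2; return 1 ;; esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "bad port: $port" >&2; return 1
    fi
    case $chain in ''|*[!A-Za-z0-9_]*) echo "bad chain: $chain" >&2; return 1 ;; esac
    # The LOG prefix is limited to 29 characters; one is the trailing space.
    case $prefix in ''|*[!A-Za-z0-9_-]*) echo "bad prefix: $prefix" >&2; return 1 ;; esac
    if [ "${#prefix}" -gt 28 ]; then echo "prefix too long" >&2; return 1; fi
    for user in "$@"; do
        case $user in ''|*[!A-Za-z0-9_.-]*) echo "bad user: $user" >&2; return 1 ;; esac
    done

    # Fill the log-and-reject chain first, then hook it into OUTPUT last.
    echo "iptables -N $chain"
    echo "iptables -A $chain -m limit --limit 1/second -j LOG --log-level info --log-prefix \"$prefix \""
    echo "iptables -A $chain -j REJECT"
    for user in "$@"; do
        echo "iptables -I OUTPUT -p $proto --dport $port -m owner --uid-owner $user -j ACCEPT"
    done
    echo "iptables -I OUTPUT -p $proto --dport $port -d 127.0.0.1 -j ACCEPT"
    echo "iptables -A OUTPUT -p $proto --dport $port -j $chain"
}

# The thread's SMTP case, reproduced through the template.
egress_rules tcp 25 LOG_SMTP_OUT Unauth-SMTP qmail postfix root
```

Because the ACCEPT rules use `-I` and the jump to the logging chain uses `-A`, the allowed users are matched before the catch-all regardless of the order the printed lines are applied in.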