
Atmail 1.05 for Plesk 9.x

Posted: Fri Apr 20, 2012 3:01 am
by onsightdata
I see that atmail open 1.05 came out in December of 2011. Would it be possible to get this added to the atomic repo, please? The latest I have is psa-atmail-1.04-3.el5.art.noarch

So appreciate all the work that Atomiccorp does!

Thanks,

*edit* I was going to add the link, http://atmail.org/download/atmailopen.tgz

Re: Atmail 1.05 for Plesk 9.x

Posted: Fri Apr 20, 2012 3:07 am
by onsightdata
One of the reasons I am requesting this is:

http://www.kb.cert.org/vuls/id/743555

Vulnerability Note VU#743555

@Mail Open webmail client contains multiple vulnerabilities

Original Release date: 22 Mar 2012 | Last revised: 28 Mar 2012

Overview

The @Mail Open 1.04 webmail client contains multiple vulnerabilities including; unrestricted upload of file with dangerous type (CWE-434), relative path traversal (CWE-23), external control of file name or path (CWE-73), and information exposure (CWE-200).

Description

The @Mail Open 1.04 webmail client contains multiple vulnerabilities including the following

Re: Atmail 1.05 for Plesk 9.x

Posted: Fri Apr 20, 2012 11:27 am
by scott
Thanks for the heads up! psa-atmail 1.05 should be going out to the mirrors now.

Re: Atmail 1.05 for Plesk 9.x

Posted: Fri Apr 20, 2012 7:13 pm
by onsightdata
After doing the update:

All domains get this screen and it wants all the information to be entered.


Atmail Pre-installation check
Thank you for choosing Atmail Open, this easy to use Web-installer will guide you through configuring the software. The installation progress is displayed with a progress bar at the top right of the page. Completed steps appear black and the current step blue. You can return to any completed step by clicking on its box in the progress bar.

Re: Atmail 1.05 for Plesk 9.x

Posted: Mon Apr 23, 2012 11:43 am
by onsightdata
I have no idea what the atmail database name is, nor the user and pass to do the setup. I had to downgrade back to 1.04 as I don't have the information to do the setup for 1.05.

Any help would be appreciated.

Re: Atmail 1.05 for Plesk 9.x

Posted: Wed Apr 25, 2012 1:43 pm
by diego
Same issue here, does anyone have an update?

Re: Atmail 1.05 for Plesk 9.x

Posted: Fri Apr 27, 2012 3:06 pm
by onsightdata
Scott/Anyone

When doing the update to atmail 1.05, it goes to a setup screen which, after agreeing to the terms of use, takes you to a database setup screen. I am assuming there is already an atmail database that the previous versions used; however, I don't know how to find that out. Another option I was thinking of is that maybe there is a config file that I could just back up from the 1.04 install that contains the database settings, and then just copy that into the 1.05 install and be done with it.


Re: Atmail 1.05 for Plesk 9.x

Posted: Sat Apr 28, 2012 4:10 pm
by jas8522
Looks like the rpm doesn't properly set up the config file for Plesk. Here's what I did to fix it. All of these edits are to be done to the file: /var/www/atmail/libs/Atmail/Config.php

Put this at top of file after <?php and before $pref = array(

Code:

// get password from /etc/psa/webmail/atmail/.atmail.shadow
// Newer Plesk uses /etc/psa-webmail/atmail/.atmail.shadow
if (file_exists("/etc/psa/webmail/atmail/.atmail.shadow")) {
  $password_file="/etc/psa/webmail/atmail/.atmail.shadow";
} elseif (file_exists("/etc/psa-webmail/atmail/.atmail.shadow")) {
  $password_file="/etc/psa-webmail/atmail/.atmail.shadow";
} else {
  echo "Error: Password file could not be found\n";
  exit;
}

if (!($fd = fopen($password_file, "r"))) {
  echo "<script>alert('Unable to get webmail password!')</script>";
  exit();
}
fscanf($fd, "%s", $buff);
fclose($fd);

Then set the following settings:

Code:

'sql_user' => 'atmail'
'sql_pass' => preg_replace("/\n/", "", $buff)  // no quotes around this value
'plesk' => 1
'installed' => 1
'domain' => ''
'smtphost' => 'localhost'
'install_dir' => '/var/www/atmail'
'user_dir' => '/var/www/atmail/users'
'popimap_debug_file' => '/var/log/atmail/popimap_debug.log'
'error_log' => '/var/log/atmail/atmail.log'
'atmail_root' => '/var/www'
'filter_trusted_networks' => ''
'ssl_certfile_pop3' => '/usr/local/psa/etc/httpsd.pem'
'ssl_certfile_imap' => '/usr/local/psa/etc/httpsd.pem'

If it doesn't work after this, and you get the error "Error: Password file could not be found" then you need to edit /etc/httpd/conf.d/zzz_atmail_vhost.conf AND /etc/psa-webmail/atmail/atmail_vhost.conf (so it regenerates properly when requested) and add /etc/psa-webmail/atmail to the open_basedir values (There are two). Remember they're separated by colons.

Re: Atmail 1.05 for Plesk 9.x

Posted: Sat Apr 28, 2012 11:04 pm
by mikeshinn
onsightdata wrote: One of the reasons I am requesting this is:

http://www.kb.cert.org/vuls/id/743555

Vulnerability Note VU#743555

All systems with ASL installed, and anyone using our realtime or delayed rules were already immune to this entire class of vulnerabilities. You do not have to upgrade atmail.

If you are using ASL, or our realtime or even delayed rules you are completely immune to this vulnerability and already were. In fact, the rules have protected against this class of vulnerabilities since we first started putting out rules, which was many many years ago. So you do not need to install this upgrade.

Re: Atmail 1.05 for Plesk 9.x

Posted: Mon Apr 30, 2012 12:45 pm
by scott
Thanks for the follow up, looks like I had uncommented the patch against the config when it was building. -2 is going up into the repo now.

Re: Atmail 1.05 for Plesk 9.x

Posted: Mon Apr 30, 2012 6:55 pm
by diego
Scott, I upgraded but now it's asking for a passwd

Error: Password file could not be found

Re: Atmail 1.05 for Plesk 9.x

Posted: Mon Apr 30, 2012 10:23 pm
by jas8522
diego wrote: Scott, I upgraded but now it's asking for a passwd

Error: Password file could not be found

The very bottom of my post above should fix that.

Re: Atmail 1.05 for Plesk 9.x

Posted: Mon Apr 30, 2012 11:55 pm
by diego
jas8522: I don't know what to edit on the files you mention. Can you be a little more specific on how they should look.

Thank you.

Re: Atmail 1.05 for Plesk 9.x

Posted: Tue May 01, 2012 11:34 am
by jas8522
diego wrote: jas8522: I don't know what to edit on the files you mention. Can you be a little more specific on how they should look.

Thank you.

Sure! Best way to proceed:

Edit: /etc/psa-webmail/atmail/atmail_vhost.conf and look for this line:

Code:

php_admin_value open_basedir "@WEBMAIL_DOCROOT@:/var/log/atmail:/etc/psa:/tmp:/var/tmp:/etc/psa-webmail/atmail"

You will see it twice. Be sure to append the ":/etc/psa-webmail/atmail" like you see above. This will set it properly for the template, but it will *not* make it live. To do that, this should work:

Code:

/usr/local/psa/admin/bin/websrvmng -a

Check to see if the template was pushed to your atmail configuration file by running this:

Code:

cat /etc/httpd/conf.d/zzz_atmail_vhost.conf | grep open_basedir

If you see the ":/etc/psa-webmail/atmail" portion appended to the open_basedir line that this last command presents to you, then simply restart apache to apply it:

Code:

/sbin/service httpd restart

If not, edit that file as well and manually insert it in the same way you did to the template file, then restart apache.
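
The open_basedir check from the post above, written as a script; this is an added example, not part of the thread. It goes a little further than the grep in the post by comparing each colon-separated entry exactly, so a look-alike path does not pass, and it can print a patched copy of the file. The function name basedir_scan and the sample vhost are constructed for illustration, and the directive value is assumed to be double-quoted as in the post.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the directive value is
# double-quoted, as in the open_basedir line posted above.

# basedir_scan check FILE DIR  print line numbers of active open_basedir
#                              directives lacking DIR as an exact entry;
#                              status 0 = all have it, 1 = some lack it
# basedir_scan patch FILE DIR  print FILE with ":DIR" appended where missing
# Either mode returns status 2 when FILE has no open_basedir directive.
basedir_scan() {
  awk -v mode="$1" -v want="${3%/}" '
    !/^[ \t]*#/ && /php_admin_value[ \t]+open_basedir[ \t]+"/ {
      found = 1
      list = $0
      sub(/^[^"]*"/, "", list)          # drop everything up to the opening quote
      sub(/".*$/, "", list)             # drop the closing quote and the rest
      n = split(list, entry, ":")
      has = 0
      for (i = 1; i <= n; i++) {
        sub(/\/$/, "", entry[i])        # ignore a trailing slash
        if (entry[i] == want) has = 1   # exact entry match, not a substring
      }
      if (!has) {
        missing = 1
        if (mode == "check") print NR
        else { sub(/"[ \t]*$/, ""); $0 = $0 ":" want "\"" }
      }
    }
    mode == "patch" { print }
    END { if (!found) exit 2; if (mode == "check") exit missing + 0 }
  ' "$2"
}

# Constructed sample: two directives, the second one not yet updated.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
<VirtualHost *:80>
  php_admin_value open_basedir "@WEBMAIL_DOCROOT@:/var/log/atmail:/etc/psa:/tmp:/var/tmp:/etc/psa-webmail/atmail"
</VirtualHost>
<VirtualHost *:443>
  php_admin_value open_basedir "@WEBMAIL_DOCROOT@:/var/log/atmail:/etc/psa:/tmp:/var/tmp"
</VirtualHost>
EOF

basedir_scan check "$sample" /etc/psa-webmail/atmail || echo "^ directive(s) missing the path"
basedir_scan patch "$sample" /etc/psa-webmail/atmail | grep open_basedir
```

Run the check against both the template and the live zzz_atmail_vhost.conf named in the post; patch mode only writes to stdout, so review the output before replacing either file.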

Re: Atmail 1.05 for Plesk 9.x

Posted: Wed May 02, 2012 10:43 pm
by onsightdata
That fix worked awesome.

Thanks Scott for updating 1.05 and thanks jas8522 for the fix for the password issue. The fix you posted worked perfect.