Horde webmail plesk 10.2

DarkF@der

Hello,

Yesterday something happened with our Horde webmail.
Users that try to log in get an error; they can't log in any more!

It prints this error:

Error connecting to IMAP server: [].

Does someone know how to fix that?
Or what's going on?

Thanks in advance
BruceLee

Yes, I encountered that too.
You can fix it by allowing fsockopen via the ASL Configuration in php.ini.
Somehow the upgrade to ASL 3.0 changed the config and/or the way it gets handled.
BruceLee

OK, I found out that in ASL 2.2 there was no feature for enabling or disabling fsockopen.
That explains it.
Could this be integrated into the horde-webmail-php-check feature that was introduced in ASL 2.2?!
DarkF@der

But then we have a High Risk: PHP Function fsockopen() allows an attacker to open sockets, useful for spamming, remote inclusion, etc

so how to fix that?
inquis

I have the same problem as well.

I am liking the new system, but this upgrade did not go as smoothly as I would have liked. For about 4 hours I thought I had lost all my clients' domains and emails through the ASL 3.0 not going right.

After reinstall I now have a problem getting into the system ;0(

Is it me, or have I developed a load more critical notifications about vulnerability problems, and when I try to click them it launches a page with no info on the wiki sheet?

Not sure what to make of this, but I will surely give it a couple of revisions to see if any fixes etc. get rolled out, which I presume is standard procedure as per normal.

But I don't want to be negative - the update looks bad and I am sure once I figure it out it will assume the role of the 2 IT gurus I have always wanted working for me ;0)
Last edited by inquis on Wed Jul 20, 2011 3:44 pm, edited 1 time in total.
spaceout

This doesn't appear to only be a problem with Plesk 10.2. I was also seeing the same problem with the latest Plesk 9.5.4 and ASL 3.0.

Enabling fsockopen did solve the problem for me as well.
mikeshinn

> But then we have a High Risk: PHP Function fsockopen() allows an attacker to open sockets, useful for spamming, remote inclusion, etc
>
> so how to fix that?

So here's a few options:

1) Disable the function.
2) Enable the function only for specific domains; here's an example from Faris:

https://www.atomicorp.com/forums/viewto ... ain#p23038

3) Set up output firewall rules to control what outbound services you allow. For example, you could block all port 25 and 465 outbound, except from qmail. Block port 80 access, except from specific processes or users, etc.

4) Put users in the SOCKET_SERVER group. This restricts them to only acting as servers (so they can't connect out to other servers); they can only listen and serve up content, like web content, FTP, etc., but not connect out.
DarkF@der

Step 1) I can't do that, because Horde doesn't work anymore.

Step 2) If I have to enable the function only for specific domains, that will be a lot of work for a hosting company with new accounts every day, and a lot of users like to use webmail.

Step 3) Do you have an example of that? I use APF firewall...

Step 4) I don't understand this part...


On ASL 2.2 this already was a security issue?
So it doesn't matter if it's disabled, because it has always been open on ASL 2.2?


Thanks in advance
inquis

I would be interested in step 3 and step 4 as well - both sound like quite tightly scoped methods, if I understand what you wrote correctly.

Anyway, I got into the control panel by disabling SSO, and after logging in all is well.

OT: Does anybody know the command code for resetting a Plesk power panel password?

@ The atomic dev - when this is tightly tuned I can see it being awesome. So many more angles to protect the system.

I know it seems silly, but would there be any chance of creating presets like maximum stealth, loose, medium and stuff like that?

Sorry, I'm rambling - I'll keep subscribed to this thread for sure.
scott

Yeah, actually that was where we were heading with the SERVER_TYPE classification, using that to come up with different default policies. At the moment it's being used to track the operating environment (normal, cpanel, directadmin, custom, etc).
inquis

yes def heading in the right direction
mikeshinn

> On ASL 2.2 this already was a security issue?

It's a security issue for everyone, if you are running ASL or not. 2.2 just didn't report it or fix it.

> So it doesn't matter if it's disabled, because it has always been open on ASL 2.2?

The vulnerability scanner's job is to give you the truth. If it's reporting a vulnerability, it's real. ASL has some methods to try to help you with this, but it's up to you ultimately to decide if the risk is acceptable.
DarkF@der

So the best way for me is step 3)

Do you have an example for that?

Thanks in advance
DarkF@der

So no one knows the best way to secure this high risk, because it needs to be open for Horde.
BTW I use APF firewall.

Thanks in advance
mikeshinn

I can't speak for APF, and I'm not sure if it could do it, but you would want to create iptables rules that limit the output to just those userids that would normally do this. For example, to limit outbound SMTP to just qmail and postfix, you would add rules like these:

# Create the logging chain first; the jump to LOG_SMTP_OUT below fails if it does not exist
iptables -N LOG_SMTP_OUT
# Allow outbound SMTP from the mail server users and root, and to localhost
iptables -I OUTPUT -p tcp --dport 25 -m owner --uid-owner qmail -j ACCEPT
iptables -I OUTPUT -p tcp --dport 25 -m owner --uid-owner postfix -j ACCEPT
iptables -I OUTPUT -p tcp --dport 25 -m owner --uid-owner root -j ACCEPT
iptables -I OUTPUT -p tcp --dport 25 -d 127.0.0.1 -j ACCEPT
# Everything else bound for port 25 is logged (rate limited) and rejected
iptables -A OUTPUT -p tcp --dport 25 -j LOG_SMTP_OUT
iptables -A LOG_SMTP_OUT -m limit --limit 1/second -j LOG --log-level info --log-prefix "Unauth-SMTP " --log-tcp-sequence --log-tcp-options --log-ip-options
iptables -A LOG_SMTP_OUT -j REJECT

The format of a rule that is limited to a user is:

iptables -I OUTPUT -p PROTOCOL --dport PORT -m owner --uid-owner USERNAME -j ACCEPT

Where PROTOCOL would probably almost always be "tcp", except maybe in the case of DNS when it would be "udp".

PORT is the outbound port, 25 for SMTP, 80 for HTTP, etc.

and USERNAME is the trusted non-malicious username, such as "qmail".

For other services, you would need to identify the user that would normally, and non-maliciously connect outbound and limit that port to that user.
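
One way to see which accounts are hitting the reject rule above, as an added example that is not part of the original thread: a small shell function that summarizes the "Unauth-SMTP " kernel log entries by user id and destination. It assumes `--log-uid` was added to the LOG rule so the kernel records UID=, and the log lines, host name, addresses and user ids below are constructed samples.

```shell
#!/bin/sh
# Added example: count rejected outbound SMTP attempts per (uid, destination)
# from the lines written by the LOG_SMTP_OUT chain (prefix "Unauth-SMTP ").
# Assumption: the LOG rule also carries --log-uid, so each line ends in UID=/GID=.

# Constructed sample log lines (documentation addresses, made-up uids).
sample_log() {
cat <<'EOF'
Jul 20 15:01:02 web1 kernel: Unauth-SMTP IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.25 LEN=60 TTL=64 ID=4211 DF PROTO=TCP SPT=45678 DPT=25 SYN URGP=0 UID=48 GID=48
Jul 20 15:01:03 web1 kernel: Unauth-SMTP IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.25 LEN=60 TTL=64 ID=4212 DF PROTO=TCP SPT=45679 DPT=25 SYN URGP=0 UID=48 GID=48
Jul 20 15:01:05 web1 kernel: eth0: link up
Jul 20 15:02:10 web1 kernel: Unauth-SMTP IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=60 TTL=64 ID=4290 DF PROTO=TCP SPT=45701 DPT=25 SYN URGP=0 UID=48 GID=48
Jul 20 15:03:44 web1 kernel: Unauth-SMTP IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.25 LEN=60 TTL=64 ID=4302 DF PROTO=TCP SPT=45733 DPT=25 SYN URGP=0 UID=10001 GID=10001
EOF
}

# Reads syslog text on stdin; prints "COUNT UID DST", busiest pair first.
summarize_unauth_smtp() {
  awk '
    / Unauth-SMTP / {
      # Lines logged without --log-uid have no UID= field; report them as unknown.
      uid = "unknown"; dst = "unknown"
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^UID=/) uid = substr($i, 5)
        if ($i ~ /^DST=/) dst = substr($i, 5)
      }
      count[uid " " dst]++
    }
    END { for (k in count) print count[k], k }
  ' | LC_ALL=C sort -t ' ' -k1,1nr -k2,2 -k3,3
}

# Run against the constructed sample; on a real host, feed it the kernel log instead.
sample_log | summarize_unauth_smtp
```

A web server or customer uid showing up here is a process that tried to send mail directly instead of through the local mail server, which is the behaviour the per-user rules are meant to stop.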