Atomic Secure Linux
 Post subject: Atmail 1.05 for Plesk 9.x
Posted: Fri Apr 20, 2012 3:01 am
Forum User

Joined: Sun Sep 12, 2010 4:15 am
Posts: 8
I see that Atmail Open 1.05 came out in December of 2011. Would it be possible to get this added to the Atomic repo, please? The latest I have is psa-atmail-1.04-3.el5.art.noarch

So appreciate all the work that Atomicorp does!

Thanks,

*edit* I was going to add the link, http://atmail.org/download/atmailopen.tgz


Post subject: Re: Atmail 1.05 for Plesk 9.x
Posted: Fri Apr 20, 2012 3:07 am
Forum User

Joined: Sun Sep 12, 2010 4:15 am
Posts: 8
One of the reasons I am requesting this is:

http://www.kb.cert.org/vuls/id/743555

Vulnerability Note VU#743555

@Mail Open webmail client contains multiple vulnerabilities

Original Release date: 22 Mar 2012 | Last revised: 28 Mar 2012

Overview

The @Mail Open 1.04 webmail client contains multiple vulnerabilities including; unrestricted upload of file with dangerous type (CWE-434), relative path traversal (CWE-23), external control of file name or path (CWE-73), and information exposure (CWE-200).

Description

The @Mail Open 1.04 webmail client contains multiple vulnerabilities including the following


Post subject: Re: Atmail 1.05 for Plesk 9.x
Posted: Fri Apr 20, 2012 11:27 am
Atomicorp Staff - Site Admin

Joined: Wed Dec 31, 1969 8:00 pm
Posts: 8313
Location: earth
Thanks for the heads up! psa-atmail 1.05 should be going out to the mirrors now.


Post subject: Re: Atmail 1.05 for Plesk 9.x
Posted: Fri Apr 20, 2012 7:13 pm
Forum User

Joined: Sun Sep 12, 2010 4:15 am
Posts: 8
After doing the update:

All domains get this screen and it wants all the information to be entered.


Atmail Pre-installation check
Thank you for choosing Atmail Open, this easy to use Web-installer will guide you through configuring the software. The installation progress is displayed with a progress bar at the top right of the page. Completed steps appear black and the current step blue. You can return to any completed step by clicking on its box in the progress bar.


Post subject: Re: Atmail 1.05 for Plesk 9.x
Posted: Mon Apr 23, 2012 11:43 am
Forum User

Joined: Sun Sep 12, 2010 4:15 am
Posts: 8
I have no idea what the atmail database name is, nor the user and pass to do the setup. I had to downgrade back to 1.04 as I don't have the information to do the setup for 1.05.

Any help would be appreciated.


Post subject: Re: Atmail 1.05 for Plesk 9.x
Posted: Wed Apr 25, 2012 1:43 pm
Forum Regular

Joined: Tue Aug 05, 2008 5:01 pm
Posts: 111
Same issue here. Does anyone have an update?


Post subject: Re: Atmail 1.05 for Plesk 9.x
Posted: Fri Apr 27, 2012 3:06 pm
Forum User

Joined: Sun Sep 12, 2010 4:15 am
Posts: 8
Scott/Anyone

When doing the update to Atmail 1.05, it goes to a setup screen which, after agreeing to the terms of use, takes you to a database setup screen. I am assuming there is already an atmail database that the previous versions used; however, I don't know how to find that out. Another option I was thinking of is that maybe there is a config file that I could just back up from the 1.04 install that contains the database settings and then just copy that into the 1.05 install and be done with it.



Post subject: Re: Atmail 1.05 for Plesk 9.x
Posted: Sat Apr 28, 2012 4:10 pm
Forum User

Joined: Mon Jan 09, 2006 4:02 pm
Posts: 52
Looks like the rpm doesn't properly set up the config file for Plesk. Here's what I did to fix it. All of these edits are to be done to the file: /var/www/atmail/libs/Atmail/Config.php

Put this at top of file after <?php and before $pref = array(
Code:
// get password from /etc/psa/webmail/atmail/.atmail.shadow
// Newer Plesk uses /etc/psa-webmail/atmail/.atmail.shadow
if (file_exists("/etc/psa/webmail/atmail/.atmail.shadow")) {
  $password_file="/etc/psa/webmail/atmail/.atmail.shadow";
} elseif (file_exists("/etc/psa-webmail/atmail/.atmail.shadow")) {
  $password_file="/etc/psa-webmail/atmail/.atmail.shadow";
} else {
  echo "Error: Password file could not be found\n";
  exit;
}

if (!($fd = fopen($password_file, "r"))) {
  echo "<script>alert('Unable to get webmail password!')</script>";
  exit();
}
fscanf($fd, "%s", $buff);
fclose($fd);


Then set the following settings:

Code:
'sql_user' => 'atmail',
'sql_pass' => preg_replace("/\n/", "", $buff),  // an expression: no quotes around it
'plesk' => 1,
'installed' => 1,
'domain' => '',
'smtphost' => 'localhost',
'install_dir' => '/var/www/atmail',
'user_dir' => '/var/www/atmail/users',
'popimap_debug_file' => '/var/log/atmail/popimap_debug.log',
'error_log' => '/var/log/atmail/atmail.log',
'atmail_root' => '/var/www',
'filter_trusted_networks' => '',
'ssl_certfile_pop3' => '/usr/local/psa/etc/httpsd.pem',
'ssl_certfile_imap' => '/usr/local/psa/etc/httpsd.pem',


If it doesn't work after this, and you get the error "Error: Password file could not be found" then you need to edit /etc/httpd/conf.d/zzz_atmail_vhost.conf AND /etc/psa-webmail/atmail/atmail_vhost.conf (so it regenerates properly when requested) and add /etc/psa-webmail/atmail to the open_basedir values (There are two). Remember they're separated by colons.


Post subject: Re: Atmail 1.05 for Plesk 9.x
Posted: Sat Apr 28, 2012 11:04 pm
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 4009
Location: Chantilly, VA
Quote:
One of the reasons I am requesting this is:

http://www.kb.cert.org/vuls/id/743555

Vulnerability Note VU#743555


All systems with ASL installed, and anyone using our realtime or delayed rules were already immune to this entire class of vulnerabilities. You do not have to upgrade atmail.

If you are using ASL, or our realtime or even delayed rules you are completely immune to this vulnerability and already were. In fact, the rules have protected against this class of vulnerabilities since we first started putting out rules, which was many many years ago. So you do not need to install this upgrade.

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.


Post subject: Re: Atmail 1.05 for Plesk 9.x
Posted: Mon Apr 30, 2012 12:45 pm
Atomicorp Staff - Site Admin

Joined: Wed Dec 31, 1969 8:00 pm
Posts: 8313
Location: earth
Thanks for the follow up, looks like I had uncommented the patch against the config when it was building. -2 is going up into the repo now.


Post subject: Re: Atmail 1.05 for Plesk 9.x
Posted: Mon Apr 30, 2012 6:55 pm
Forum Regular

Joined: Tue Aug 05, 2008 5:01 pm
Posts: 111
Scott, I upgraded but now it's asking for a passwd

Error: Password file could not be found


Post subject: Re: Atmail 1.05 for Plesk 9.x
Posted: Mon Apr 30, 2012 10:23 pm
Forum User

Joined: Mon Jan 09, 2006 4:02 pm
Posts: 52
diego wrote:
Scott, I upgraded but now it's asking for a passwd

Error: Password file could not be found


The very bottom of my post above should fix that.


Post subject: Re: Atmail 1.05 for Plesk 9.x
Posted: Mon Apr 30, 2012 11:55 pm
Forum Regular

Joined: Tue Aug 05, 2008 5:01 pm
Posts: 111
jas8522: I don't know what to edit on the files you mention. Can you be a little more specific on how they should look?

Thank you.


Post subject: Re: Atmail 1.05 for Plesk 9.x
Posted: Tue May 01, 2012 11:34 am
Forum User

Joined: Mon Jan 09, 2006 4:02 pm
Posts: 52
diego wrote:
jas8522: I don't know what to edit on the files you mention. Can you be a little more specific on how they should look?

Thank you.


Sure! Best way to proceed:

Edit: /etc/psa-webmail/atmail/atmail_vhost.conf and look for this line:

Code:
php_admin_value open_basedir "@WEBMAIL_DOCROOT@:/var/log/atmail:/etc/psa:/tmp:/var/tmp:/etc/psa-webmail/atmail"


You will see it twice. Be sure to append the ":/etc/psa-webmail/atmail" like you see above. This will set it properly for the template, but it will *not* make it live. To do that, this should work:

Code:
/usr/local/psa/admin/bin/websrvmng -a


Check to see if the template was pushed to your atmail configuration file by running this:

Code:
grep open_basedir /etc/httpd/conf.d/zzz_atmail_vhost.conf


If you see the ":/etc/psa-webmail/atmail" portion appended to the open_basedir line that this last command presents to you, then simply restart apache to apply it:

Code:
/sbin/service httpd restart


If not, edit that file as well and manually insert it in the same way you did to the template file, then restart apache.
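
The check in the steps above (and the open_basedir note at the end of the earlier Config.php post), as an added example that is not part of the original posts: a shell function that reports, per directive, whether a directory is listed as a whole colon-separated entry, so a file updated in only one of its two places is caught. The function names, the sample vhost content and the assumption that the value is double-quoted (as in the line quoted above) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): confirm that every open_basedir
# directive in a vhost file lists a directory as an exact colon-separated entry.

# check_open_basedir FILE DIR
# Prints "line N: OK" or "line N: MISSING DIR" per directive.
# Returns 0 if every directive lists DIR, 1 if any lacks it, 2 if none exist.
check_open_basedir() {
    awk -v want="$2" '
        # Only live directives; commented-out lines do not match.
        /^[ \t]*php_admin_value[ \t]+open_basedir[ \t]/ {
            found++
            value = $0
            sub(/^[^"]*"/, "", value)   # strip up to the opening quote
            sub(/".*$/, "", value)      # strip the closing quote onward
            n = split(value, parts, ":")
            ok = 0
            for (i = 1; i <= n; i++)
                if (parts[i] == want) ok = 1   # whole entry, not a substring
            if (ok) print "line " NR ": OK"
            else { print "line " NR ": MISSING " want; missing++ }
        }
        END {
            if (!found) { print "no open_basedir directive found"; exit 2 }
            exit (missing ? 1 : 0)
        }
    ' "$1"
}

# Constructed sample: the directive appears twice, only the first was updated.
sample_vhost() {
    cat <<'EOF'
<VirtualHost *:80>
    php_admin_value open_basedir "/var/www/atmail:/var/log/atmail:/etc/psa:/tmp:/var/tmp:/etc/psa-webmail/atmail"
</VirtualHost>
<VirtualHost *:443>
    php_admin_value open_basedir "/var/www/atmail:/var/log/atmail:/etc/psa:/tmp:/var/tmp"
</VirtualHost>
EOF
}

tmp=$(mktemp)
sample_vhost > "$tmp"
check_open_basedir "$tmp" /etc/psa-webmail/atmail || echo "needs fixing (status $?)"
rm -f "$tmp"
```

Run it against both the template and the generated zzz_atmail_vhost.conf before restarting Apache; a non-zero status means at least one directive still lacks the directory.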


Post subject: Re: Atmail 1.05 for Plesk 9.x
Posted: Wed May 02, 2012 10:43 pm
Forum User

Joined: Sun Sep 12, 2010 4:15 am
Posts: 8
That fix worked awesome.

Thanks Scott for updating 1.05 and thanks jas8522 for the fix for the password issue. The fix you posted worked perfectly.

