Atmail 1.05 for Plesk 9.x

Requests for RPMS, or new coding projects related to server administration, Plesk, security, or anything else you can think of.
onsightdata
Forum User
Posts: 8
Joined: Sun Sep 12, 2010 4:15 am

I see that Atmail Open 1.05 came out in December of 2011. Would it be possible to get this added to the atomic repo, please? The latest I have is psa-atmail-1.04-3.el5.art.noarch

So appreciate all the work that Atomicorp does!

Thanks,

*edit* I was going to add the link, http://atmail.org/download/atmailopen.tgz
onsightdata
Forum User
Posts: 8
Joined: Sun Sep 12, 2010 4:15 am

One of the reasons I am requesting this is:

http://www.kb.cert.org/vuls/id/743555

Vulnerability Note VU#743555

@Mail Open webmail client contains multiple vulnerabilities

Original Release date: 22 Mar 2012 | Last revised: 28 Mar 2012

Overview

The @Mail Open 1.04 webmail client contains multiple vulnerabilities including: unrestricted upload of file with dangerous type (CWE-434), relative path traversal (CWE-23), external control of file name or path (CWE-73), and information exposure (CWE-200).

Description

The @Mail Open 1.04 webmail client contains multiple vulnerabilities including the following
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Thanks for the heads up! psa-atmail 1.05 should be going out to the mirrors now.
onsightdata
Forum User
Posts: 8
Joined: Sun Sep 12, 2010 4:15 am

After doing the update:

All domains get this screen and it wants all the information to be entered.


Atmail Pre-installation check
Thank you for choosing Atmail Open, this easy to use Web-installer will guide you through configuring the software. The installation progress is displayed with a progress bar at the top right of the page. Completed steps appear black and the current step blue. You can return to any completed step by clicking on its box in the progress bar.
onsightdata
Forum User
Posts: 8
Joined: Sun Sep 12, 2010 4:15 am

I have no idea what the atmail database name is, nor the user and pass to do the setup. I had to downgrade back to 1.04 as I don't have the information to do the setup for 1.05.

Any help would be appreciated.
diego
Forum Regular
Posts: 111
Joined: Tue Aug 05, 2008 5:01 pm

Same issue here, does anyone have an update?
onsightdata
Forum User
Posts: 8
Joined: Sun Sep 12, 2010 4:15 am

Scott/Anyone

When doing the update to atmail 1.05, it goes to a setup screen which, after agreeing to the terms of use, takes you to a database setup screen. I am assuming there is already an atmail database that the previous versions used; however, I don't know how to find that out. Another option I was thinking of is that maybe there is a config file that I could just back up from the 1.04 install that contains the database settings, and then just copy that into the 1.05 install and be done with it.

jas8522
Forum User
Posts: 52
Joined: Mon Jan 09, 2006 4:02 pm

Looks like the rpm doesn't properly set up the config file for Plesk. Here's what I did to fix it. All of these edits are to be done to the file: /var/www/atmail/libs/Atmail/Config.php

Put this at top of file after <?php and before $pref = array(

```php
// get password from /etc/psa/webmail/atmail/.atmail.shadow
// Newer Plesk uses /etc/psa-webmail/atmail/.atmail.shadow
if (file_exists("/etc/psa/webmail/atmail/.atmail.shadow")) {
  $password_file = "/etc/psa/webmail/atmail/.atmail.shadow";
} elseif (file_exists("/etc/psa-webmail/atmail/.atmail.shadow")) {
  $password_file = "/etc/psa-webmail/atmail/.atmail.shadow";
} else {
  echo "Error: Password file could not be found\n";
  exit;
}

if (!($fd = fopen($password_file, "r"))) {
  echo "<script>alert('Unable to get webmail password!')</script>";
  exit();
}
// read the first whitespace-delimited token (the password) into $buff
fscanf($fd, "%s", $buff);
fclose($fd);
```
Then set the following settings:

```php
'sql_user' => 'atmail',
'sql_pass' => preg_replace("/\n/", "", $buff), // no quotes around this value
'plesk' => 1,
'installed' => 1,
'domain' => '',
'smtphost' => 'localhost',
'install_dir' => '/var/www/atmail',
'user_dir' => '/var/www/atmail/users',
'popimap_debug_file' => '/var/log/atmail/popimap_debug.log',
'error_log' => '/var/log/atmail/atmail.log',
'atmail_root' => '/var/www',
'filter_trusted_networks' => '',
'ssl_certfile_pop3' => '/usr/local/psa/etc/httpsd.pem',
'ssl_certfile_imap' => '/usr/local/psa/etc/httpsd.pem',
```
If it doesn't work after this, and you get the error "Error: Password file could not be found" then you need to edit /etc/httpd/conf.d/zzz_atmail_vhost.conf AND /etc/psa-webmail/atmail/atmail_vhost.conf (so it regenerates properly when requested) and add /etc/psa-webmail/atmail to the open_basedir values (There are two). Remember they're separated by colons.
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

One of the reasons I am requesting this is:

http://www.kb.cert.org/vuls/id/743555

Vulnerability Note VU#743555
All systems with ASL installed, and anyone using our realtime or delayed rules were already immune to this entire class of vulnerabilities. You do not have to upgrade atmail.

If you are using ASL, or our realtime or even delayed rules you are completely immune to this vulnerability and already were. In fact, the rules have protected against this class of vulnerabilities since we first started putting out rules, which was many many years ago. So you do not need to install this upgrade.
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Thanks for the follow up, looks like I had uncommented the patch against the config when it was building. -2 is going up into the repo now.
diego
Forum Regular
Posts: 111
Joined: Tue Aug 05, 2008 5:01 pm

Scott, I upgraded but now it's asking for a passwd

Error: Password file could not be found
jas8522
Forum User
Posts: 52
Joined: Mon Jan 09, 2006 4:02 pm

diego wrote: Scott, I upgraded but now it's asking for a passwd

Error: Password file could not be found
The very bottom of my post above should fix that.
diego
Forum Regular
Posts: 111
Joined: Tue Aug 05, 2008 5:01 pm

jas8522: I don't know what to edit on the files you mention. Can you be a little more specific on how they should look.

Thank you.
jas8522
Forum User
Posts: 52
Joined: Mon Jan 09, 2006 4:02 pm

diego wrote: jas8522: I don't know what to edit on the files you mention. Can you be a little more specific on how they should look.

Thank you.
Sure! Best way to proceed:

Edit: /etc/psa-webmail/atmail/atmail_vhost.conf and look for this line:

```apache
php_admin_value open_basedir "@WEBMAIL_DOCROOT@:/var/log/atmail:/etc/psa:/tmp:/var/tmp:/etc/psa-webmail/atmail"
```
You will see it twice. Be sure to append the ":/etc/psa-webmail/atmail" like you see above. This will set it properly for the template, but it will *not* make it live. To do that, this should work:

```sh
/usr/local/psa/admin/bin/websrvmng -a
```
Check to see if the template was pushed to your atmail configuration file by running this:

```sh
grep open_basedir /etc/httpd/conf.d/zzz_atmail_vhost.conf
```
If you see the ":/etc/psa-webmail/atmail" portion appended to the open_basedir line that this last command presents to you, then simply restart apache to apply it:

```sh
/sbin/service httpd restart
```
If not, edit that file as well and manually insert it in the same way you did to the template file, then restart apache.
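
The open_basedir edit described in the posts above (append the directory to both lines, then confirm it took effect), as an added example that is not part of the thread or of Atomicorp's packaging. It appends the directory only where it is missing as an exact list entry and counts the lines that still lack it; the function names and the sample vhost text are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: append DIR to every quoted
# "php_admin_value open_basedir" value in a vhost file, skipping lines that
# already list it, and count the lines that still lack it.

# basedir_awk MODE FILE DIR  (MODE is "fix" or "check"; FILE is never modified)
basedir_awk() {
    awk -v mode="$1" -v dir="$3" '
    /^[ \t]*php_admin_value[ \t]+open_basedir[ \t]/ {
        q1 = index($0, "\"")                 # opening quote
        rest = substr($0, q1 + 1)
        q2 = index(rest, "\"")               # closing quote, relative to rest
        if (q1 > 0 && q2 > 0) {
            value = substr(rest, 1, q2 - 1)  # colon-separated path list
            n = split(value, part, ":")
            found = 0
            for (i = 1; i <= n; i++) if (part[i] == dir) found = 1
            if (!found) {
                missing++
                if (mode == "fix")
                    $0 = substr($0, 1, q1) value ":" dir substr(rest, q2)
            }
        }
    }
    mode == "fix" { print }
    END { if (mode == "check") print missing + 0 }
    ' "$2"
}

# Print FILE with DIR appended wherever it is missing.
add_basedir()   { basedir_awk fix   "$1" "$2"; }
# Print how many open_basedir lines in FILE do not list DIR.
count_missing() { basedir_awk check "$1" "$2"; }

# Constructed sample: the template line from the post before the fix,
# appearing twice as the post says it does.
make_sample() {
    cat <<'EOF'
<VirtualHost *:80>
    php_admin_value open_basedir "@WEBMAIL_DOCROOT@:/var/log/atmail:/etc/psa:/tmp:/var/tmp"
</VirtualHost>
<VirtualHost *:443>
    php_admin_value open_basedir "@WEBMAIL_DOCROOT@:/var/log/atmail:/etc/psa:/tmp:/var/tmp"
</VirtualHost>
EOF
}
```

Write the output of `add_basedir` to a new file and diff it against the template before installing it; `count_missing` on /etc/httpd/conf.d/zzz_atmail_vhost.conf should print 0 once the template has been pushed.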
onsightdata
Forum User
Posts: 8
Joined: Sun Sep 12, 2010 4:15 am

That fix worked awesome.

Thanks Scott for updating 1.05 and thanks jas8522 for the fix for the password issue. The fix you posted worked perfectly.