Page 2 of 2
Re: Horde webmail plesk 10.2
Posted: Mon Jul 25, 2011 2:03 pm
by DarkF@der
Thanks for this example
Re: Horde webmail plesk 10.2
Posted: Wed Jul 27, 2011 11:42 pm
by inquis
I am slowly understanding this but which but relates to unblocking imap through a new firewall rule.
Sorry if you can explain what to do and why really basically i would appreciate it.
Apologies in advance, as i am at the back of the class but curious to get more involved in this.
Thanks
Re: Horde webmail plesk 10.2
Posted: Thu Jul 28, 2011 12:09 pm
by mikeshinn
I am slowly understanding this but which but relates to unblocking imap through a new firewall rule.
I'm not sure I understand your question, could you clarify?
Re: Horde webmail plesk 10.2
Posted: Thu Jul 28, 2011 12:47 pm
by inquis
mikeshinn wrote:I am slowly understanding this but which but relates to unblocking imap through a new firewall rule.
I'm not sure I understand your question, could you clarify?
mikeshinn wrote:I cant speak for APF, and not sure if it could do, but you would want to create iptables rules that limit the output to just those userids that would normally do this. For example, to limit outbound SMTP to just qmail and postfix, you would add rules like there:
iptables -I OUTPUT -p tcp --dport 25 -m owner --uid-owner qmail -j ACCEPT
iptables -I OUTPUT -p tcp --dport 25 -m owner --uid-owner postfix -j ACCEPT
iptables -I OUTPUT -p tcp --dport 25 -m owner --uid-owner root -j ACCEPT
iptables -I OUTPUT -p tcp --dport 25 -d 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 25 -j LOG_SMTP_OUT
iptables -A LOG_SMTP_OUT -m limit --limit 1/second -j LOG --log-level info --log-prefix "Unauth-SMTP " --log-tcp-sequence --log-tcp-options --log-ip-options
iptables -A LOG_SMTP_OUT -j REJECT
The format of a rule that is limited to a user is:
iptables -I OUTPUT -p PROTOCOL --dport PORT -m owner --uid-owner USERNAME -j ACCEPT
Where PROTOCOL would probably almost always be "tcp", except maybe in the case of DNS when it would be "udp".
PORT is the outbound port, 25 for SMTP, 80 for HTTP, etc.
and USERNAME is the trusted non-malicious username, such as "qmail".
For other services, you would need to identify the user that would normally, and non-maliciously connect outbound and limit that port to that user.
Hi Mike,
sorry to be a pain, basically what I mean is my imap worked before and as per the thread after upgrading I cannot connect to IMAP.
Basically I wanted to get the firewall rule to enable IP's of my selection to connect to IMAP and access mail as per normal.
Re: Horde webmail plesk 10.2
Posted: Thu Jul 28, 2011 12:52 pm
by mikeshinn
sorry to be a pain, basically what I mean is my imap worked before and as per the thread after upgrading I cannot connect to IMAP.
Do you mean they cant connect to your IMAP service? If thats the issue, they you just need to open tcp ports 993 and 143 on your system to allow connections to your IMAP services. Although theres nothing in ASL that would change this, so I suspect you are not referring to your firewall rules.
If you mean that you have a web application, such as Horde, that can not "connect" to your IMAP services, then if you look at the earlier part of this forum thread you likely have a PHP function disabled that horde needs. If you look at the release notes for ASL 3.0 here:
https://www.atomicorp.com/wiki/index.ph ... ease_Notes
You'll see this note:
ASL 3.0 added two new high risk PHP functions: pfsockopen and fsockopen. These are disabled in PHP by default. If you have a web application that uses these functions, please ensure that you re-enable them. You can do so by changing these settings in ASL:
ALLOW_pfsockopen and ALLOW_fsockopen
to "yes"
As far as I know, horde needs the fsockopen function enabled. So log into ASL, click on the "Configuration" tab, scroll down to "ALLOW_fsockopen" and per the note above, set that to "yes". Then click the "Update" button. Horde might need pfsockopen too, not sure though, so if Horde still complains then try that too.
Also, PHP will always log if a function is not allowed. So check your apache error logs for any messages from PHP like this:
“Warning: fockopen() has been disabled for security reasons..”
So anytime you have a problem with a PHP application, always check your apache logs first. PHP will usually tell you whats wrong.
Re: Horde webmail plesk 10.2
Posted: Sun Jul 31, 2011 7:42 am
by inquis
i tried opening these two php functions and I still couldn't get in.
I will try this again later today and see if I can sort this out and I will report back
Re: Horde webmail plesk 10.2
Posted: Sun Jul 31, 2011 12:48 pm
by mikeshinn
i tried opening these two php functions and I still couldn't get in.
Check your apache logs too, if apache is configured to not do something (such as PHP being configured to not allow certain functions), it will log that error.