Atmail 1.05 for Plesk 9.x
-
- Forum User
- Posts: 8
- Joined: Sun Sep 12, 2010 4:15 am
Atmail 1.05 for Plesk 9.x
I see that atmail open 1.05 came out in December of 2011. Would it be possible to get this added to the atomic repo, please? The latest I have is psa-atmail-1.04-3.el5.art.noarch
So appreciate all the work that Atomiccorp does!
Thanks,
*edit* I was going to add the link, http://atmail.org/download/atmailopen.tgz
-
- Forum User
- Posts: 8
- Joined: Sun Sep 12, 2010 4:15 am
Re: Atmail 1.05 for Plesk 9.x
One of the reasons I am requesting this is:
http://www.kb.cert.org/vuls/id/743555
Vulnerability Note VU#743555
@Mail Open webmail client contains multiple vulnerabilities
Original Release date: 22 Mar 2012 | Last revised: 28 Mar 2012
Overview
The @Mail Open 1.04 webmail client contains multiple vulnerabilities including; unrestricted upload of file with dangerous type (CWE-434), relative path traversal (CWE-23), external control of file name or path (CWE-73), and information exposure (CWE-200).
Description
The @Mail Open 1.04 webmail client contains multiple vulnerabilities including the following
-
- Atomicorp Staff - Site Admin
- Posts: 8355
- Joined: Wed Dec 31, 1969 8:00 pm
- Location: earth
- Contact:
Re: Atmail 1.05 for Plesk 9.x
Thanks for the heads up! psa-atmail 1.05 should be going out to the mirrors now.
-
- Forum User
- Posts: 8
- Joined: Sun Sep 12, 2010 4:15 am
Re: Atmail 1.05 for Plesk 9.x
After doing the update:
All domains get this screen and it wants all the information to be entered.
Atmail Pre-installation check
Thank you for choosing Atmail Open, this easy to use Web-installer will guide you through configuring the software. The installation progress is displayed with a progress bar at the top right of the page. Completed steps appear black and the current step blue. You can return to any completed step by clicking on its box in the progress bar.
-
- Forum User
- Posts: 8
- Joined: Sun Sep 12, 2010 4:15 am
Re: Atmail 1.05 for Plesk 9.x
I have no idea what the atmail database name is, nor the user and pass to do the setup. I had to downgrade back to 1.04 as I don't have the information to do the setup for 1.05.
Any help would be appreciated.
Re: Atmail 1.05 for Plesk 9.x
Same issue here, does anyone have an update?
-
- Forum User
- Posts: 8
- Joined: Sun Sep 12, 2010 4:15 am
Re: Atmail 1.05 for Plesk 9.x
Scott/Anyone
When doing the update to atmail 1.05, it goes to a setup screen which, after agreeing to the terms of use, takes you to a database setup screen. I am assuming there is already an atmail database that the previous versions used, however I don't know how to find that out. Another option I was thinking of is that maybe there is a config file that I could just back up from the 1.04 install that contains the database settings and then just copy that into the 1.05 install and be done with it.
Re: Atmail 1.05 for Plesk 9.x
Looks like the rpm doesn't properly set up the config file for Plesk. Here's what I did to fix it. All of these edits are to be done to the file: /var/www/atmail/libs/Atmail/Config.php
Put this at top of file after <?php and before $pref = array(
Code: Select all
// get password from /etc/psa/webmail/atmail/.atmail.shadow
// Newer Plesk uses /etc/psa-webmail/atmail/.atmail.shadow
if (file_exists("/etc/psa/webmail/atmail/.atmail.shadow")) {
    $password_file = "/etc/psa/webmail/atmail/.atmail.shadow";
} elseif (file_exists("/etc/psa-webmail/atmail/.atmail.shadow")) {
    $password_file = "/etc/psa-webmail/atmail/.atmail.shadow";
} else {
    echo "Error: Password file could not be found\n";
    exit;
}
if (!($fd = fopen($password_file, "r"))) {
    echo "<script>alert('Unable to get webmail password!')</script>";
    exit();
}
fscanf($fd, "%s", $buff);
fclose($fd);
Then set the following settings:
Code: Select all
'sql_user' => 'atmail'
'sql_pass' => preg_replace("/\n/", "", $buff) [NO QUOTES]
'plesk' => 1
'installed' => 1
'domain' => ''
'smtphost' => 'localhost'
'install_dir' => '/var/www/atmail'
'user_dir' => '/var/www/atmail/users'
'popimap_debug_file' => '/var/log/atmail/popimap_debug.log'
'error_log' => '/var/log/atmail/atmail.log'
'atmail_root' => '/var/www'
'filter_trusted_networks' => ''
'ssl_certfile_pop3' => '/usr/local/psa/etc/httpsd.pem'
'ssl_certfile_imap' => '/usr/local/psa/etc/httpsd.pem'
If it doesn't work after this, and you get the error "Error: Password file could not be found" then you need to edit /etc/httpd/conf.d/zzz_atmail_vhost.conf AND /etc/psa-webmail/atmail/atmail_vhost.conf (so it regenerates properly when requested) and add /etc/psa-webmail/atmail to the open_basedir values (There are two). Remember they're separated by colons.
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4149
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: Atmail 1.05 for Plesk 9.x
"One of the reasons I am requesting this is:
http://www.kb.cert.org/vuls/id/743555
Vulnerability Note VU#743555"
All systems with ASL installed, and anyone using our realtime or delayed rules were already immune to this entire class of vulnerabilities. You do not have to upgrade atmail.
If you are using ASL, or our realtime or even delayed rules you are completely immune to this vulnerability and already were. In fact, the rules have protected against this class of vulnerabilities since we first started putting out rules, which was many many years ago. So you do not need to install this upgrade.
Michael Shinn
Atomicorp - Security For Everyone
-
- Atomicorp Staff - Site Admin
- Posts: 8355
- Joined: Wed Dec 31, 1969 8:00 pm
- Location: earth
- Contact:
Re: Atmail 1.05 for Plesk 9.x
Thanks for the follow up, looks like I had uncommented the patch against the config when it was building. -2 is going up into the repo now.
Re: Atmail 1.05 for Plesk 9.x
Scott, I upgraded but now it's asking for a passwd
Error: Password file could not be found
Re: Atmail 1.05 for Plesk 9.x
diego wrote:
Scott, I upgraded but now it's asking for a passwd
Error: Password file could not be found

The very bottom of my post above should fix that.
Re: Atmail 1.05 for Plesk 9.x
jas8522: I don't know what to edit on the files you mention. Can you be a little more specific on how they should look?
Thank you.
Re: Atmail 1.05 for Plesk 9.x
diego wrote:
jas8522: I don't know what to edit on the files you mention. Can you be a little more specific on how they should look?
Thank you.

Sure! Best way to proceed:
Edit: /etc/psa-webmail/atmail/atmail_vhost.conf and look for this line:
Code: Select all
php_admin_value open_basedir "@WEBMAIL_DOCROOT@:/var/log/atmail:/etc/psa:/tmp:/var/tmp:/etc/psa-webmail/atmail"
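Code: Select all
# Regenerate the web server configuration from the Plesk templates
/usr/local/psa/admin/bin/websrvmng -a
Code: Select all
# Check that the generated vhost file now carries the new open_basedir value
cat /etc/httpd/conf.d/zzz_atmail_vhost.conf | grep open_basedir
Code: Select all
# Restart Apache so the change takes effect
/sbin/service httpd restart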
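The open_basedir edit described in the two posts above can be applied idempotently. This is an added example, not part of any forum post and not Atomicorp's packaging script; the function names `ensure_basedir` and `write_sample` are hypothetical and the vhost fragment is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread). Appends DIR to every
# "php_admin_value open_basedir" list in FILE that lacks it and prints how many
# directives were changed. Entries are compared whole, split on ":", so a
# look-alike such as /etc/psa-webmail/atmail-old does not count as present.
ensure_basedir() {
    dir=$1; file=$2
    tmp=$(mktemp) || return 1
    changed=$(awk -v dir="$dir" -v out="$tmp" '
        /^[ \t]*php_admin_value[ \t]+open_basedir[ \t]+"/ {
            q1   = index($0, "\"")            # opening quote of the list
            rest = substr($0, q1 + 1)
            q2   = index(rest, "\"")          # closing quote of the list
            if (q2 > 0) {
                list = substr(rest, 1, q2 - 1)
                n = split(list, parts, ":")
                found = 0
                for (i = 1; i <= n; i++) if (parts[i] == dir) found = 1
                if (!found) {
                    list = (list == "") ? dir : list ":" dir
                    $0 = substr($0, 1, q1) list substr(rest, q2)
                    count++
                }
            }
        }
        { print > out }
        END { print count + 0 }
    ' "$file") || { rm -f "$tmp"; return 1; }
    # Write through the existing file so its owner and mode are kept.
    cat "$tmp" > "$file" && rm -f "$tmp"
    echo "$changed"
}

# Constructed sample with the two directives the thread mentions.
write_sample() {
    cat > "$1" <<'EOF'
<VirtualHost *:80>
    php_admin_value open_basedir "@WEBMAIL_DOCROOT@:/var/log/atmail:/etc/psa:/tmp:/var/tmp"
</VirtualHost>
<VirtualHost *:443>
    php_admin_value open_basedir "@WEBMAIL_DOCROOT@:/var/log/atmail:/etc/psa:/tmp:/var/tmp"
</VirtualHost>
EOF
}

demo=$(mktemp)
write_sample "$demo"
echo "first run changed:  $(ensure_basedir /etc/psa-webmail/atmail "$demo")"
echo "second run changed: $(ensure_basedir /etc/psa-webmail/atmail "$demo")"
rm -f "$demo"
```

On a real server the function would be pointed at a backed-up copy of the vhost template first; the regenerate and restart commands from the post still have to be run afterwards.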
-
- Forum User
- Posts: 8
- Joined: Sun Sep 12, 2010 4:15 am
Re: Atmail 1.05 for Plesk 9.x
That fix worked awesome.
Thanks Scott for updating 1.05 and thanks jas8522 for the fix for the password issue. The fix you posted worked perfect.