Messages - Vinayak

1
Information / Re: Roundcube big security issue.
« on: July 28, 2023, 11:17:19 PM »
cd /scripts
./mail_roundcube_update
Note that you don't want to do this if you've manually updated to roundcube 1.5.3 per Sandeep's instructions. The "logic" of the roundcube update script does not take into account the currently installed version and will merrily blow away a newer 1.5.x install and install 1.4.11 instead.

Thanks for the heads up, but mine is default setup, webmail is running fine.

As per my earlier post result of
cd /scripts
./mail_roundcube_update
Was
Roundcube is already up-to-date

Current version is
Roundcube Webmail IMAP Client
Version 1.4.11

And these URLs are not secure, all servers are exposed.
https://cpanel.domain.com/roundcube/logs/errors.log
https://cpanel.domain.com/webmail/logs/errors.log

https://host.domain.com:2031/roundcube/logs/errors.log
https://webmail.domain.com//logs/errors.log

Entry in /usr/local/cwpsrv/var/services/roundcube/logs/.htaccess

# deny webserver access to this directory
<ifModule mod_authz_core.c>
    Require all denied
</ifModule>
<ifModule mod_authz_core.c>
    Deny from all
</ifModule>

Owner & group for /usr/local/cwpsrv/var/services/roundcube/logs/ and all files within.
Owner: cwpsvc
Group: cwpsvc
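
A check for the exposure reported in these posts, as an added example that is not part of the original posts or of CWP: it requests the log paths quoted above under each base URL passed to it and flags any that are actually served. The function names, verdict labels and timeout are assumptions of this example.

```python
import http.client
import sys
import urllib.error
import urllib.request

# Paths copied from the URLs quoted in the posts above.
LOG_PATHS = ("/roundcube/logs/errors.log", "/webmail/logs/errors.log",
             "/logs/errors.log")

# Ignore proxy settings so the request goes straight to the server under test.
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def probe(url, timeout=5):
    """Return (status, final_url); status is None if the request failed."""
    try:
        with _OPENER.open(url, timeout=timeout) as resp:
            return resp.status, resp.geturl()
    except urllib.error.HTTPError as exc:  # 4xx/5xx responses carry a status
        return exc.code, url
    except (OSError, http.client.HTTPException):  # DNS, TCP, TLS, bad reply
        return None, url


def audit(base_urls, paths=LOG_PATHS):
    """Return (url, status, verdict) for each base URL and log path."""
    findings = []
    for base in base_urls:
        for path in paths:
            url = base.rstrip("/") + path
            status, final_url = probe(url)
            if status is None:
                verdict = "unreachable"
            elif 200 <= status < 300 and final_url == url:
                verdict = "EXPOSED"      # the log file itself was served
            elif status in (401, 403, 404):
                verdict = "blocked"
            else:
                verdict = "review"       # redirect, 5xx or other response
            findings.append((url, status, verdict))
    return findings


if __name__ == "__main__":
    # Usage: python3 check_logs.py https://cpanel.domain.com https://host.domain.com:2031
    results = audit(sys.argv[1:])
    for url, status, verdict in results:
        print(f"{verdict:<12}{status!s:<6}{url}")
    sys.exit(1 if any(v == "EXPOSED" for _, _, v in results) else 0)
```

Certificate verification stays on, so a panel hostname with a self-signed certificate is reported as unreachable rather than blocked. Run it again after any permission or configuration change to confirm every path has moved from EXPOSED to blocked.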

2
Information / Re: Roundcube big security issue.
« on: July 28, 2023, 08:52:22 PM »
Some additional information

This too is not secure
https://host.domain.com:2031/roundcube/logs/errors.log

And is this Owner/Group correct? Because whatever domain is used, same errors.log get downloaded.
Quote
Owner: cwpsvc
Group: cwpsvc
/usr/local/cwpsrv/var/services/roundcube/logs/errors.log

And this is happening in multiple servers, not just one.

3
Information / Re: Roundcube big security issue.
« on: July 28, 2023, 08:34:40 PM »
Just checked a couple domains.
Got either a permission denied by cwpsrv or a 403.

Hop into the CLI via SSH or Terminal

cd /scripts
./mail_roundcube_update
exit


Then in CWP, go to User Accounts -> Fix Permissions

Select the user (domain)
Check -> Fix Permissions
Check -> Internal Server Error

Followed above suggestion to the letter, but no use.

Some additional info.

Quote
cd /scripts
./mail_roundcube_update
Last metadata expiration check: 0:13:24 ago on Sat Jul 29 01:45:42 2023.
Dependencies resolved.
Nothing to do.
Complete!


###############################
Roundcube is already up-to-date
###############################

AlmaLinux release 8.8
CWPpro version: 0.9.8.1160

4
Information / Roundcube big security issue.
« on: July 28, 2023, 08:04:51 AM »
How do we secure these logs

https://cpanel.domain.com/roundcube/logs/errors.log
https://cpanel.domain.com/webmail/logs/errors.log

And all other files within the logs folder.

Anyone visiting above URLs (replace domain.com with your actual domain) can download these log files and use them for exploitation.

I can see there is one .htaccess file, but it's not being honoured by the cwp webserver, in my case Apache.

5
DKIM / Re: How to implement 2048 bit DKIM keys on CWP servers.
« on: March 20, 2023, 04:03:30 AM »
When setting up an account/domain, what part/script of CWP handles generation and setting up of DKIM?

I would like CWP to automatically generate/implement 2048 bit DKIM keys by default.

Also is there a way to replace all existing 1024 bit records with 2048 bit DKIM keys?

6
DKIM / Re: How to implement 2048 bit DKIM keys on CWP servers.
« on: March 19, 2023, 05:52:13 AM »
My question is not about installing and configuring DKIM, my question is about how to implement 2048 bit DKIM keys by default on Control Web Panel servers.

7
DKIM / How to implement 2048 bit DKIM keys on CWP servers.
« on: March 09, 2023, 04:59:12 PM »
Any documentation or know how for implementing 2048 bit DKIM keys by default on Control Web Panel servers?

National Institute of Standards and Technology (NIST) recommends 2048 bit keys for DomainKeys Identified Mail (DKIM), so does a client of mine on a CWP VPS dedicated to this client only.

So is there a way to make 2048 bit DKIM keys installed by default on all accounts?

8
So, I submitted a ticket for this issue, I was told this could be due to forwarders, forwarders/alias may be having some restricted special character or something due to which, this is happening.

In my case it was a cPanel to CWP migration.

I took a backup of forwarders, alias table in postfix database (use phpMyAdmin or from command line).

Deleted all forwarders from admin panel as suggested by support and list email accounts in user panel started working.

Added forwarders back, manually this time, all is working fine.

Hopefully this may help someone facing similar issue.

9
Though this thread is quite old, some may still be following it to the letter or taking it as reference, hence I would like to add that if you set

Header always set X-Frame-Options DENY
Roundcube webmail will stop loading the reading pane, user will be able to login, but reading pane will not load, you may get error as "connection refused" or "this site can not be loaded".

To avoid the issue or to fix it, better use

Header always set X-Frame-Options SAMEORIGIN

10
Did you ever find a solution to this issue?

11
CentOS-WebPanel Bugs / Re: User password limitation?
« on: June 06, 2022, 10:07:33 PM »
Noted.

A suggestion, these instructions should be there in proper place, where user takes action.

12
CentOS-WebPanel Bugs / User password limitation?
« on: May 28, 2022, 11:36:17 PM »
Just now I found that password for user can not have this special character
~
no warning, account creation or password change finishes with success message, but login won't work.

Any other such known limitations?
List of special characters that won't work?

My setup:-
CWPpro version: 0.9.8.1139
Distro Name: AlmaLinux release 8.6 (Sky Tiger)

13
CentOS-WebPanel Bugs / Re: Problem with user panel
« on: May 28, 2022, 11:27:14 PM »
Which module?

14
E-Mail / Re: Cant add autoresponder
« on: May 06, 2022, 11:31:04 AM »
This issue still exists, can add autoresponder as root or as user, but can not update/modify any of the existing one.

Gives "Error writing to DB"

15
CentOS 7 Problems / Re: Cron Run Problem - Manual Run
« on: April 10, 2022, 12:53:46 AM »
Same here, user cron is not running in Pro version.

Another issue is different PHP version for website & cron.
