RE: Roundcube
> > I am running roundcube and dovecot on the same machine. To avoid the > described scenario, I have: > > 1. Enabled and configured selinux on that machine, > 2. Enabled mail-crypt plugin with user keys in dovecot. > > This should make it hard for an attacker to get access to the emails > even with root access gained through a compromised web server. > That depends on your selinux rules. If you want to go a little further. Use podman/docker to run roundcube and run it as a seperate user and give the container bind low port capabilities. I think docker/podman support this. Just in case juse separate uids with containers. ___ dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-le...@dovecot.org
Re: Roundcube
On 2023-09-08, Robert Senger wrote: > I am running roundcube and dovecot on the same machine. To avoid the > described scenario, I have: > > 1. Enabled and configured selinux on that machine, yes selinux is a must have > 2. Enabled mail-crypt plugin with user keys in dovecot. > > This should make it hard for an attacker to get access to the emails > even with root access gained through a compromised web server. mail-crypt is useful if attacker get access to the mails but not to the keys. If you store mails on the same system it's useless ___ dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-le...@dovecot.org
Re: Roundcube
I am running roundcube and dovecot on the same machine. To avoid the described scenario, I have: 1. Enabled and configured selinux on that machine, 2. Enabled mail-crypt plugin with user keys in dovecot. This should make it hard for an attacker to get access to the emails even with root access gained through a compromised web server. Am I right? :) Am Freitag, dem 08.09.2023 um 06:50 +0800 schrieb jeremy ardley via dovecot: > > On 8/9/23 05:00, joe a wrote: > > Any known issues with installing/running roundcube and dovecot on > > the > > same server? > > > There is a generic issue with doing this. That is if you have > roundcube > (or any other web mail interface) on the same server as dovecot, a > breach of the web interface could be quite serious and allow access > to > the complete mail store. > > A better configuration is to run the web mail interface on an > isolated > server and get it to communicate using TLS imap with a remote dovecot > service. > > For economy, you could do this on the same machine using a small > virtual > server to run roundcube > > ___ > dovecot mailing list -- dovecot@dovecot.org > To unsubscribe send an email to dovecot-le...@dovecot.org -- -- Robert Senger ___ dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-le...@dovecot.org
Re: Roundcube
Hi Joe, The only issue I had, is that for cryptic reasons (FreeBSD 13-STABLE) "localhost" did not resolve, I had too replace it with "127.0.0.1" But YMMV Regards, Xavier Le 9/7/23 23:00, joe a a écrit : Any known issues with installing/running roundcube and dovecot on the same server? ___ dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-le...@dovecot.org -- Xavier HUMBERT 2 rue des Patureaux 54460 AINGERAY / FRANCE Tél +33 6 71 17 29 07 Dom +33 9 51 00 37 63 OpenPGP_signature.asc Description: OpenPGP digital signature ___ dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-le...@dovecot.org
Re: Roundcube
On 9/7/2023 17:00:51, joe a wrote: Any known issues with installing/running roundcube and dovecot on the same server? ___ dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-le...@dovecot.org Placing roundcube on its own server was one consideration, security breach being one concern. Interesting to see such differing opinions. joe a. ___ dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-le...@dovecot.org
Re: Roundcube
El 8/9/23 a les 11:59, Marc ha escrit: Since when does a hacked website gain root? What argument is next, when your storage solution is hacked they have access to your files? Are you not working with linux? How frequent are exploits that give you a root. I was responding to jeremy ardley considering root access gained. Apart from this privilege escalation is a real threat: https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=privilege+escalation This link is crap, did you even read a few items on this page? Put then a link to the apache httpd root access. Fact still remains that nobody here on this list has eternal life nor eternal resources, so you would be stupid to focus on your webserver root access exploit instead of roundcube. Next to that, it is more common these days to use containers so there is not even a webserver that runs root. ___ dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-le...@dovecot.org If roundcube/dovecot is in discussion, we can't assume the rest of environment i secure and well-configured: Webserver, Kernel, DB server, etc. Then we need to work on good measures to not rely on "everything will be optimal because everybody did a good job". And we can't assume Rouncube is perfect, same as Dovecot. Give time to time. -- __ I'm using this express-made address because personal addresses aren't masked enough at this mail public archive. Public archive administrator should fix this against automated addresses collectors. ___ dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-le...@dovecot.org
RE: Roundcube
> > Since when does a hacked website gain root? What argument is next, when > your > > storage solution is hacked they have access to your files? Are you not > working > > with linux? How frequent are exploits that give you a root. > > I was responding to jeremy ardley considering root access gained. > > Apart from this privilege escalation is a real threat: > https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=privilege+escalation > This link is crap, did you even read a few items on this page? Put then a link to the apache httpd root access. Fact still remains that nobody here on this list has eternal life nor eternal resources, so you would be stupid to focus on your webserver root access exploit instead of roundcube. Next to that, it is more common these days to use containers so there is not even a webserver that runs root. ___ dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-le...@dovecot.org
RE: Roundcube
> > A web search on 'linux web server exploits that gain root' will give > many examples. No, not. And you better get your info for this type of stuff from cve websites or apache vulnerability list. > Security design by first principle assumes that an attacker will gain > root access. I would not know. Logical deduction of the topic question 'when roundcube gets hacked' does not include all this. The OP is correct with his question. The risk of having an undetected exploit in roundcube code is probably >1x than something with the webserver software. > Best practise is to limit the damage that can cause. The usual way to > limit it is put all public facing systems in a DMZ and have a very > carefully controlled access from them to an internal priavte network. > The access control is performed by systems that cannot be controlled by > a breached public facing server. e.g. router firewalls,. > How does stating something so obvious but irrelevant contribute? ___ dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-le...@dovecot.org
Re: Roundcube
On 2023-09-08, Marc wrote: > Since when does a hacked website gain root? What argument is next, when your > storage solution is hacked they have access to your files? Are you not working > with linux? How frequent are exploits that give you a root. I was responding to jeremy ardley considering root access gained. Apart from this privilege escalation is a real threat: https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=privilege+escalation ___ dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-le...@dovecot.org
Re: Roundcube
On 8/9/23 16:24, Marc wrote: Since when does a hacked website gain root? A web search on 'linux web server exploits that gain root' will give many examples. Security design by first principle assumes that an attacker will gain root access. Best practise is to limit the damage that can cause. The usual way to limit it is put all public facing systems in a DMZ and have a very carefully controlled access from them to an internal priavte network. The access control is performed by systems that cannot be controlled by a breached public facing server. e.g. router firewalls,. ___ dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-le...@dovecot.org
RE: Roundcube
> > There is a generic issue with doing this. That is if you have roundcube > (or any other web mail interface) on the same server as dovecot, a > breach of the web interface could be quite serious and allow access to > the complete mail store. No this is crap. user/group is are preventing this. The only risk you have when roundcube is hacked is that any user logging after this hack, his mailbox can be accessed (grabbed userid/passwd). So users not even using this roundcube have no problem at all. ___ dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-le...@dovecot.org
RE: Roundcube
> > On 2023-09-08, jeremy ardley via dovecot wrote: > > > The scenario you describe does not consider a breach of the web mail > service > > that allows root access to the file system. > > > > If the web service is compromised to that extent then the mail file store > is > > also compromised. > > > > If the mail file store is on a different device then an exploit has to > not > > only breach the web service on the interface device, it then has to > breach the > > remote store. This will be extremely difficult compared to simply > breaching a > > web server and locally exploiting it. > > > > When the dovecot server is on a remote system and correct firewalls are > in > > place, then the attacker has to breach the imap protocols as well > > But if root access is gained on the web server, root access is also > gained on roundcube. And mails, the important thing to protect, can be > freely read/deleted. At this point root access on the dovecot server > does not matter. > Since when does a hacked website gain root? What argument is next, when your storage solution is hacked they have access to your files? Are you not working with linux? How frequent are exploits that give you a root. You can even run the webserver without root, because you only need binding the low port linux capability. So if your webserver process does not even run root, how can it gain it? ___ dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-le...@dovecot.org
Re: Roundcube
El 8/9/23 a les 10:07, Michel Verdier ha escrit: On 2023-09-08, jeremy ardley via dovecot wrote: The scenario you describe does not consider a breach of the web mail service that allows root access to the file system. If the web service is compromised to that extent then the mail file store is also compromised. If the mail file store is on a different device then an exploit has to not only breach the web service on the interface device, it then has to breach the remote store. This will be extremely difficult compared to simply breaching a web server and locally exploiting it. When the dovecot server is on a remote system and correct firewalls are in place, then the attacker has to breach the imap protocols as well But if root access is gained on the web server, root access is also gained on roundcube. And mails, the important thing to protect, can be freely read/deleted. At this point root access on the dovecot server does not matter. In a webmail-only container, the only information attacker can reach gaining root permissions is what Roundcube stores: - Logged-in account preferences (identifying used usernames) - Data cache MDA/IMAP server stores full mailboxes data, nor full accounts directory. IMAP-only users are not compromised because of a remote webmail breach. Another reason to separate software can be maintenance organisation: - Separate administrators - Update/upgrade OS as needed by one service but not the other -- Narcis Garcia __ I'm using this dedicated address because personal addresses aren't masked enough at this mail public archive. Public archive administrator should fix this against automated addresses collectors. ___ dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-le...@dovecot.org
Re: Roundcube
On 2023-09-08, jeremy ardley via dovecot wrote: > The scenario you describe does not consider a breach of the web mail service > that allows root access to the file system. > > If the web service is compromised to that extent then the mail file store is > also compromised. > > If the mail file store is on a different device then an exploit has to not > only breach the web service on the interface device, it then has to breach the > remote store. This will be extremely difficult compared to simply breaching a > web server and locally exploiting it. > > When the dovecot server is on a remote system and correct firewalls are in > place, then the attacker has to breach the imap protocols as well But if root access is gained on the web server, root access is also gained on roundcube. And mails, the important thing to protect, can be freely read/deleted. At this point root access on the dovecot server does not matter. ___ dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-le...@dovecot.org
Re: Roundcube
El 8/9/23 a les 0:50, jeremy ardley via dovecot ha escrit: On 8/9/23 05:00, joe a wrote: Any known issues with installing/running roundcube and dovecot on the same server? There is a generic issue with doing this. That is if you have roundcube (or any other web mail interface) on the same server as dovecot, a breach of the web interface could be quite serious and allow access to the complete mail store. A better configuration is to run the web mail interface on an isolated server and get it to communicate using TLS imap with a remote dovecot service. For economy, you could do this on the same machine using a small virtual server to run roundcube +1 -- Narcis Garcia __ I'm using this dedicated address because personal addresses aren't masked enough at this mail public archive. Public archive administrator should fix this against automated addresses collectors. ___ dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-le...@dovecot.org
Re: Roundcube
On 8/9/23 07:38, dovecot--- via dovecot wrote: Roundcube does not have direct file access to the emails even on the same server. Roundcube opens a connection to dovecot, supplies the user/pass/login credentials to dovecot, and dovecot fetches the email stores and serves it to roundcube. There is nothing a hacker can gain access to by exploiting roundcube that they also couldn't get in the same scenario if roundcube and dovecot were on two different machines. -- The scenario you describe does not consider a breach of the web mail service that allows root access to the file system. If the web service is compromised to that extent then the mail file store is also compromised. If the mail file store is on a different device then an exploit has to not only breach the web service on the interface device, it then has to breach the remote store. This will be extremely difficult compared to simply breaching a web server and locally exploiting it. When the dovecot server is on a remote system and correct firewalls are in place, then the attacker has to breach the imap protocols as well This article describes the concept https://www.fortinet.com/resources/cyberglossary/what-is-dmz ___ dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-le...@dovecot.org
Re: Roundcube
Any known issues with installing/running roundcube and dovecot on the same server? There is a generic issue with doing this. That is if you have roundcube (or any other web mail interface) on the same server as dovecot, a breach of the web interface could be quite serious and allow access to the complete mail store. A better configuration is to run the web mail interface on an isolated server and get it to communicate using TLS imap with a remote dovecot service. For economy, you could do this on the same machine using a small virtual server to run roundcube I disagree with this, and that is what user/group/permissions are for. Roundcube does not have direct file access to the emails even on the same server. Roundcube opens a connection to dovecot, supplies the user/pass/login credentials to dovecot, and dovecot fetches the email stores and serves it to roundcube. There is nothing a hacker can gain access to by exploiting roundcube that they also couldn't get in the same scenario if roundcube and dovecot were on two different machines. ___ dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-le...@dovecot.org
Re: Roundcube
On 8/9/23 05:00, joe a wrote: Any known issues with installing/running roundcube and dovecot on the same server? There is a generic issue with doing this. That is if you have roundcube (or any other web mail interface) on the same server as dovecot, a breach of the web interface could be quite serious and allow access to the complete mail store. A better configuration is to run the web mail interface on an isolated server and get it to communicate using TLS imap with a remote dovecot service. For economy, you could do this on the same machine using a small virtual server to run roundcube ___ dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-le...@dovecot.org
Re: Roundcube
On Thu, Sep 07, 2023 at 05:00:51PM -0400, joe a wrote: > Any known issues with installing/running roundcube and dovecot on the same > server? > No! ___ > dovecot mailing list -- dovecot@dovecot.org > To unsubscribe send an email to dovecot-le...@dovecot.org -- Member - Liberal International This is doc...@nk.ca Ici doc...@nk.ca Yahweh, King & country!Never Satan President Republic!Beware AntiChrist rising! Look at Psalms 14 and 53 on Atheism https://www.empire.kred/ROOTNK?t=94a1f39b Manitoba on 3 Oct 2023 vote Liberal! Beware https://mindspring.com ___ dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-le...@dovecot.org
Re: Roundcube
Thanks. On 9/7/2023 17:09:25, robert k Wild wrote: Simple answer is no issues at all, I've done it all on the same server and my server has Postfix, dovecote and roundcube On Thu, 7 Sept 2023, 22:05 joe a, wrote: Any known issues with installing/running roundcube and dovecot on the same server? ___ dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-le...@dovecot.org ___ dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-le...@dovecot.org ___ dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-le...@dovecot.org
Re: Roundcube
On 9/7/23 17:00, joe a wrote: Any known issues with installing/running roundcube and dovecot on the same server? I'm running two such installations; no difficulty. -Dave -- Dave McGuire, AK4HZ New Kensington, PA ___ dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-le...@dovecot.org
Re: Roundcube
Simple answer is no issues at all, I've done it all on the same server and my server has Postfix, dovecote and roundcube On Thu, 7 Sept 2023, 22:05 joe a, wrote: > Any known issues with installing/running roundcube and dovecot on the > same server? > ___ > dovecot mailing list -- dovecot@dovecot.org > To unsubscribe send an email to dovecot-le...@dovecot.org > ___ dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-le...@dovecot.org