Re: openwebmail with chrooted apache
On Tue, Jul 04, 2006 at 10:44:05AM -0400, Nick Holland wrote:
> FTP wrote:
> ...
> >bottom line, your suggestion is to stick with openwebmail (if I don't
> >want to install IMAP) and run 'insecure' apache? Would that be a
> >'good' solution for a small e-mail server?
>
> MY suggestion..yes. Reasonable people may (and probably will) have
> differing opinions.
>
> Here's a better idea: why don't you grab a bunch of different solutions
> and try 'em out? Don't trust us, make your own decision.
>
> Keep the Big Picture in mind... Yes, it's the "insecure" use of apache,
> but this eliminates a bunch of other programs that would have to do the
> same thing, creating similar potential holes, anyway.
>
> Nick.
>

Thanks for your reply. I didn't mean that I 'trust' you or someone else and I do agree that I have to try different solutions till I decide. I only wanted to see what kind of experience you and others collected up to now and the reasons when proposing something. That's all :-)

Thanks for your valuable time

George
Re: openwebmail with chrooted apache
FTP wrote:
> ...
> bottom line, your suggestion is to stick with openwebmail (if I don't
> want to install IMAP) and run 'insecure' apache? Would that be a
> 'good' solution for a small e-mail server?

MY suggestion..yes. Reasonable people may (and probably will) have differing opinions.

Here's a better idea: why don't you grab a bunch of different solutions and try 'em out? Don't trust us, make your own decision.

Keep the Big Picture in mind... Yes, it's the "insecure" use of apache, but this eliminates a bunch of other programs that would have to do the same thing, creating similar potential holes, anyway.

Nick.
Re: openwebmail with chrooted apache
On Tue, Jul 04, 2006 at 02:21:32PM +0200, Joachim Schipper wrote:
> On Tue, Jul 04, 2006 at 10:33:30AM +0200, FTP wrote:
> > On Mon, Jul 03, 2006 at 06:25:52PM -0400, Nick Holland wrote:
> > > OpenWebmail is very charming because of how very little it needs to
> > > bring into base OpenBSD to get working. I set it up for a school of
> > > about 200 students (...). I must say, at this point, being not
> > > written in PHP is starting to look Really Nice, too.
> >
> > bottom line, your suggestion is to stick with openwebmail (if I don't
> > want to install IMAP) and run 'insecure' apache? Would that be a
> > 'good' solution for a small e-mail server?
>
> Over here, I use Hastymail+Dovecot IMAP server. Dovecot is extremely
> easy to setup and Works For Me, though it does not appear to work for
> everyone.
>
> Hastymail is a basic webmail application, and about as sane as webmail
> applications get. Notably, it does not support sending HTML mail, does
> not use Javascript, and can - but need not - use cookies; what's better,
> it actually has a thought-out and configurable security model.
>
> The interface is basic, but functional, and the only thing required is a
> couple of flat files and an IMAP server. (No SQL is a Good Thing, too -
> not to say that SQL isn't cool, but SQL is *not* a filesystem, despite
> what the LAMP crowd seems to think...)
>
> The only thing that might be construed as 'missing' is PGP support, but
> while I really like PGP, the whole idea of PGP over webmail has too many
> problems to classify as a Good Idea.
>
> Not being able to send HTML mail does make some people less happy,
> though. That, and it's written in PHP - and my opinion of PHP is
> certainly no better than Nick's.
>
> Joachim
>
> P.S. Not to be a nazi, but trimming quotes is a good idea...
> P.P.S. Flames invited over Excess Capitalization and the above P.S.
>

I see. In that case looks like to be better off to first install dovecot (which I was trying to avoid!) and then I'll have plenty of choices concerning the web-front GUI.

Thanks

George
Re: openwebmail with chrooted apache
On Tue, Jul 04, 2006 at 10:33:30AM +0200, FTP wrote:
> On Mon, Jul 03, 2006 at 06:25:52PM -0400, Nick Holland wrote:
> > OpenWebmail is very charming because of how very little it needs to
> > bring into base OpenBSD to get working. I set it up for a school of
> > about 200 students (...). I must say, at this point, being not
> > written in PHP is starting to look Really Nice, too.
>
> bottom line, your suggestion is to stick with openwebmail (if I don't
> want to install IMAP) and run 'insecure' apache? Would that be a
> 'good' solution for a small e-mail server?

Over here, I use Hastymail+Dovecot IMAP server. Dovecot is extremely easy to setup and Works For Me, though it does not appear to work for everyone.

Hastymail is a basic webmail application, and about as sane as webmail applications get. Notably, it does not support sending HTML mail, does not use Javascript, and can - but need not - use cookies; what's better, it actually has a thought-out and configurable security model.

The interface is basic, but functional, and the only thing required is a couple of flat files and an IMAP server. (No SQL is a Good Thing, too - not to say that SQL isn't cool, but SQL is *not* a filesystem, despite what the LAMP crowd seems to think...)

The only thing that might be construed as 'missing' is PGP support, but while I really like PGP, the whole idea of PGP over webmail has too many problems to classify as a Good Idea.

Not being able to send HTML mail does make some people less happy, though. That, and it's written in PHP - and my opinion of PHP is certainly no better than Nick's.

Joachim

P.S. Not to be a nazi, but trimming quotes is a good idea...
P.P.S. Flames invited over Excess Capitalization and the above P.S.
Re: openwebmail with chrooted apache
On Mon, Jul 03, 2006 at 06:25:52PM -0400, Nick Holland wrote:
> FTP wrote:
> >On Mon, Jul 03, 2006 at 08:49:03PM +0200, Sigfred Heversen wrote:
> >>Stuart Henderson wrote:
> >>>On 2006/07/03 13:52, Nick Holland wrote:
> >>> > (contrast this to Squirrelmail, which does (amazingly) run in a chroot
> >>>
> >>>Same for Hastymail and Roundcube. I guess it's not too much of a
> >>>stretch with IMP either (though I haven't actually used IMP
> >>>recently enough to have checked chroot).
> >>>
> >>In tree mail/imp depends on devel/horde that has exploit(s) in the
> >>wild.
> >>
> >>/Sigfred
> >>
> >
> >I had a look on IMP and looks fine to me cause you can have POP3 too
> >as well. I actually didn't intend to install an IMAP server.
>
> Using IMP to avoid an IMAP server is like cutting off your hands because
> you don't wish to trim your fingernails. A Bit Drastic, I do think.
> And similarly crippling, as IMP is less than 100% effective without
> IMAP, apparently:
> http://www.horde.org/imp/docs/?f=INSTALL.html
> "IMAP is recommended over POP3 in order to let users maintain mail
> folders other than INBOX and is required to allow messages to be
> flagged. IMAP is also much faster than POP3 in displaying a mailbox of
> messages. In short, do not use POP3 unless IMAP is not available."
>
> If you want IMP, IMAP is the least of your tasks. I think once you have
> IMP configured, you will forget that IMAP was even involved.
>
> >As a result is IMP a good solution for a small e-mail server?
>
> I've never got IMP all the way running...but I very quickly came to the
> conclusion that "small" and IMP or any other Horde-based product have
> nothing to do with each other.
>
> That's not to say that IMP isn't a (potentially) cool product, and I'd
> like to come back to it, but the setup and config is much more
> "involved" than I'd find justified for a "small" e-mail server.
>
> OpenWebmail is very charming because of how very little it needs to
> bring into base OpenBSD to get working. I set it up for a school of
> about 200 students on a PII-450, worked well (once I set up MASSIVE
> amounts of swap space...having 25 students change their PWs at the same
> time burned through something like 600M of RAM+swap very
> quickly...swap-to-file to the rescue!). I must say, at this point,
> being not written in PHP is starting to look Really Nice, too.
>
> Nick.
>

bottom line, your suggestion is to stick with openwebmail (if I don't want to install IMAP) and run 'insecure' apache? Would that be a 'good' solution for a small e-mail server?

Thanks

George
Re: openwebmail with chrooted apache
On 2006/07/03 18:25, Nick Holland wrote:
> OpenWebmail is very charming because of how very little it needs to
> bring into base OpenBSD to get working. I set it up for a school of
> about 200 students on a PII-450, worked well (once I set up MASSIVE
> amounts of swap space...having 25 students change their PWs at the same
> time burned through something like 600M of RAM+swap very
> quickly...swap-to-file to the rescue!).

I set IMP up once for a hosted email system for a bunch of schools, who insisted on using Lookout 97 for admin staff. The occasional uuencoded attachments (including a scanned letter pasted as a bitmap into an uncompressed Word document sent to something like 400 people) caused, shall we say, interesting things to happen as IMP tried to wordwrap it...
Re: openwebmail with chrooted apache
FTP wrote:
>On Mon, Jul 03, 2006 at 08:49:03PM +0200, Sigfred Heversen wrote:
>>Stuart Henderson wrote:
>>>On 2006/07/03 13:52, Nick Holland wrote:
>>> > (contrast this to Squirrelmail, which does (amazingly) run in a chroot
>>>
>>>Same for Hastymail and Roundcube. I guess it's not too much of a
>>>stretch with IMP either (though I haven't actually used IMP
>>>recently enough to have checked chroot).
>>>
>>In tree mail/imp depends on devel/horde that has exploit(s) in the
>>wild.
>>
>>/Sigfred
>>
>
>I had a look on IMP and looks fine to me cause you can have POP3 too
>as well. I actually didn't intend to install an IMAP server.

Using IMP to avoid an IMAP server is like cutting off your hands because you don't wish to trim your fingernails. A Bit Drastic, I do think. And similarly crippling, as IMP is less than 100% effective without IMAP, apparently:
http://www.horde.org/imp/docs/?f=INSTALL.html
"IMAP is recommended over POP3 in order to let users maintain mail folders other than INBOX and is required to allow messages to be flagged. IMAP is also much faster than POP3 in displaying a mailbox of messages. In short, do not use POP3 unless IMAP is not available."

If you want IMP, IMAP is the least of your tasks. I think once you have IMP configured, you will forget that IMAP was even involved.

>As a result is IMP a good solution for a small e-mail server?

I've never got IMP all the way running...but I very quickly came to the conclusion that "small" and IMP or any other Horde-based product have nothing to do with each other.

That's not to say that IMP isn't a (potentially) cool product, and I'd like to come back to it, but the setup and config is much more "involved" than I'd find justified for a "small" e-mail server.

OpenWebmail is very charming because of how very little it needs to bring into base OpenBSD to get working. I set it up for a school of about 200 students on a PII-450, worked well (once I set up MASSIVE amounts of swap space...having 25 students change their PWs at the same time burned through something like 600M of RAM+swap very quickly...swap-to-file to the rescue!). I must say, at this point, being not written in PHP is starting to look Really Nice, too.

Nick.
Re: openwebmail with chrooted apache
> > In tree mail/imp depends on devel/horde that has exploit(s) in the wild.

This doesn't look very much fun, remote php execution and looks like it's being actively probed-for.
Re: openwebmail with chrooted apache
From: [EMAIL PROTECTED]
> > In tree mail/imp depends on devel/horde that has exploit(s) in the wild.
> >
> > /Sigfred
> >
>
> I had a look on IMP and looks fine to me cause you can have
> POP3 too as well. I actually didn't intend to install an IMAP server.
>
> As a result is IMP a good solution for a small e-mail server?

It works as well as anything and it's *pretty*. As pointed out though, IMP doesn't work without the rest of the Horde framework, and frankly I don't like introducing more code than necessary (especially in the case of a PHP app) and if all you need is webmail, is bringing along all the rest of the Horde framework really prudent?

DS
Re: openwebmail with chrooted apache
On Mon, Jul 03, 2006 at 08:49:03PM +0200, Sigfred Heversen wrote:
> Stuart Henderson wrote:
> >On 2006/07/03 13:52, Nick Holland wrote:
> >
> >>(contrast this to Squirrelmail, which does (amazingly) run in a chroot
> >
> >
> >Same for Hastymail and Roundcube. I guess it's not too much of a
> >stretch with IMP either (though I haven't actually used IMP recently
> >enough to have checked chroot).
> >
>
> In tree mail/imp depends on devel/horde that has exploit(s) in the wild.
>
> /Sigfred
>

I had a look on IMP and looks fine to me cause you can have POP3 too as well. I actually didn't intend to install an IMAP server.

As a result is IMP a good solution for a small e-mail server?

Thanks

George
Re: openwebmail with chrooted apache
Stuart Henderson wrote:
>On 2006/07/03 13:52, Nick Holland wrote:
>
>>(contrast this to Squirrelmail, which does (amazingly) run in a chroot
>
>Same for Hastymail and Roundcube. I guess it's not too much of a
>stretch with IMP either (though I haven't actually used IMP recently
>enough to have checked chroot).

In tree mail/imp depends on devel/horde that has exploit(s) in the wild.

/Sigfred
Re: openwebmail with chrooted apache
On Mon, 3 Jul 2006, Stuart Henderson wrote:
> Same for Hastymail and Roundcube. I guess it's not too much of a
> stretch with IMP either (though I haven't actually used IMP recently
> enough to have checked chroot).

Horde/Imp works fine in chroot.

-- Antoine
Re: openwebmail with chrooted apache
On 2006/07/03 13:52, Nick Holland wrote:
> (contrast this to Squirrelmail, which does (amazingly) run in a chroot

Same for Hastymail and Roundcube. I guess it's not too much of a stretch with IMP either (though I haven't actually used IMP recently enough to have checked chroot).
Re: openwebmail with chrooted apache
FTP wrote:
> I installed openwebmail from the ports and when trying to launch:
> http://your_server/cgi-bin/openwebmail/openwebmail.pl
> I get a 500 error. I suppose that this is due to the chrooted apache but
> how do I find the dependencies for a perl script?

1) you think really hard about what a program does and how it does it.
* It runs as setuid root, so it can jump to any logged in user to fetch their mail. (hint: chrooting a suid root program is kinda pointless)
* It accesses /var/mail (can't recall if directly or via pop3)
* It accesses Sendmail binary directly (another setuid root program).
* it accesses /home/* directly
(that's from memory, from a few years back's version. I suspect there is a lot more. Some details may have changed, including my memory)

2) you think really hard about how much of the system you would have to pull into the chroot to do what you want.
* Too much dangerous stuff...and much of the file system. The benefit of chrooting is mostly lost.

3) Decide if the effort is worth it.
* No, it isn't IN THIS CASE. Give it up.

See the last sentence in:
http://www.openbsd.org/faq/faq10.html#httpdchroot
OpenWebmail is one of these apps. Making it work in a chroot would require a major rewrite and restructure, not simply copying files over...then you STILL have to trust the mechanism used to do those root-like things.

(contrast this to Squirrelmail, which does (amazingly) run in a chroot relatively easily...but then, Squirrelmail uses an IMAP server to move your mail data around...so instead of worrying about a "hole" in Apache or the web-app, you have to worry about a hole in your IMAP server)

Nick.
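
An added illustration of steps 1 and 2 in the message above (not part of the thread, and not OpenWebmail's code): a shell audit that reports whether a CGI script is set-user-ID and which absolute paths named in it are absent under the chroot directory. The function names, the sample script webmail.pl and its contents are constructed for the example, and the path scan is a text heuristic.

```shell
#!/bin/sh
# Added example, not from the thread. audit_cgi CHROOT SCRIPT prints one
# finding per line for a CGI script that will run under a chrooted httpd:
#   SETUID uid=<n>   script is set-user-ID (a chroot does not contain uid 0)
#   MISSING <path>   absolute path named in the script, absent under CHROOT
# The path scan is a text heuristic; it cannot see paths built at run time.
audit_cgi() {
    chroot_dir=$1
    script=$2
    if [ -u "$script" ]; then
        echo "SETUID uid=$(ls -ln "$script" | awk '{print $3}')"
    fi
    grep -oE '/(bin|sbin|usr|var|home|etc|dev|tmp)(/[A-Za-z0-9._-]+)*' "$script" |
    sort -u |
    while read -r path; do
        # Inside the chroot, "/x" resolves to "$chroot_dir/x".
        [ -e "$chroot_dir$path" ] || echo "MISSING $path"
    done
}

# Constructed sample: a stand-in chroot tree and a made-up CGI script whose
# paths mirror the ones listed in the message above.
make_sample() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/www/cgi-bin" "$root/www/tmp"
    cat > "$root/www/cgi-bin/webmail.pl" <<'EOF'
#!/usr/bin/perl
my $spool    = "/var/mail";
my $sendmail = "/usr/sbin/sendmail";
my $homes    = "/home";
my $scratch  = "/tmp";
EOF
    chmod 4755 "$root/www/cgi-bin/webmail.pl"
    echo "$root"
}

if [ "${1:-}" = "--demo" ]; then
    r=$(make_sample)
    audit_cgi "$r/www" "$r/www/cgi-bin/webmail.pl"
    rm -rf "$r"
fi
```

Run with `--demo` to see the findings for the constructed sample: every MISSING line is something that would have to be copied into the chroot, and a SETUID line means the chroot is not the control doing the containing.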