[imp] Possible bug ?

michel at casa.co.cu michel at casa.co.cu
Sun Sep 13 23:16:02 UTC 2009


Arjen de Korte <arjen+horde at de-korte.org> escribió:

> Citeren michel at casa.co.cu:
>
>> Thanks for responding to my email. Tomorrow I will send an email to all  
>> my users in the system asking them to change their passwords as a precaution,  
>> but until yesterday the attacker used, in the "From" line, email  
>> addresses that actually exist in my Active Directory.
>>
>> I have spf in my dns.
>
> That may only help against others illegally using *your* domain on  
> *their* MTA. Not for people illegally using your *MTA* with *their  
> domain.
>
>> So how can email be sent through Horde webmail when the email address  
>> doesn't exist?
>
> Only relay mail when the sender is SASL authenticated to Postfix  
> *and* is allowed to use the sender address. This drastically limits  
> what people can do when a user account is compromised and also will  
> quickly tell you which one if it ever happens.
>
>> How do I do this? Otherwise, isn't it possible that Horde has a security  
>> breach, a bug?
>
> This isn't a Horde security problem and/or bug. You should harden  
> your MTA to prevent this.
>
> Best regards, Arjen
>

Tomorrow I will work on implementing SASL authentication in my MTA.

This is my IMP config; I don't see where I can lock the From address:

// IMP (Horde webmail) conf.php as posted. Values are the poster's; comments added for review.
$conf['spell']['params']['path'] = '/usr/bin/aspell';
$conf['spell']['driver'] = 'aspell';
$conf['utils']['gnupg_keyserver'] = array('pgp.mit.edu');
$conf['utils']['gnupg_timeout'] = 10;
// NOTE(review): '/somewhere/ca-bundle.crt' reads like an unedited placeholder path;
// if S/MIME verification is used, confirm it points at a real CA bundle.
$conf['utils']['openssl_cafile'] = '/somewhere/ca-bundle.crt';
$conf['utils']['openssl_binary'] = '/usr/bin/openssl';
$conf['menu']['apps'] = array('horde');
$conf['user']['select_sentmail_folder'] = false;
$conf['user']['allow_resume_all_in_drafts'] = true;
$conf['user']['allow_folders'] = true;
$conf['user']['allow_resume_all'] = false;
$conf['user']['allow_view_source'] = true;
$conf['user']['alternate_login'] = false;
$conf['user']['redirect_on_logout'] = false;
$conf['user']['select_view'] = true;
$conf['server']['server_list'] = 'shown';
$conf['server']['fixed_folders'] = array();
$conf['server']['sort_limit'] = 0;
$conf['server']['cache_folders'] = true;
// Presumably a lifetime in seconds for IMP's request tokens — confirm against this IMP version's conf.xml.
$conf['server']['token_lifetime'] = 1800;
$conf['server']['cachejs'] = 'none';
$conf['server']['cachecss'] = 'none';
$conf['mailbox']['show_preview'] = false;
$conf['fetchmail']['show_account_colors'] = false;
$conf['fetchmail']['size_limit'] = 4000000;
$conf['msgcache']['use_msgcache'] = false;
$conf['mlistcache']['use_mlistcache'] = false;
$conf['msgsettings']['filtering']['words'] = './config/filter.txt';
$conf['msgsettings']['filtering']['replacement'] = '****';
$conf['spam']['reporting'] = false;
$conf['notspam']['reporting'] = false;
$conf['print']['add_printedby'] = false;
$conf['msg']['prepend_header'] = true;
$conf['msg']['append_trailer'] = true;
$conf['compose']['allow_receipts'] = true;
$conf['compose']['special_characters'] = true;
$conf['compose']['use_vfs'] = false;
$conf['compose']['link_all_attachments'] = false;
$conf['compose']['link_attachments_notify'] = true;
$conf['compose']['link_attachments'] = true;
$conf['compose']['attach_size_limit'] = 2524000;
$conf['compose']['attach_count_limit'] = 0;
$conf['compose']['reply_limit'] = 2000000;
// Every IMP hook is disabled. Nothing in this file restricts the From: address of outgoing
// mail; the option the question asks about is $conf['user']['verify_from_addr'] in the
// Horde-level conf.php, and the MTA-side sender/login check suggested in the thread.
$conf['hooks']['vinfo'] = false;
$conf['hooks']['postlogin'] = false;
$conf['hooks']['postsent'] = false;
$conf['hooks']['signature'] = false;
$conf['hooks']['trailer'] = false;
$conf['hooks']['fetchmail_filter'] = false;
$conf['hooks']['mbox_redirect'] = false;
$conf['hooks']['mbox_icon'] = false;
$conf['hooks']['spam_bounce'] = false;
$conf['hooks']['msglist_format'] = false;
$conf['hooks']['display_folder'] = false;
$conf['maillog']['use_maillog'] = true;
// Sent-mail log kept in SQL (table imp_sentmail, Horde's DB config). threshold/limit_period
// presumably set the log retention and the period for per-user recipient limits — confirm
// against conf.xml. If it records the sending account, this log is where to trace which
// user account sent the abusive messages.
$conf['sentmail']['params']['threshold'] = 60;
$conf['sentmail']['params']['limit_period'] = 24;
$conf['sentmail']['params']['table'] = 'imp_sentmail';
$conf['sentmail']['params']['driverconfig'] = 'horde';
$conf['sentmail']['driver'] = 'sql';
$conf['tasklist']['use_tasklist'] = true;
$conf['notepad']['use_notepad'] = true;


And the Horde config:


// Horde framework conf.php as posted. Values are the poster's; comments added for review.
$conf['vhosts'] = false;
// Full error reporting; on a production host this can surface file paths and internals
// to users if display_errors is on — verify the php.ini setting.
$conf['debug_level'] = E_ALL;
$conf['max_exec_time'] = 300;
$conf['compress_pages'] = true;
// NOTE(review): this key is now public because it was pasted into a mailing-list post;
// it should be regenerated on the server and never posted again.
$conf['secret_key'] = '5cee22ed2d84cc4b803c11e8353d718def4b37b6';
$conf['umask'] = 077;
// Meaning of the value 2 depends on the Horde version — confirm against conf.xml.
$conf['use_ssl'] = 2;
// Server name/port are taken from the web server's request environment. If this vhost is the
// default/catch-all, SERVER_NAME may follow the client-supplied Host header — presumably a
// fixed hostname is safer for generated URLs and cookies; confirm the web server setup.
$conf['server']['name'] = $_SERVER['SERVER_NAME'];
$conf['server']['port'] = $_SERVER['SERVER_PORT'];
$conf['urls']['token_lifetime'] = 30;
$conf['urls']['hmac_lifetime'] = 30;
$conf['urls']['pretty'] = false;
// NOTE(review): both entries end in .0 and look like network addresses, not hosts; confirm
// whether this option expects single IPs or ranges, and what "safe" grants to them.
$conf['safe_ips'] = array('192.168.0.0', '10.71.53.0');
$conf['session']['name'] = 'Horde';
$conf['session']['use_only_cookies'] = true;
$conf['session']['cache_limiter'] = 'nocache';
$conf['session']['timeout'] = 3200;
// Cookie domain also derived from the request environment — same caveat as server name above.
$conf['cookie']['domain'] = $_SERVER['SERVER_NAME'];
$conf['cookie']['path'] = '/';
$conf['sql']['persistent'] = false;
$conf['sql']['username'] = 'hordesql';
// Redacted by the poster.
$conf['sql']['password'] = '**********';
$conf['sql']['hostspec'] = 'localhost';
$conf['sql']['port'] = 3306;
$conf['sql']['protocol'] = 'tcp';
$conf['sql']['database'] = 'hordedb';
$conf['sql']['charset'] = 'utf-8';
$conf['sql']['ssl'] = false;
$conf['sql']['splitread'] = false;
$conf['sql']['phptype'] = 'mysql';
$conf['auth']['admins'] = array('michel');
// Sessions are bound to the browser string but not to the client IP; with checkip off, a
// stolen session cookie is usable from another address. Re-evaluate once SASL auth is in place.
$conf['auth']['checkip'] = false;
$conf['auth']['checkbrowser'] = true;
$conf['auth']['alternate_login'] = false;
$conf['auth']['redirect_on_logout'] = false;
// Authentication is delegated to IMP, i.e. to the IMAP server's credentials.
$conf['auth']['params']['app'] = 'imp';
$conf['auth']['driver'] = 'application';
$conf['signup']['allow'] = false;
// Debug-level logging to syslog; useful while investigating the abuse, noisy in steady state.
$conf['log']['priority'] = PEAR_LOG_DEBUG;
$conf['log']['ident'] = 'HORDE';
$conf['log']['params'] = array();
$conf['log']['name'] = '/var/log/horde.log';
$conf['log']['type'] = 'syslog';
$conf['log']['enabled'] = true;
$conf['log_accesskeys'] = true;
$conf['prefs']['params']['driverconfig'] = 'horde';
$conf['prefs']['driver'] = 'sql';
$conf['alarms']['params']['driverconfig'] = 'horde';
$conf['alarms']['params']['ttl'] = 300;
$conf['alarms']['driver'] = 'sql';
$conf['datatree']['params']['driverconfig'] = 'horde';
$conf['datatree']['driver'] = 'sql';
$conf['group']['driver'] = 'datatree';
$conf['group']['cache'] = false;
$conf['perms']['driverconfig'] = 'horde';
$conf['perms']['driver'] = 'sql';
$conf['share']['no_sharing'] = false;
$conf['share']['any_group'] = false;
$conf['share']['cache'] = false;
$conf['share']['driver'] = 'sql';
$conf['cache']['default_lifetime'] = 1800;
// NOTE(review): cache driver is 'memcache' while $conf['memcache']['enabled'] is false at the
// end of this file — looks inconsistent; confirm whether caching actually works.
$conf['cache']['driver'] = 'memcache';
$conf['lock']['params']['driverconfig'] = 'horde';
$conf['lock']['driver'] = 'sql';
// No token store; confirm what this disables in this Horde version (request tokens are
// configured above under $conf['urls']).
$conf['token']['driver'] = 'none';
// Outgoing mail is handed to the MTA over SMTP without authentication (auth = false). The MTA
// therefore only sees the webmail host, not which user account submitted the message, and
// cannot enforce a per-account sender address — this matches the advice in the thread to
// require SASL authentication and a sender/login mapping at the MTA.
$conf['mailer']['params']['host'] = 'webmail.home.com';
$conf['mailer']['params']['port'] = 25;
$conf['mailer']['params']['localhost'] = 'server.home.com';
$conf['mailer']['params']['auth'] = false;
$conf['mailer']['type'] = 'smtp';
$conf['mailformat']['brokenrfc2231'] = false;
// VFS root on /tmp: world-accessible directory; check the umask above is honoured for it.
$conf['vfs']['params']['vfsroot'] = '/tmp';
$conf['vfs']['type'] = 'file';
$conf['sessionhandler']['type'] = 'none';
$conf['sessionhandler']['memcache'] = false;
$conf['problems']['email'] = 'support at home.com';
$conf['problems']['maildomain'] = 'home.com';
$conf['problems']['tickets'] = false;
$conf['problems']['attachments'] = true;
$conf['menu']['apps'] = array();
$conf['menu']['always'] = false;
$conf['menu']['links']['help'] = 'all';
$conf['menu']['links']['options'] = 'authenticated';
$conf['menu']['links']['problem'] = 'all';
$conf['menu']['links']['login'] = 'all';
$conf['menu']['links']['logout'] = 'authenticated';
$conf['hooks']['permsdenied'] = false;
$conf['hooks']['username'] = false;
$conf['hooks']['preauthenticate'] = false;
$conf['hooks']['postauthenticate'] = false;
$conf['hooks']['authldap'] = false;
$conf['hooks']['groupldap'] = false;
$conf['portal']['fixed_blocks'] = array();
$conf['accounts']['driver'] = 'null';
// This is the option the question is about. Going by its name, false means Horde does not
// verify that the From: address of an outgoing message belongs to the logged-in user's
// identities, so any address can be placed in From:. Setting it to true is the Horde-side
// restriction; it complements (does not replace) the MTA-side sender check. Confirm the exact
// semantics against this Horde version's conf.xml.
$conf['user']['verify_from_addr'] = false;
$conf['imsp']['enabled'] = false;
$conf['kolab']['enabled'] = false;
$conf['memcache']['enabled'] = false;


Maybe there is something wrong in my config.
----------------------------------------------
Webmail, servicio de correo electronico
Casa de las Americas - La Habana, Cuba.


