IspConfig with Roundcubemail - Security

Discussion in 'Installation/Configuration' started by hrvbid, Sep 20, 2008.

  1. hrvbid

    hrvbid New Member

    Looking for a webmailer, roundcubemail is functionally a pretty choice, but from the view of security one of the greatest disasters I've seen in the near past. I do not know from where the gaps came, from the native distro or from the pkg adaption for ispconfig. Reasons may be caused by inconsistent/strange file type usage and the intermix of some object orientation with non object oriented programming styles.

    Anyway, some actions are urgently suggested to plug the leaks.

    With good reasons, the ispconfig webserver for itself does not allow .htaccess overrides. With good reasons also, roundcubemail runs with and in the context of the ispconfig server. But roundcubemail uses .htaccess files to have some protection.

    That should be supported (only for) the roundcube path by:

    1st, insert into file /root/ispconfig/httpd/conf/httpd.conf at about line # 1197:

        <Directory /home/admispconfig/ispconfig/web/roundcubemail>
            AllowOverride All
        </Directory>

    Next modify the .htaccess file in the roundcube path at about line # 28, so that it reads:

        <FilesMatch "(\.db|\.dist|\.inc|magic|msgimport|\~)$">
            Order allow,deny
            Deny from all
        </FilesMatch>
        Order deny,allow
        Allow from all

    An .htaccess file with this content:

        Order allow,deny
        Deny from all

    should also be placed in the ispconfig roundcubemail path.

    The ./config/*.dist files I have renamed to *.dist.nop,
    otherwise these files are offered for download.

    When finished, the ispconfig server requires a restart.

    Don't know if all security issues have now been paid attention to, but after a first test the roundcube world with ispconfig looks a bit better, while the functionalities are just bright.
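    As an added illustration (not code from the thread or from Roundcube), a small Python model of the Apache decisions the post relies on: the FilesMatch pattern from the .htaccess only takes effect once AllowOverride is enabled for the roundcubemail directory, and a deny-all .htaccess closes a whole subtree. The sample file names and the choice of config/ as the directory for the deny-all .htaccess are assumptions of this example.

```python
import re

# Deny pattern copied from the .htaccess shown in the post; Apache applies
# a FilesMatch regex to the basename of the requested file.
FILESMATCH_DENY = re.compile(r"(\.db|\.dist|\.inc|magic|msgimport|\~)$")


def is_served(request_path, allow_override, deny_all_dirs=()):
    """Model Apache's answer for one request below the roundcubemail docroot.

    allow_override: True once 'AllowOverride All' is set for the directory;
                    False for the ISPConfig default, where .htaccess is ignored.
    deny_all_dirs:  directories carrying the 'Order allow,deny / Deny from all'
                    .htaccess from the post (which ones is an assumption here).
    Returns True when Apache would hand the file to the client.
    """
    if not allow_override:
        return True  # no .htaccess is read at all, so nothing is protected
    parts = request_path.strip("/").split("/")
    for d in deny_all_dirs:
        prefix = d.strip("/").split("/")
        if parts[:len(prefix)] == prefix:
            return False  # deny-all covers the directory and everything below
    return FILESMATCH_DENY.search(parts[-1]) is None


def audit(paths, allow_override, deny_all_dirs=()):
    """Return the paths that would still be downloadable."""
    return [p for p in paths if is_served(p, allow_override, deny_all_dirs)]


# Constructed sample of file names from a Roundcube tree of that era.
SAMPLE_PATHS = [
    "index.php",
    "config/main.inc.php.dist",
    "config/db.inc.php.dist",
    "program/include/main.inc",
    "program/lib/mime.types~",
    # the renamed copy from the post; note that ".nop" is not matched
    "config/main.inc.php.dist.nop",
]

if __name__ == "__main__":
    print("ISPConfig default:   ", audit(SAMPLE_PATHS, False))
    print("AllowOverride All:   ", audit(SAMPLE_PATHS, True))
    print("+ deny-all in config:", audit(SAMPLE_PATHS, True, ("config",)))
```

    The last line of output shows why the rename alone is not enough once overrides work: only a deny-all .htaccess in config/ keeps the renamed copy from being served.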
  2. Hans

    Hans Moderator ISPConfig Developer

    First, I want to thank you for your close view and the advice you gave us.
    I have to say that you are completely right!

    The RC package for ISPConfig only copies RoundCube into the right directory.
    Regarding .htaccess files, RoundCube comes in its original state.
    The .htaccess files which come with RoundCube are not removed.

    Packages like phpMyAdmin, phpPgAdmin and also RoundCube are under heavy development.
    Each package needs its own ideal settings.

    Some examples:
    phpMyAdmin, php needs to be compiled with an extra module: --with-mcrypt
    phpPgAdmin, php needs to be compiled with an extra module: --with-pgsql
    RoundCube, uses .htaccess files, but also phpMyAdmin has one.

    In other words, installing these packages with the ISPConfig update manager is not enough.
    To let those apps function properly and safely, extra php-modules need to be compiled and/or modifications are needed regarding .htaccess files and what more.
    This can not be done by just installing the packages for ISPConfig.
    So, I think port 81 is not the right place to serve all those apps.
    It is meant for ISPConfig only.
    We don't want all those dependencies, because ISPConfig itself simply doesn't need them.

    In the past I started to update/maintain the existing packages as my contribution for the community.
    (Some of them were rather old, you see).

    The users of the packages expect something, which just works safely out of the box, but sometimes it is not.
    One of the advantages of the packages should be that they are simple to install and ready to use.
    With all the extra requirements of the packages and configurations which need to be changed, this is not the case at all.

    Personally, I think it is better to use Apache for only ISPConfig and Apache2 for the webs.
    This is what an ISPConfig server has been designed for and this is how I use it myself!

    For these reasons, I am considering not to maintain the packages any longer.
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    I have added this to the bugtracker. I think we can add the directory directive for AllowOverride into the ispconfig httpd.conf by default.

    When it comes to the "--with-mcrypt" for phpmyadmin, we are working to implement this, so that it is compiled with mcrypt when the mcrypt development files are installed, as we do it already for postgres.
  4. hrvbid

    hrvbid New Member

    Thank you Hans, thank you Till
    for the quick response. Let me add some remarks. The feature to have packages available at a central place (like phpmyadmin, like webmailers) together with ispconfig is a very good and useful choice, because there is a secured ssl environment where in most cases there cannot be much more when owning only a very limited pool of ip addresses. Also, to manage such centralized software with ispconfig at the higher admin level is well thought out. I would not like to miss that feature. In any case, such package implementations require the highest server admin's attention and should never be used without sensitive examinations.
    Sure, ispconfig itself doesn't need phpmyadmin, doesn't need a webmailer, but site users are most happy when they are offered. And ispconfig is very smartly designed to serve different kinds of users. The nature of such apps is always the universal usefulness for close to all.
    That means, only apps of such kind should be considered to have a life together with ispconfig. Without any doubt, phpmyadmin and webmailers belong to that kind. And always, a server admin decides about the availability; he may decide against it too. And best, he has the choice to decide.
    From this point, let me thank again for the great ispconfig and the great howtoforge with its rich content.
  5. hrvbid

    hrvbid New Member

    To Hans ...
    please do not give up on roundcube at ispconfig!
    It would be sad if my post caused your statement. :-(
  6. Hans

    Hans Moderator ISPConfig Developer

    Have a look here.
