Dev

dev@lists.roundcube.net

1 participants
4293 discussions

Roundcube and AppArmor on Debian
by André Rodier 13 Mar '18

13 Mar '18

Hello everyone, I successfully managed to have Roundcube working with nginx and a proper AppArmor profile. Now, I don't think PHP is included yet into the AppArmor profile, this might be tricker. Anyone has done this successfully before, or should I start from scratch? Thanks for your links and your opinions. I am using php-fpm. Finally, for those who are interested in yet another self-hosting configuration, I have started this project on GitHub: https://github.com/progmaticltd/homebox The main difference between existing projects are: - Stay inside a distribution packages, or use proper repositories providing stable security updates. - Trying to automate things as much as possible, in a secure manner (e.g. building and publishing DNS, DKIM, SPF, DMARC records automatically) Thanks for your thoughts. Kind regards, André

1 0

Roundcube, password plugin, and mysql
by David Mehler 11 Mar '18

11 Mar '18

Hello, I'm not sure if this issue is a bug. I've asked on the users list and don't believe there's anyone on it, i've got no list traffic. I use Roundcube 1.3.4 on a FreeBSD system. I use postfix which gets it's authentication from dovecot imap server and goes to a MySQL database. I am now wanting to get roundcube's password plugin to be able to change a users password. In the password plugin configuration file I had this originally: update virtual_users set password=CONCAT('{SHA512-CRYPT}', ENCRYPT (%p, CONCAT('$6$', SUBSTRING(SHA(RAND()), -16)))) WHERE user=%u; This didn't work nor did it return any debug information. I then went in to MySQL directly and did this: update virtual_users set password=CONCAT('{SHA512-CRYPT}', ENCRYPT ('PasswordGoesHere', CONCAT('$6$', SUBSTRING(SHA(RAND()), -16)))) WHERE user='Username goes here'; Directly at the MySQL prompt this worked replaced user and password with values and it got returned correctly. I then did this with %p and %u as it appeared that not having them quoted was causing an error. Through none of this am I getting any kind of debug or log output: update virtual_users set password=CONCAT('{SHA512-CRYPT}', ENCRYPT ('%p', CONCAT('$6$', SUBSTRING(SHA(RAND()), -16)))) WHERE user='%u'; I try to change the password and I get brought back to the same screen, no errors on the screen and nothing in a log, the password does not get changed. Any suggestions or ways I can get some logging information? Also, when doing the change at the MySQL prompt I got a warning, doing a show warnings revealed error 1287 that the ENCRYPT function is deprecated and to use AES_ENCRYPT instead. I tried replacing ENCRYPT with AES_ENCRYPT and that didn't work. I've got debug and sql and imap debug all enabled. I've got the below sql schema for my virtual users table: mysql> describe virtual_users; +------------------+----------------------+------+-----+---------+----------------+ | Field | Type | Null | Key | Default | Extra | +------------------+----------------------+------+-----+---------+----------------+ | id | int(11) | NO | PRI | NULL | auto_increment | | domain_id | int(11) | NO | MUL | NULL | | | user | varchar(40) | NO | MUL | NULL | | | password | varchar(128) | NO | | NULL | | | uid | smallint(5) unsigned | NO | | 999 | | | gid | smallint(5) unsigned | NO | | 999 | | | quota | bigint(20) | NO | | 0 | | | active | tinyint(1) | NO | | 1 | | | allow_imap | tinyint(1) | NO | | 1 | | | last_login_ip | varchar(16) | YES | | NULL | | | last_login_date | datetime | YES | | NULL | | | last_login_proto | varchar(5) | YES | | NULL | | +------------------+----------------------+------+-----+---------+----------------+ 12 rows in set (0.00 sec) The passwords are done as sha512-crypt hashes. Here's my current password/config.inc.php file: $cat config.inc.php <?php $config['password_driver'] = 'sql'; // Determine whether current password is required to change password. $config['password_confirm_current'] = true; // Require the new password to be a certain length. $config['password_minimum_length'] = 10; // Require the new password to contain a letter and punctuation character $config['password_require_nonalpha'] = true; // Enables logging of password changes into logs/password $config['password_log'] = true; // Comma-separated list of login exceptions for which password change // will be not available (no Password tab in Settings) $config['password_login_exceptions'] = null; // Array of hosts that support password changing. // Listed hosts will feature a Password option in Settings; others will not. // Example: array('mail.example.com', 'mail2.example.org'); // Default is NULL (all hosts supported). $config['password_hosts'] = null; // Enables saving the new password even if it matches the old password. Useful // for upgrading the stored passwords after the encryption scheme has changed. $config['password_force_save'] = true; // Enables forcing new users to change their password at their first login. $config['password_force_new_user'] = false; $config['password_algorithm'] = 'sha512-crypt'; // Password prefix (e.g. {CRYPT}, {SHA}) for passwords generated // using password_algorithm above. Default: empty. $config['password_algorithm_prefix'] = '{SHA512-CRYPT}'; // Path for dovecotpw/doveadm-pw (if not in the $PATH). // Used for password_algorithm = 'dovecot'. //$config['password_dovecotpw'] = '/usr/local/bin/doveadm pw'; // for dovecot-2.x // Dovecot password scheme. // Used for password_algorithm = 'dovecot'. //$config['password_dovecotpw_method'] = 'SHA512-CRYPT'; // Enables use of password with method prefix, e.g. {MD5}$1$LUiMYWqx$fEkg/ggr/L6Mb2X7be4i1/ // when using password_algorithm=dovecot //$config['password_dovecotpw_with_method'] = false; // Iteration count parameter for Blowfish-based hashing algo. // It must be between 4 and 31. Default: 12. // Be aware, the higher the value, the longer it takes to generate the password hashes. $config['password_blowfish_cost'] = 12; // Number of rounds for the sha256 and sha512 crypt hashing algorithms. // Must be at least 1000. If not set, then the number of rounds is left up // to the crypt() implementation. On glibc this defaults to 5000. // Be aware, the higher the value, the longer it takes to generate the password hashes. $config['password_crypt_rounds'] = 1256; // This option temporarily disables the password change functionality. // Use it when the users database server is in maintenance mode or sth like that. // You can set it to TRUE/FALSE or a text describing the reason // which will replace the default. $config['password_disabled'] = false; $config['password_db_dsn'] = 'mysql://database_username:database_password@localhost/database'; // The query can contain the following macros that will be expanded as follows: // %p is replaced with the plaintext new password // %P is replaced with the crypted/hashed new password // according to configured password_method // %o is replaced with the old (current) password // %O is replaced with the crypted/hashed old (current) password // according to configured password_method // %h is replaced with the imap host (from the session info) // %u is replaced with the username (from the session info) // %l is replaced with the local part of the username // (in case the username is an email address) // %d is replaced with the domain part of the username // (in case the username is an email address) // Deprecated macros: // %c is replaced with the crypt version of the new password, MD5 if available // otherwise DES. More hash function can be enabled using the password_crypt_hash // configuration parameter. // %D is replaced with the dovecotpw-crypted version of the new password // %n is replaced with the hashed version of the new password // %q is replaced with the hashed password before the change // Escaping of macros is handled by this module. // Default: "SELECT update_passwd(%c, %u)" //$config['password_query'] = 'SELECT update_passwd(%c, %u)'; $config['password_query'] = 'UPDATE virtual_users SET password=%c WHERE user=%u LIMIT 1'; //$config['password_query'] = 'UPDATE virtual_users SET password=CONCAT('{SHA512-CRYPT}', ENCRYPT (%p, CONCAT('$6$', SUBSTRING(SHA(RAND()), -16)))) WHERE user=%u limit 1;'; //$config['password_query'] = "update virtual_users set password=CONCAT('{SHA512-CRYPT}', ENCRYPT (%p, CONCAT('$6$', SUBSTRING(SHA(RAND()), -16)))) WHERE user=%u"; //$config['password_query'] = 'UPDATE users SET crypt=ENCRYPT(%p,CONCAT(_utf8\'$5$\',RIGHT(MD5(RAND()),8),_utf8\'$\')) WHERE id=%u LIMIT 1'; //UPDATE users SET password=%p WHERE username=%u AND password=%o AND domain=%h LIMIT 1 //UPDATE users SET password=ENCRYPT(%p,concat(_utf8'$1$',right(md5(rand()),8),_utf8'$')) WHERE username=%u LIMIT 1 $config['password_crypt_hash'] = 'sha512'; $config['password_idn_ascii'] = false; $config['password_hash_algorithm'] = 'sha1'; $config['password_hash_base64'] = false; $config['password_pw_usermod_cmd'] = 'sudo /usr/sbin/pw usermod -h 0 -n'; Suggestions welcome. Thanks. Dave.

1 0

Code modification for a personal implementation or a Plugin?
by Philip Rhoades 09 Mar '18

09 Mar '18

People, Years ago I posted on a suggested improvement list somewhere to have an option to only list folders with unread messages (I have hundreds of folders and it that option would greatly reduce the necessary scrolling) but it never got implemented - I guess because it never became a priority for scarce development resources. While I would still like that previously suggested upgrade, I have another upgrade which might be more amenable to me having a shot it doing the work myself. I think it is probably a minor tweak so I could just apply it to new, major versions of the code as they are released. However, if what I wanted to do could be done as a Plugin, I would be interested in trying that route as well. What I would like is, since there is already the facility to highlight newly arrived mails in blue - to modify this facility a little so that ANY mails that are less than 24 hours old are highlighted in blue. This would be useful for when I have had to exit out of RCM and reload it for some reason - currently all the blue highlighted mails lose the highlight on re-opening RCM. If someone could point me to the place in the code where I could do this myself or how suggest I could do this as a plugin, I would greatly appreciate it! Regards, Phil. -- Philip Rhoades PO Box 896 Cowra NSW 2794 Australia E-mail: phil(a)pricom.com.au

2 2

Elastic skin ready for testing
by A.L.E.C 05 Mar '18

05 Mar '18

Yesterday I merged the separate repository we had for Elastic code with the main Roundcube repository. You might notice ~530 new commits. So, the skin is now official. We're not yet ready for the beta release though. I think it will happen somewhere in the end of Q2. But if you're a plugin author it's time to start working on the new skin support. There are still things that may change according to the feedback we collected at https://github.com/roundcube/elastic/issues and https://git.kolab.org/tag/ux_seminar_ws17/. ps. it uses Less, so it does not work out of the box. Please, read README for simple installation instructions or use devel_mode with performance degradation. -- Aleksander 'A.L.E.C' Machniak Kolab Groupware Developer [http://kolab.org] Roundcube Webmail Developer [http://roundcube.net] ---------------------------------------------------- PGP: 19359DC1 # Blog: https://kolabian.wordpress.com

1 0

Roundcube Webmail Update 1.3.4 released
by Thomas Bruederli 15 Jan '18

15 Jan '18

Dear subscribers We proudly announce the next service release to update the stable version 1.3. It contains fixes to several bugs reported by our dear community members and makes Roundcube now fully compatible with PHP 7.2. See the full changelog in the release notes [1] on our Github download page. This release is considered stable and we recommend to update all productive installations of Roundcube with this version. Download it from https://roundcube.net/download. And as usual: please do backup your data before updating! New: starting with version 1.3.3 we also publish Roundcube releases as Docker images. The images are still considered BETA and your feedback with regards to setup, configuration and documentation is much appreciated. Best, Alec & Thomas [1] https://github.com/roundcube/roundcubemail/releases/tag/1.3.4

1 0

add custom button preview
by Vito Buscemi 14 Dec '17

14 Dec '17

I need information about the possibility of inserting a custom button in the preview of a message: how can I proceed? regards, Vito

1 0

cookie issue with contacts plugin and google analytics
by Brendan 09 Dec '17

09 Dec '17

i've had a strange bug happening with a couple users in our environment that i finally managed to track down. before i submit a patch, i'd like to hear opinions about the best way to do so. the problem essentially boils down to overly permissive google analytics(GA) cookies that some of our customers and end users are using. in some cases, GA hands out a cookie named _gid - that cookie can cause problems with roundcube if it's sent along as part of the request for retrieving contacts on the compose page. if you are using a custom contacts souce (as is the case with a contacts plugin, ie the carddav one) in program/steps/mail/list_contacts.inc this block is evaluated: if ($group_id = rcube_utils::get_input_value('_gid', rcube_utils::INPUT_GPC)) { $CONTACTS->set_group($group_id); } the request comes in from a GET, but rcube_utils::INPUT_GPC causes rcube_utils::get_input_value() to also consider cookies. if the GA _gid cookie is present, things fall apart (as the value of the cookie does not correspond to an existing group) and no contacts are returned. the simplest fix would be to switch rcube_utils::INPUT_GPC to rcube_utils::INPUT_GET so that roundcube would not consider the cookie. but, there could be some historical use case where the cookie needs to be considered? as an alternate, list_contacts.inc could try and validate the content of the $group_id that is returned and skip setting it if it doesn't seem reasonable. it would seem a little ugly to specifically check for a google specific cookie in the code, so it seems like the INPUT_GET change would be better... but i don't know if that would break other plugins. thoughts?

2 1

Attachment-Size
by Martin Wodrich 22 Nov '17

22 Nov '17

In our Roundcube (GIT-Master) Installation we can only attach up to 5 MebiByte Attachments. In the past (and in our 1.2.x RC-Installation) we can attach up to 128 MebiByte. We had already set the limits upload_max_filesize post_max_size memory_limit in the PHP.INI to 128M and comment out this in .htaccess. What can we do? Cheers, -- Martin Wodrich Admin freexp.de Waltrop/Germany

2 2

Roundcube Docker image
by Thomas Bruederli 21 Nov '17

21 Nov '17

Hello devs and list lurkers Upon common request [1] and a pull request from @J0WI we now published a Docker image for Roundcube webmail: https://hub.docker.com/r/roundcube/roundcubemail/ It's meant to be configured with the described env variables and ready for serving the webmail without first running through the installer. So far the configuration options are limited but it's a start. Before we now apply for an official image, I'd like your feedback and suggestions what other configuration options would be worth to be supported, especially when considering to use the docker image for production environments, too. So please give it a try and check the Dockerfile and entrypoint [2] for suggestions. Kind regards, Thomas [1] https://github.com/roundcube/roundcubemail/issues/5827 [2] https://github.com/roundcube/roundcubemail/tree/master/docker

1 0

Security updates 1.3.3, 1.2.7 and 1.1.10 released
by Thomas Bruederli 09 Nov '17

09 Nov '17

Dear subscribers We just published updates to all stable versions from 1.1.x onwards delivering fixes for a recently discovered file disclosure vulnerability in Roundcube Webmail. Apparently this zero-day exploit is already being used by hackers to read Roundcube’s configuration files. It requires a valid username/password as the exploit only works with a valid session. More details will be published soon under CVE-2017-16651. The Roundcube series 1.0.x is not affected by this vulnerability but we nevertheless back-ported the fix in order to protect from yet unknown exploits. See the full changelog for the according version in the release notes on the Github download pages: https://github.com/roundcube/roundcubemail/releases/tag/1.3.3 https://github.com/roundcube/roundcubemail/releases/tag/1.2.7 https://github.com/roundcube/roundcubemail/releases/tag/1.1.10 https://github.com/roundcube/roundcubemail/releases/tag/1.0.12 We strongly recommend to update all productive installations of Roundcube with either one of these versions. In order to check whether your Roundcube installation has been compromised check the access logs for requests like ?_task=settings&_action=upload-display&_from=timezone As mentioned above, the file disclosure only works for authenticated users and by finding such requests in the logs you should also be able to identify the account used for this unauthorized access. For mitigation we recommend to change the all credentials to external services like database or LDAP address books and preferably also the 'des_key' option in your config. Kind regards Alec & Thomas

1 0

← Newer
1
...
6
7
8
9
10
11
12
...
430
Older →

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

Dev