Users August 2019

users@lists.roundcube.net

13 participants
13 discussions

Strange sieve script
by Jorge Bastos 24 Nov '19

24 Nov '19

Howdy, I've seen some some time and in distinct users, a redirect script been added to an email that has nothing to do with them. Maybe it's for fishing or other intention, maybe even espionage, which is real nowadays. Did anyone saw this in your users? I catched this in a regular "mailq" investigation for problems

2 2

Content Security Policy for Roundcube
by James Brown 11 Oct '19

11 Oct '19

Turning on 'Show Javascript Console' from Safari Develop menu showed me that my Content Security Policy was preventing emails displaying in mailboxes. Additionally at logout I get the message "PHP Error: Request security check failed REQUEST CHECK FAILED For your protection, access to this resource is secured against CSRF. If you see this, you probably didn't log out before leaving the web application. Human interaction is now required to continue." Please contact your server-administrator. Commenting out the CSP line in https.conf fixed it. Currently using: Header set Content-Security-Policy "default-src 'self'; form-action 'self'; frame-ancestors 'self'; base-uri ‘self' Which fails. Is there a recommended CSP for Roundcube? thanks, James.

5 9

Roundcube Webmail 1.3.10 released
by Thomas Bruederli 29 Aug '19

29 Aug '19

Dear subscribers We proudly announce the next service release to update the stable version 1.3. It contains fixes to several bugs backported from the master branch including minor security fixes around CSS and HTML cleanup. See the full changelog in the release notes on the Github download page [1]. This release is considered stable and we recommend to update all productive installations of Roundcube with this version. Download it from https://roundcube.net/download. Best, Alec & Thomas [1] https://github.com/roundcube/roundcubemail/releases/tag/1.3.10

1 0

Truncated filenames of attachments
by Jorge 22 Aug '19

22 Aug '19

Hi All, I use Roundcube version 1.3.6 and I have problems with the attached files whose name is quite long (more than 90 characters). When downloading them the name is truncated to the first 91 characters and not including the extension, which is usually difficult to open correctly. For example: A23456789B23456789C23456789D23456789E23456789F23456789G23456789H23456789I23456789J23456789K23456789L23456789M23456789N23456789O23456789P23456789Q23456789.txt when downloading it RoundCube shows it to me as: A23456789B23456789C23456789D23456789E23456789F23456789G23456789H23456789I23456789J23456789K truncated to 91 characters and not including the extension. Has anyone had such problems? Is there any way to fix it? Jorge Colaccini --- El software de antivirus Avast ha analizado este correo electrónico en busca de virus. https://www.avast.com/antivirus

4 3

Roundcube, This content can not be displayed in a frame error
by David Mehler 12 Aug '19

12 Aug '19

Hello, Up until about half an hour ago I had a working roundcube installation running on php 7.3 and apache 2.4. I went in to tweak my X-Frame-Options headers among others in apache and now I'm getting the error this content can not be displayed in a frame. This is with ie11. Chrome isn't showing me messages either, but it isn't giving the error. Now I did have the webmail open in an ie tab during this working, but it was not logged in in fact I ignored it. I've sense put the option back to SAMEORIGIN, restarted both apache and php-fpm several times, refreshed the ie browser window, deleted temporary internet files, still getting the error. I've even gone in to defaults.inc.php (yes I know that's not standard practice) and changed x_frame_options from it's default of sameorigin to false, again restarted both apache and php-fpm as well as another ie refresh, still getting the error. I have not checked on another computer i'm not near one at the moment. Any ideas very welcome. Thanks. Dave.

2 1

Automatically insert address book source in message headers
by André Rodier 11 Aug '19

11 Aug '19

Hello all, I am actually writinghave written a milter with Python that can be useful, especially if you are using the Sieve filters. It is written for SOGo, but it should be very simple (even simpler) to translate into RoundCube address books. This is a very simple milter, written in Python, that do the following when a new message arrive. 1. Get the recipient uid "UID" from the email address. 2. Get the list of address books in the database for the user with uid "UID" 3. Search the sender email address in all the user's address books 4. If found at least one, add one header "X-AddressBook" which contains a list of all the address books found, with a prefixed syntax: X-AddressBook: "SOGo:Personnal, SOGo:Professional" So, in the case of RoundCube, the plugin would use RoundCube prefix, but the same principle. There are some limitations, of course, but it is still functional. - Once active, sieve filters should be simpler, no need to have a long list of from email address, just create an address book, and a put your contacts in it. - You can create a different automatic responder for each address book. - Because I am using this on Debian Stretch for now, I am using the available version of python-milter, which uses python2. When I will port this to buster, I will use the python3-milter package. I tried to made it compatible with version 3 as much as I could. - This is freshly new, and has not been tested in production yet. I am working on it. - You can test the behaviour using an SQLite database. Because my first idea was to use a global sqlite database synchronised with multiple address books, it was supposed to contain not the email address but a hash (sha256). - I am not a Python expert, and perhaps there are some errors in the code, but it should be readable. I had to disable a few pylint warnings, as I could not solve them at all, especially those related to the inherited class. - This is the first time I am writing a milter script, be indulgent. The code: https://github.com/progmaticltd/sogo-milters/blob/master/milter-abook/milte… I initially wrote this for HomeBox, I may add some documentation for the deployment if needed. Kind regards, André

1 1

managesieve-plugin closes connection before negotiation
by Florian Ruhnke (OiledAmoeba) 09 Aug '19

09 Aug '19

Hi, I do have an running dovecot-sieve installation. There is no problem to use it with rainloop or Thunderbird. But I can't get roundcube to work with sieve. Dovecot forces to initiate TLS before auth. SSL is disabled, only TLS 1.2+ is enabled. sieve-log of roundcube: [31-Jul-2019 16:24:29 +0200]: <fqn6h82s> S: "IMPLEMENTATION" "Dovecot Pigeonhole" [31-Jul-2019 16:24:29 +0200]: <fqn6h82s> S: "SIEVE" "fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext imapsieve vnd.dovecot.imapsieve" [31-Jul-2019 16:24:29 +0200]: <fqn6h82s> S: "NOTIFY" "mailto" [31-Jul-2019 16:24:29 +0200]: <fqn6h82s> S: "SASL" "" [31-Jul-2019 16:24:29 +0200]: <fqn6h82s> S: "STARTTLS" [31-Jul-2019 16:24:29 +0200]: <fqn6h82s> S: "VERSION" "1.0" [31-Jul-2019 16:24:29 +0200]: <fqn6h82s> S: OK "Doctor, your Tardis is ready." [31-Jul-2019 16:24:29 +0200]: <fqn6h82s> C: STARTTLS [31-Jul-2019 16:24:29 +0200]: <fqn6h82s> S: NO "Error in MANAGESIEVE command received by server." [31-Jul-2019 16:24:29 +0200]: <fqn6h82s> C: LOGOUT [31-Jul-2019 16:24:29 +0200]: <fqn6h82s> S: OK "Begin TLS negotiation now." maillog (dovecot errors): Jul 31 16:24:29 mail dovecot: managesieve-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=10.23.102.80, lip=10.23.102.251, TLS handshaking: SSL_accept() failed: error:1408F10B:SSL routines:ssl3_get_record:wrong version number, session=<rbUW4vqOC+MKF2ZQ> managesieve config.inc.php: $config['managesieve_port'] = 4190; $config['managesieve_host'] = 'mail.domain.tld'; $config['managesieve_auth_type'] = 'PLAIN'; $config['managesieve_auth_cid'] = null; $config['managesieve_auth_pw'] = null; $config['managesieve_usetls'] = true; //$config['managesieve_conn_options'] = null; $config['managesieve_conn_options'] = array( 'ssl' => array( 'verify_peer' => true, 'verify_peer_name' => true, 'allow_self_signed' => false, ), ); $config['managesieve_default'] = '/etc/dovecot/sieve/global'; $config['managesieve_script_name'] = 'managesieve'; $config['managesieve_mbox_encoding'] = 'UTF-8'; $config['managesieve_replace_delimiter'] = ''; $config['managesieve_disabled_extensions'] = array(); $config['managesieve_debug'] = true; $config['managesieve_kolab_master'] = false; $config['managesieve_filename_extension'] = '.sieve'; $config['managesieve_filename_exceptions'] = array(); $config['managesieve_domains'] = array(); $config['managesieve_vacation'] = 1; $config['managesieve_vacation_interval'] = 0; $config['managesieve_vacation_addresses_init'] = false; $config['managesieve_vacation_from_init'] = false; $config['managesieve_notify_methods'] = array('mailto'); $config['managesieve_raw_editor'] = true; The dovecot-log looks like roundcube is trying to initiate SSL3 but this is disabled. I think "Error in MANAGESIEVE command received by server." has to do with the deactivated SSL. Connecting to dovecot manually with gnutls-cli --starttls -p 4190 mail.domain.tld: Processed 306 CA certificate(s). Resolving 'mail.domain.tld:4190'... Connecting to '<IP>:4190'... - Simple Client Mode: "IMPLEMENTATION" "Dovecot Pigeonhole" "SIEVE" "fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate m ime foreverypart extracttext imapsieve vnd.dovecot.imapsieve" "NOTIFY" "mailto" "SASL" "" "STARTTLS" "VERSION" "1.0" OK "Doctor, your Tardis is ready." NO "Error in MANAGESIEVE command received by server." STARTTLS OK "Begin TLS negotiation now." *** Starting TLS handshake - Certificate type: X.509 - Got a certificate list of 2 certificates. - Certificate[0] info: - subject `CN=mail.domain.tld', issuer `CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US', serial 0x03c0d3d322307e5a997f654b435b56480773, RSA key 4096 bits, signed using RSA-SHA256, activated `2019-06-06 09:18:10 UTC', expires `2019-09-04 09:18:10 UTC', pin-sha256="8Sl17lWxWYSJcTcppQG4DLSBhEP/uRkZ5NTQfdkkoS4=" Public Key ID: sha1:62b08cf75ae6c45915db8d8c7bff6947788ac3b2 sha256:f12975ee55b1598489713729a501b80cb4818443ffb91919e4d4d07dd924a12e Public Key PIN: pin-sha256:8Sl17lWxWYSJcTcppQG4DLSBhEP/uRkZ5NTQfdkkoS4= - Certificate[1] info: - subject `CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US', issuer `CN=DST Root CA X3,O=Digital Signature Trust Co.', serial 0x0a0141420000015385736a0b85eca708, RSA key 2048 bits, signed using RSA-SHA256, activated `2016-03-17 16:40:46 UTC', expires `2021-03-17 16:40:46 UTC', pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=" - Status: The certificate is trusted. - Description: (TLS1.3)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM) - Options: "IMPLEMENTATION" "Dovecot Pigeonhole" "SIEVE" "fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext imapsieve vnd.dovecot.imapsieve" "NOTIFY" "mailto" "SASL" "PLAIN LOGIN" "VERSION" "1.0" OK "TLS negotiation successful." LOGOUT OK "Logout completed." - Peer has closed the GnuTLS connection So, what do I have to do to get roundcube to talk to sieve?

2 2

error when enabling kolab calendar plugin, is there a fix?
by David Mehler 05 Aug '19

05 Aug '19

Hello, Trying to get kolab calendar plugin going with roundcube 1.3.9 and getting the following error, in the browser it's an error 500 in the log here's what I have, is there a fix? Thanks. Dave. #cat errors [05-Aug-2019 17:45:54 America/New_York] PHP Fatal error: Uncaught Error: Call to protected method rcmail_output_html::search_form() from context 'calendar_ui' in /usr/local/www/roundcube/plugins/calendar/lib/calendar_ui.php:795 Stack trace: #0 /usr/local/www/roundcube/program/include/rcmail_output_html.php(1145): calendar_ui->resources_search_form(Array) #1 [internal function]: rcmail_output_html->xml_command(Array) #2 /usr/local/www/roundcube/program/include/rcmail_output_html.php(1013): preg_replace_callback('/<roundcube:([-...', Array, '<roundcube:obje...') #3 /usr/local/www/roundcube/program/include/rcmail_output_html.php(634): rcmail_output_html->parse_xml('<roundcube:obje...') #4 /usr/local/www/roundcube/program/include/rcmail_output_html.php(488): rcmail_output_html->parse('calendar', false) #5 /usr/local/www/roundcube/plugins/calendar/calendar.php(333): rcmail_output_html->send('calendar.calend...') #6 /usr/local/www/roundcube/program/lib/Roundcube/rcube_plugin_api.php(493): calendar->calendar_view() #7 /usr/local/www/roundcube/index.php(295): rcube_plugin_ in /usr/local/www/roundcube/plugins/calendar/lib/calendar_ui.php on line 795

1 0

Configuring Classic for Desktop but Elastic for Phone?
by Philip Rhoades 05 Aug '19

05 Aug '19

People, Is there some way to do this? I want to stick with Classic for the Desktop because I think that is better suited but Elastic is obviously better for the phone - is there some way RCM can tell what the client is and choose the appropriate Skin? Thanks, Phil. -- Philip Rhoades PO Box 896 Cowra NSW 2794 Australia E-mail: phil(a)pricom.com.au

1 0

removing a roundcube enigma key
by David Mehler 04 Aug '19

04 Aug '19

Hello, I've got a new pgp key that I've imported with enigma. I'd now like to remove the old key, via enigma. I am not seeing how to do this. Can I get rid of the old key I know the ID via roundcube or if not can I do it via the CLI and then associate the new key ID with the profile? Thanks. Dave.

1 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

Users August 2019