• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

PCI Compliance - courier imap,netqmail

S

snowfire

Guest
Hi,
I'm new to plesk, and php/linux, and I need some guidance regarding two pci issues a client has.
first, I have read and implemented the plesk pci guide.
my server is as follows (media temple hosted, new dv 4.0 server):

Version Parallels Plesk Panel v10.3.1_build1012110812.15 os_CentOS 5
OS Linux 2.6.18-028stab093.2
I have two outstanding issues that Security metrics has identified:
1. Description: possible format string vulnerability in Courier IMAP Severity:
Resolution: Upgrade to Courier IMAP 3.0.4 or higher, or set DEBUG_LOGIN equal to the default value of 0 in the IMAP configuration file, which is typically located in /usr/lib/courier-imap/etc/imapd
2. Description: possible vulnerability in Qmail Severity: Potential Problem CVE: CVE-2005-1513 CVE-2005-1514 CVE-2005-1515:
Resolution On 32-bit platforms, [http://www.qmail.org] upgrade to [http://www.qmail.org/netqmail/] netqmail 1.05 or later. netqmail consists of Qmail 1.03 and important patches. On 64-bit platforms, upgrade to netqmail 1.06 or later, which will presumably contain a fix, when available.


for 1, I looked in the specified location, that folder (etc/imapd) did not exist. I found this folder: /etc/courier-imap/imapd.cnf, but in the Debug_Login was set to 0 there. can anyone tell me where to find the configuration file, or how to resolve this issue?
2. how do I find out what version of qmail I am running, and how would I upgrade it to netqmail?

thank you for reading
Debbie Wright
 
Hi Debbie,

For number 1, run the following two commands on your server and send the output to SecurityMetrics :

Command 1 : yum list installed | grep courier-imap
Command 2 : grep DEBUG_LOGIN /etc/courier-imap/imapd

This should be sufficient to prove mitigation.

For number 2, try this (I honestly don't know if this will work, but could do with finding out!) :

Command : yum list installed | grep qmail
Send the output along with the info below :

Qmail is labelled version 1.03 but is a Plesk patched version of qmail, the following links provide the info on the patches applied :
Parallels KB article which contains the link to the archive of patches : http://kb.parallels.com/en/1161
Link to archive of applied qmail patches : http://kb.parallels.com/Attachments/806/Attachments/plesk93_qmail_patches.tgz

We regularly have to provide mitigation for your first issue, but for the 2nd, we've only seen it once before and we've yet to get back confirmation that its mitigation from SecurityMetrics.

If its not then I've got a lot of Plesk's to convert to Postfix :(

Paul.
 
Paul

That worked. they accepted the documentation for both issues without question.
 
Excellent, thanks for letting me know, we're starting to see both of these come up with depressing regularity in the last week or so.
 
Yeah thats just a bad vulnerablity scanner there for the 2nd issue. Its working off a pure banner grab to determine the version.
 
Yeah, I don't like doing it because its against the spirit of compliance but I'm going to see if there's a way to block giving out the versions for both, in which case they'll just pass. We know (at least as of right now) that the issue is not there, and its additional work for all involved to have to submit mitigation.

Still... I find SecurityMetrics to be one of the better PCI Compliance scanners simply because their notifications are not deliberately vague or incomprehensible.
 
PCI compliance

Hi All, I have the following issue, have you been able to resolve this?

Protocol Port Program Risk Summary
TCP 25 smtp 5 Description: possible vulnerability in Qmail Severity: Potential Problem CVE: CVE-2005-1513 CVE-2005-1514 CVE-2005-1515 Impact: The vulnerability can be exploited to crash the current SMTP process and cause denial of service by consuming resources. It is theoretically possible, though considered unlikely, that an attacker could execute arbitrary code. Background: Qmail is an open-source SMTP server. It was designed to be a secure replacement for sendmail/binmail. Resolution On 32-bit platforms, [http://www.qmail.org] upgrade to [http://www.qmail.org/netqmail/] netqmail 1.05 or later. netqmail consists of Qmail 1.03 and important patches. On 64-bit platforms, upgrade to netqmail 1.06 or later, which will presumably contain a fix, when available. Vulnerability Details: Service: smtp
 
Hello, Gents.

Mentioned in #2 vulnerabilities have been fixed in qmail shipped by Plesk for many years ago.

Updated qmail with hidden version will be delivered with further Plesk updates soon.
 
As a follow up suggestion there, referencing the CVE inside the %changelog of the rpm package is the standard for documenting backported fixes. Additionally doing that allows you to can directly reference a fix using the yum security plugin with the --cve, --security, --bz, and --advisory flags.
 
Back
Top