
PCI Compliance - courier imap,netqmail

snowfire
Hi,
I'm new to Plesk and PHP/Linux, and I need some guidance regarding two PCI issues a client has.
First, I have read and implemented the Plesk PCI guide.
My server is as follows (Media Temple hosted, new DV 4.0 server):

Version Parallels Plesk Panel v10.3.1_build1012110812.15 os_CentOS 5
OS Linux 2.6.18-028stab093.2
I have two outstanding issues that SecurityMetrics has identified:
1. Description: possible format string vulnerability in Courier IMAP. Severity:
Resolution: Upgrade to Courier IMAP 3.0.4 or higher, or set DEBUG_LOGIN equal to the default value of 0 in the IMAP configuration file, which is typically located in /usr/lib/courier-imap/etc/imapd
2. Description: possible vulnerability in Qmail. Severity: Potential Problem. CVE: CVE-2005-1513 CVE-2005-1514 CVE-2005-1515
Resolution: On 32-bit platforms, [http://www.qmail.org] upgrade to [http://www.qmail.org/netqmail/] netqmail 1.05 or later. netqmail consists of Qmail 1.03 and important patches. On 64-bit platforms, upgrade to netqmail 1.06 or later, which will presumably contain a fix, when available.


For 1, I looked in the specified location; that folder (etc/imapd) did not exist. I found this folder: /etc/courier-imap/imapd.cnf, but Debug_Login was set to 0 there. Can anyone tell me where to find the configuration file, or how to resolve this issue?
2. How do I find out what version of qmail I am running, and how would I upgrade it to netqmail?

Thank you for reading,
Debbie Wright
 
Hi Debbie,

For number 1, run the following two commands on your server and send the output to SecurityMetrics:

Command 1: yum list installed | grep courier-imap
Command 2: grep DEBUG_LOGIN /etc/courier-imap/imapd

This should be sufficient to prove mitigation.

For number 2, try this (I honestly don't know if this will work, but could do with finding out!):

Command: yum list installed | grep qmail
Send the output along with the info below:

Qmail is labelled version 1.03 but is a Plesk-patched version of qmail; the following links provide the info on the patches applied:
Parallels KB article which contains the link to the archive of patches: http://kb.parallels.com/en/1161
Link to archive of applied qmail patches: http://kb.parallels.com/Attachments/806/Attachments/plesk93_qmail_patches.tgz

We regularly have to provide mitigation for your first issue, but for the 2nd, we've only seen it once before and we've yet to get confirmation back from SecurityMetrics that it's mitigation.

If it's not, then I've got a lot of Plesks to convert to Postfix :(

Paul.
 
Paul,

That worked. They accepted the documentation for both issues without question.
 
Excellent, thanks for letting me know, we're starting to see both of these come up with depressing regularity in the last week or so.
 
Yeah, that's just a bad vulnerability scanner there for the 2nd issue. It's working off a pure banner grab to determine the version.
 
Yeah, I don't like doing it because it's against the spirit of compliance, but I'm going to see if there's a way to block giving out the versions for both, in which case they'll just pass. We know (at least as of right now) that the issue is not there, and it's additional work for all involved to have to submit mitigation.

Still... I find SecurityMetrics to be one of the better PCI Compliance scanners simply because their notifications are not deliberately vague or incomprehensible.
 
PCI compliance

Hi All, I have the following issue, have you been able to resolve this?

Protocol: TCP
Port: 25
Program: smtp
Risk: 5
Summary:
Description: possible vulnerability in Qmail
Severity: Potential Problem
CVE: CVE-2005-1513 CVE-2005-1514 CVE-2005-1515
Impact: The vulnerability can be exploited to crash the current SMTP process and cause denial of service by consuming resources. It is theoretically possible, though considered unlikely, that an attacker could execute arbitrary code.
Background: Qmail is an open-source SMTP server. It was designed to be a secure replacement for sendmail/binmail.
Resolution: On 32-bit platforms, [http://www.qmail.org] upgrade to [http://www.qmail.org/netqmail/] netqmail 1.05 or later. netqmail consists of Qmail 1.03 and important patches. On 64-bit platforms, upgrade to netqmail 1.06 or later, which will presumably contain a fix, when available.
Vulnerability Details: Service: smtp
 
Hello, gents.

The vulnerabilities mentioned in #2 were fixed in the qmail shipped by Plesk many years ago.

An updated qmail with a hidden version will be delivered with a further Plesk update soon.
 
As a follow-up suggestion there, referencing the CVE inside the %changelog of the rpm package is the standard for documenting backported fixes. Additionally, doing that allows you to directly reference a fix using the yum security plugin with the --cve, --security, --bz, and --advisory flags.
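The evidence-gathering Paul describes above, plus the %changelog check suggested in the last post, collected into one script. This is an added example, not code from this thread, from Plesk or from SecurityMetrics. Each function reads the same input Paul's commands produce (the `yum list installed` line, the courier-imap `imapd` file, the output of `rpm -q --changelog qmail`) on stdin, so it can be pointed at a live server or, as here, at constructed samples; the sample config, package line and changelog entry at the bottom are made up for illustration.

```sh
#!/bin/sh
# Added example, not code from this thread or from Plesk. It automates the
# evidence-gathering above: read the courier-imap config, the installed package
# version and the qmail rpm changelog, and answer the questions the scanner
# asks. Every function reads its input on stdin so the same code runs against
# a live server (see the usage note) or the constructed samples at the bottom.

# Effective DEBUG_LOGIN value of a courier-imap imapd file read on stdin.
# Courier reads the file as KEY=VALUE lines; comment lines (which in the stock
# file also contain the string DEBUG_LOGIN, so a plain grep shows them too)
# are ignored and the last assignment wins. Prints "unset" if never assigned.
debug_login_value() {
    awk -F= '
        /^[ \t]*#/ { next }
        $1 ~ /^[ \t]*DEBUG_LOGIN[ \t]*$/ {
            v = $2
            gsub(/"/, "", v)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            last = v
        }
        END { print (last == "" ? "unset" : last) }
    '
}

# Upstream version from a "yum list installed" line such as
# "courier-imap.x86_64   3.0.8-cos5.build95100718.10   installed":
# take the second column, drop any epoch prefix and the release suffix.
package_version() {
    awk '{ split($2, v, "-"); sub(/^[0-9]+:/, "", v[1]); print v[1]; exit }'
}

# Return 0 if dotted version $1 is at least $2 (numeric, component-wise;
# a missing component counts as 0, so 3.0 equals 3.0.0).
version_at_least() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = (i <= na) ? x[i] + 0 : 0
            q = (i <= nb) ? y[i] + 0 : 0
            if (p > q) exit 0
            if (p < q) exit 1
        }
        exit 0
    }'
}

# Given an rpm changelog on stdin and CVE ids as arguments, print every CVE
# the changelog does not mention and return 1 if any is missing. A CVE that
# appears in the changelog is the documented backport the last post asks for.
changelog_covers_cves() {
    log=$(cat)
    missing=0
    for cve in "$@"; do
        if ! printf '%s\n' "$log" | grep -qi -- "$cve"; then
            echo "not documented in changelog: $cve"
            missing=1
        fi
    done
    return $missing
}

# --- Constructed sample inputs (hypothetical, so the script runs offline) ---
SAMPLE_IMAPD='##NAME: DEBUG_LOGIN:0
#
# DEBUG_LOGIN=1 logs login attempts, DEBUG_LOGIN=2 logs passwords too.
DEBUG_LOGIN=0'

SAMPLE_YUM='courier-imap.x86_64   3.0.8-cos5.build95100718.10   installed'

SAMPLE_CHANGELOG='* Mon Jan 01 2010 Example Packager <pkg@example.invalid> - 1.03-2
- backport fix for CVE-2005-1513 CVE-2005-1514 CVE-2005-1515 (SMTP denial of service)'

# Run the checks against the samples.
echo "DEBUG_LOGIN = $(printf '%s\n' "$SAMPLE_IMAPD" | debug_login_value)"
ver=$(printf '%s\n' "$SAMPLE_YUM" | package_version)
if version_at_least "$ver" 3.0.4; then
    echo "courier-imap $ver meets the scanner's 3.0.4 threshold"
else
    echo "courier-imap $ver is below 3.0.4: DEBUG_LOGIN=0 is the mitigation"
fi
if printf '%s\n' "$SAMPLE_CHANGELOG" | changelog_covers_cves \
        CVE-2005-1513 CVE-2005-1514 CVE-2005-1515; then
    echo "qmail changelog documents all three CVEs"
fi
```

On a real server the same functions take `debug_login_value < /etc/courier-imap/imapd`, `yum list installed | grep '^courier-imap' | package_version` and `rpm -q --changelog qmail | changelog_covers_cves CVE-2005-1513 CVE-2005-1514 CVE-2005-1515`. Two caveats: yum wraps long package names onto a second line, so `rpm -q --qf '%{VERSION}\n' courier-imap` is the more reliable source of the version; and a CVE in the changelog only documents that the packager recorded the backport, which is exactly the paper trail the scanner vendor is being asked to accept, not an independent test of the binary.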
 