Any known issues with installing/running roundcube and dovecot on the same server?
Simple answer is no issues at all, I've done it all on the same server and my server has
Postfix, dovecote and roundcube
On Thu, 7 Sept 2023, 22:05 joe a, <joea-lists@j4computers.com> wrote:
Any known issues with installing/running roundcube and dovecot on the same server?
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org
Thanks.
On 9/7/2023 17:09:25, robert k Wild wrote:
Simple answer is no issues at all, I've done it all on the same server and my server has
Postfix, dovecote and roundcube
On Thu, 7 Sept 2023, 22:05 joe a, <joea-lists@j4computers.com> wrote:
Any known issues with installing/running roundcube and dovecot on the same server?
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org
On Thu, Sep 07, 2023 at 05:00:51PM -0400, joe a wrote:
Any known issues with installing/running roundcube and dovecot on the same server?
No!
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org
-- Member - Liberal International This is doctor@nk.ca Ici doctor@nk.ca Yahweh, King & country!Never Satan President Republic!Beware AntiChrist rising! Look at Psalms 14 and 53 on Atheism https://www.empire.kred/ROOTNK?t=94a1f39b Manitoba on 3 Oct 2023 vote Liberal! Beware https://mindspring.com
On 8/9/23 05:00, joe a wrote:
Any known issues with installing/running roundcube and dovecot on the same server?
There is a generic issue with doing this. That is if you have roundcube (or any other web mail interface) on the same server as dovecot, a breach of the web interface could be quite serious and allow access to the complete mail store.
A better configuration is to run the web mail interface on an isolated server and get it to communicate using TLS imap with a remote dovecot service.
For economy, you could do this on the same machine using a small virtual server to run roundcube
Any known issues with installing/running roundcube and dovecot on the same server?
There is a generic issue with doing this. That is if you have roundcube (or any other web mail interface) on the same server as dovecot, a breach of the web interface could be quite serious and allow access to the complete mail store.
A better configuration is to run the web mail interface on an isolated server and get it to communicate using TLS imap with a remote dovecot service.
For economy, you could do this on the same machine using a small virtual server to run roundcube
I disagree with this, and that is what user/group/permissions are for.
Roundcube does not have direct file access to the emails even on the same server. Roundcube opens a connection to dovecot, supplies the user/pass/login credentials to dovecot, and dovecot fetches the email stores and serves it to roundcube. There is nothing a hacker can gain access to by exploiting roundcube that they also couldn't get in the same scenario if roundcube and dovecot were on two different machines.
On 8/9/23 07:38, dovecot--- via dovecot wrote:
Roundcube does not have direct file access to the emails even on the same server. Roundcube opens a connection to dovecot, supplies the user/pass/login credentials to dovecot, and dovecot fetches the email stores and serves it to roundcube. There is nothing a hacker can gain access to by exploiting roundcube that they also couldn't get in the same scenario if roundcube and dovecot were on two different machines.
The scenario you describe does not consider a breach of the web mail service that allows root access to the file system.
If the web service is compromised to that extent then the mail file store is also compromised.
If the mail file store is on a different device then an exploit has to not only breach the web service on the interface device, it then has to breach the remote store. This will be extremely difficult compared to simply breaching a web server and locally exploiting it.
When the dovecot server is on a remote system and correct firewalls are in place, then the attacker has to breach the imap protocols as well
This article describes the concept
https://www.fortinet.com/resources/cyberglossary/what-is-dmz
On 2023-09-08, jeremy ardley via dovecot wrote:
The scenario you describe does not consider a breach of the web mail service that allows root access to the file system.
If the web service is compromised to that extent then the mail file store is also compromised.
If the mail file store is on a different device then an exploit has to not only breach the web service on the interface device, it then has to breach the remote store. This will be extremely difficult compared to simply breaching a web server and locally exploiting it.
When the dovecot server is on a remote system and correct firewalls are in place, then the attacker has to breach the imap protocols as well
But if root access is gained on the web server, root access is also gained on roundcube. And mails, the important thing to protect, can be freely read/deleted. At this point root access on the dovecot server does not matter.
El 8/9/23 a les 10:07, Michel Verdier ha escrit:
On 2023-09-08, jeremy ardley via dovecot wrote:
The scenario you describe does not consider a breach of the web mail service that allows root access to the file system.
If the web service is compromised to that extent then the mail file store is also compromised.
If the mail file store is on a different device then an exploit has to not only breach the web service on the interface device, it then has to breach the remote store. This will be extremely difficult compared to simply breaching a web server and locally exploiting it.
When the dovecot server is on a remote system and correct firewalls are in place, then the attacker has to breach the imap protocols as well
But if root access is gained on the web server, root access is also gained on roundcube. And mails, the important thing to protect, can be freely read/deleted. At this point root access on the dovecot server does not matter.
In a webmail-only container, the only information attacker can reach gaining root permissions is what Roundcube stores:
- Logged-in account preferences (identifying used usernames)
- Data cache
MDA/IMAP server stores full mailboxes data, nor full accounts directory. IMAP-only users are not compromised because of a remote webmail breach.
Another reason to separate software can be maintenance organisation:
- Separate administrators
- Update/upgrade OS as needed by one service but not the other
--
Narcis Garcia
I'm using this dedicated address because personal addresses aren't masked enough at this mail public archive. Public archive administrator should fix this against automated addresses collectors.
On 2023-09-08, jeremy ardley via dovecot wrote:
The scenario you describe does not consider a breach of the web mail service that allows root access to the file system.
If the web service is compromised to that extent then the mail file store is also compromised.
If the mail file store is on a different device then an exploit has to not only breach the web service on the interface device, it then has to breach the remote store. This will be extremely difficult compared to simply breaching a web server and locally exploiting it.
When the dovecot server is on a remote system and correct firewalls are in place, then the attacker has to breach the imap protocols as well
But if root access is gained on the web server, root access is also gained on roundcube. And mails, the important thing to protect, can be freely read/deleted. At this point root access on the dovecot server does not matter.
Since when does a hacked website gain root? What argument is next, when your storage solution is hacked they have access to your files? Are you not working with linux? How frequent are exploits that give you a root. You can even run the webserver without root, because you only need binding the low port linux capability. So if your webserver process does not even run root, how can it gain it?
On 8/9/23 16:24, Marc wrote:
Since when does a hacked website gain root?
A web search on 'linux web server exploits that gain root' will give many examples.
Security design by first principle assumes that an attacker will gain root access.
Best practise is to limit the damage that can cause. The usual way to limit it is put all public facing systems in a DMZ and have a very carefully controlled access from them to an internal priavte network. The access control is performed by systems that cannot be controlled by a breached public facing server. e.g. router firewalls,.
A web search on 'linux web server exploits that gain root' will give many examples.
No, not. And you better get your info for this type of stuff from cve websites or apache vulnerability list.
Security design by first principle assumes that an attacker will gain root access.
I would not know. Logical deduction of the topic question 'when roundcube gets hacked' does not include all this.
The OP is correct with his question. The risk of having an undetected exploit in roundcube code is probably >10000x than something with the webserver software.
Best practise is to limit the damage that can cause. The usual way to limit it is put all public facing systems in a DMZ and have a very carefully controlled access from them to an internal priavte network. The access control is performed by systems that cannot be controlled by a breached public facing server. e.g. router firewalls,.
How does stating something so obvious but irrelevant contribute?
On 2023-09-08, Marc wrote:
Since when does a hacked website gain root? What argument is next, when your storage solution is hacked they have access to your files? Are you not working with linux? How frequent are exploits that give you a root.
I was responding to jeremy ardley considering root access gained.
Apart from this privilege escalation is a real threat: https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=privilege+escalation
Since when does a hacked website gain root? What argument is next, when your storage solution is hacked they have access to your files? Are you not working with linux? How frequent are exploits that give you a root.
I was responding to jeremy ardley considering root access gained.
Apart from this privilege escalation is a real threat: https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=privilege+escalation
This link is crap, did you even read a few items on this page? Put then a link to the apache httpd root access.
Fact still remains that nobody here on this list has eternal life nor eternal resources, so you would be stupid to focus on your webserver root access exploit instead of roundcube.
Next to that, it is more common these days to use containers so there is not even a webserver that runs root.
El 8/9/23 a les 11:59, Marc ha escrit:
Since when does a hacked website gain root? What argument is next, when your storage solution is hacked they have access to your files? Are you not working with linux? How frequent are exploits that give you a root.
I was responding to jeremy ardley considering root access gained.
Apart from this privilege escalation is a real threat: https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=privilege+escalation
This link is crap, did you even read a few items on this page? Put then a link to the apache httpd root access.
Fact still remains that nobody here on this list has eternal life nor eternal resources, so you would be stupid to focus on your webserver root access exploit instead of roundcube.
Next to that, it is more common these days to use containers so there is not even a webserver that runs root.
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org
If roundcube/dovecot is in discussion, we can't assume the rest of environment i secure and well-configured: Webserver, Kernel, DB server, etc. Then we need to work on good measures to not rely on "everything will be optimal because everybody did a good job".
And we can't assume Rouncube is perfect, same as Dovecot. Give time to time.
--
I'm using this express-made address because personal addresses aren't masked enough at this mail public archive. Public archive administrator should fix this against automated addresses collectors.
El 8/9/23 a les 0:50, jeremy ardley via dovecot ha escrit:
On 8/9/23 05:00, joe a wrote:
Any known issues with installing/running roundcube and dovecot on the same server?
There is a generic issue with doing this. That is if you have roundcube (or any other web mail interface) on the same server as dovecot, a breach of the web interface could be quite serious and allow access to the complete mail store.
A better configuration is to run the web mail interface on an isolated server and get it to communicate using TLS imap with a remote dovecot service.
For economy, you could do this on the same machine using a small virtual server to run roundcube
+1
--
Narcis Garcia
I'm using this dedicated address because personal addresses aren't masked enough at this mail public archive. Public archive administrator should fix this against automated addresses collectors.
I am running roundcube and dovecot on the same machine. To avoid the described scenario, I have:
- Enabled and configured selinux on that machine,
- Enabled mail-crypt plugin with user keys in dovecot.
This should make it hard for an attacker to get access to the emails even with root access gained through a compromised web server.
Am I right? :)
Am Freitag, dem 08.09.2023 um 06:50 +0800 schrieb jeremy ardley via dovecot:
On 8/9/23 05:00, joe a wrote:
Any known issues with installing/running roundcube and dovecot on the same server?
There is a generic issue with doing this. That is if you have roundcube (or any other web mail interface) on the same server as dovecot, a breach of the web interface could be quite serious and allow access to the complete mail store.
A better configuration is to run the web mail interface on an isolated server and get it to communicate using TLS imap with a remote dovecot service.
For economy, you could do this on the same machine using a small virtual server to run roundcube
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org
--
Robert Senger
On 2023-09-08, Robert Senger wrote:
I am running roundcube and dovecot on the same machine. To avoid the described scenario, I have:
- Enabled and configured selinux on that machine,
yes selinux is a must have
- Enabled mail-crypt plugin with user keys in dovecot.
This should make it hard for an attacker to get access to the emails even with root access gained through a compromised web server.
mail-crypt is useful if attacker get access to the mails but not to the keys. If you store mails on the same system it's useless
I am running roundcube and dovecot on the same machine. To avoid the described scenario, I have:
- Enabled and configured selinux on that machine,
- Enabled mail-crypt plugin with user keys in dovecot.
This should make it hard for an attacker to get access to the emails even with root access gained through a compromised web server.
That depends on your selinux rules. If you want to go a little further. Use podman/docker to run roundcube and run it as a seperate user and give the container bind low port capabilities. I think docker/podman support this. Just in case juse separate uids with containers.
There is a generic issue with doing this. That is if you have roundcube (or any other web mail interface) on the same server as dovecot, a breach of the web interface could be quite serious and allow access to the complete mail store.
No this is crap. user/group is are preventing this. The only risk you have when roundcube is hacked is that any user logging after this hack, his mailbox can be accessed (grabbed userid/passwd). So users not even using this roundcube have no problem at all.
Hi Joe,
The only issue I had, is that for cryptic reasons (FreeBSD 13-STABLE) "localhost" did not resolve, I had too replace it with "127.0.0.1" But YMMV
Regards,
Xavier
Le 9/7/23 23:00, joe a a écrit :
Any known issues with installing/running roundcube and dovecot on the same server?
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org
-- Xavier HUMBERT <xavier@xavierhumbert.net> 2 rue des Patureaux 54460 AINGERAY / FRANCE Tél +33 6 71 17 29 07 Dom +33 9 51 00 37 63
On 9/7/2023 17:00:51, joe a wrote:
Any known issues with installing/running roundcube and dovecot on the same server?
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org
Placing roundcube on its own server was one consideration, security breach being one concern.
Interesting to see such differing opinions.
joe a.
participants (11)
-
Dave McGuire
-
dovecot@ptld.com
-
jeremy ardley
-
joe a
-
Marc
-
Michel Verdier
-
Narcis Garcia
-
robert k Wild
-
Robert Senger
-
The Doctor
-
Xavier Humbert