Vesta Control Panel - Forum

VestaCP + Exim + php mail function security issue? Topic is solved

Questions regarding the Mail Server
Dovecot, Exim, RoundCube
securetunnel

VestaCP + Exim + php mail function security issue?

Post by securetunnel » Fri Nov 20, 2015 6:37 am

VestaCP seems to install the mail system with an implicit "trust" of localhost. The php mail() function will use localhost (as will roundcube then by default) and this doesn't require authentication of a local user to send mail.

The issue with this is that if you are hosting a website on the same installation, and that website gets hacked with a php shell or other (happens to wordpress, joomla, drupal all the time), then that exploit can turn your VestaCP installation into a spam generator, as your hacked site can make use of the php mail() function and send mail at will without authentication.

We got around this by requiring auth to smtp (exim) through the whole system:

1) Point /usr/sbin/sendmail to /dev/null
2) Configure /etc/roundcubemail/main.inc.php --> SMTP section, to use localhost, port (25 or 587), and the %u/%p values for username and password so that your authenticated user to webmail (roundcube) is actually authenticating to SMTP locally even when using webmail.

We had several instances of hacked websites that were able to make use of the default 'localhost-can-send-without-auth' configuration.

Suggest in future releases of VestaCP that exim/sendmail be COMPLETELY locked down so that even sending from LOCALHOST requires auth.

abad

Re: VestaCP + Exim + php mail function security issue?

Post by abad » Fri Nov 20, 2015 5:50 pm

I don't think that any other panels restrict that, since it makes it much less user friendly.

AdamiPL

Re: VestaCP + Exim + php mail function security issue?

Post by AdamiPL » Sat Nov 21, 2015 11:02 am

abad wrote: I don't think that any other panels restrict that, since it makes it much less user friendly.

This must be safe, not user friendly.

Vladimir Chanaev

Os: Ubuntu 17x
Web: nginx + php-fpm
Re: VestaCP + Exim + php mail function security issue?

Post by Vladimir Chanaev » Sat Apr 09, 2016 3:01 am

Confirm.
My Vesta with some Joomla sites was affected by this problem. Huge CPU and bandwidth loads. Spamassassin and clamav daemons fall down after 5-10 minutes.
Thanks for the advice.

Vladimir Chanaev

Os: Ubuntu 17x
Web: nginx + php-fpm
Re: VestaCP + Exim + php mail function security issue?

Post by Vladimir Chanaev » Sun Apr 10, 2016 4:49 am

Code:

1)  /usr/sbin/sendmail -v -d < /dev/null

Code:

2)  nano /etc/roundcube/main.inc.php

$rcmail_config['smtp_server'] = 'localhost';
$rcmail_config['smtp_user'] = '%u';
$rcmail_config['smtp_pass'] = '%p';

Correct? Please confirm. Thanks!

alexare

Re: VestaCP + Exim + php mail function security issue?

Post by alexare » Sun Apr 10, 2016 8:08 pm

Vladimir Chanaev wrote: Confirm.
My Vesta with some Joomla sites was affected by this problem. Huge CPU and bandwidth loads. Spamassassin and clamav daemons fall down after 5-10 minutes.
Thanks for the advice.

I had the same issue also: spamassassin fails after 5-10 minutes, and the bug came from a WordPress site installed on my server.

alexare

Re: VestaCP + Exim + php mail function security issue?

Post by alexare » Mon Apr 11, 2016 2:29 pm

Vladimir Chanaev wrote:

Code:

1)  /usr/sbin/sendmail -v -d < /dev/null

Code:

2)  nano /etc/roundcube/main.inc.php

$rcmail_config['smtp_server'] = 'localhost';
$rcmail_config['smtp_user'] = '%u';
$rcmail_config['smtp_pass'] = '%p';

Correct? Please confirm. Thanks!

This didn't work for me; I am running CentOS 6.7.
nano /etc/roundcubemail/main.inc.php worked,

but I can't point to /dev/null.

Vladimir Chanaev

Os: Ubuntu 17x
Web: nginx + php-fpm
Re: VestaCP + Exim + php mail function security issue?

Post by Vladimir Chanaev » Fri Apr 15, 2016 4:23 am

alexare wrote:
Vladimir Chanaev wrote: but can't point to /dev/null

Click EDIT on your Mail Account in the MAIL section of Vesta CP and edit Catchall email: /dev/null
I think it's the same, but not sure.

a1war

Re: VestaCP + Exim + php mail function security issue?

Post by a1war » Sat Jul 23, 2016 4:05 pm

I don't have any /etc/roundcube/main.inc.php

These are the files that I have in the /etc/roundcube/ dir:

apache.conf debian-db.php lighttpd.conf
config.inc.php defaults.inc.php mimetypes.php
debian-db-roundcube.php htaccess plugins/

Which one should I update?

auraputih

Re: VestaCP + Exim + php mail function security issue?

Post by auraputih » Sat Oct 15, 2016 4:56 am

Method for PHP5.5 and before
We have to edit sendmail_path in php.ini

Code:

1. nano /etc/php5/apache2/php.ini
2. Edit the line sendmail_path = and change it into sendmail_path = "/dev/null"
3. Save

Method for PHP5.6 and after
The newest php version installed on the server does not allow global settings (such as execution time, max upload filesize, max post file size, etc.) to be changed.

Follow these steps to resolve the issue:

Code:

1. nano /etc/php5/apache2/conf.d/user.ini
2. Add the line sendmail_path = "/dev/null" inside /etc/php5/apache2/conf.d/user.ini
3. Save
4. Use this ini file for any custom settings.

Edit Roundcube configuration
After you have changed the setting in php, you have to change the setting in roundcube

Code:

nano /etc/roundcube/main.inc.php

$rcmail_config['smtp_server'] = 'localhost';
$rcmail_config['smtp_user'] = '%u';
$rcmail_config['smtp_pass'] = '%p';

*Location for CentOS php.ini is /etc/php.ini
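Added here as an audit script (example code, not from this thread or from the Vesta project): it checks a php.ini-style file for the sendmail_path = "/dev/null" change and a Roundcube config for the %u/%p SMTP credentials described in the posts above, run against constructed sample files. The function names and the sample files are assumptions; point it at the real php.ini / conf.d/user.ini and Roundcube main.inc.php (or config.inc.php) on a host.

```shell
#!/bin/sh
# Added audit helper, not from the thread: checks whether the two mitigations
# discussed above are present in the config files it is given. It inspects
# only those files; PHP may still pick up sendmail_path from another ini
# file, so compare with `php -i | grep sendmail_path` on the real host too.

# Effective php.ini value: last uncommented "key = value" wins, quotes stripped.
php_ini_value() {
    key=$1; file=$2
    sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*//p" "$file" \
        | tail -n 1 | sed 's/^"\(.*\)"$/\1/; s/[[:space:]]*$//'
}

# 0 when mail() has been neutered by pointing sendmail_path at /dev/null.
php_mail_disabled() {
    [ "$(php_ini_value sendmail_path "$1")" = "/dev/null" ]
}

# Value of $rcmail_config['key'] (old layout) or $config['key'] (newer layout).
rc_value() {
    key=$1; file=$2
    grep -E '^[[:space:]]*\$(rcmail_)?config\['"'$key'"'\]' "$file" | tail -n 1 \
        | sed "s/.*=[[:space:]]*'\([^']*\)'.*/\1/"
}

# 0 when webmail will authenticate to SMTP with the logged-in user's own
# credentials instead of relaying through localhost unauthenticated.
roundcube_smtp_auth_enforced() {
    [ "$(rc_value smtp_user "$1")" = "%u" ] && [ "$(rc_value smtp_pass "$1")" = "%p" ]
}

# One verdict line per check; returns 0 only when both mitigations hold.
audit() {
    ini=$1; rc=$2; status=0
    if php_mail_disabled "$ini"; then echo "OK   $ini: sendmail_path -> /dev/null"
    else echo "WARN $ini: sendmail_path = '$(php_ini_value sendmail_path "$ini")'"; status=1; fi
    if roundcube_smtp_auth_enforced "$rc"; then echo "OK   $rc: SMTP auth as %u/%p"
    else echo "WARN $rc: Roundcube relays without per-user SMTP auth"; status=1; fi
    return $status
}

# Constructed sample files: a stock php.ini, a hardened user.ini, a hardened Roundcube config.
demo=$(mktemp -d)
printf ';sendmail_path =\nsendmail_path = "/usr/sbin/sendmail -t -i"\n' > "$demo/php.ini"
printf 'sendmail_path = "/dev/null"\n' > "$demo/user.ini"
printf "<?php\n\$rcmail_config['smtp_server'] = 'localhost';\n\$rcmail_config['smtp_user'] = '%%u';\n\$rcmail_config['smtp_pass'] = '%%p';\n" > "$demo/main.inc.php"

audit "$demo/php.ini" "$demo/main.inc.php"    # first line WARN: stock PHP still hands mail() to sendmail
audit "$demo/user.ini" "$demo/main.inc.php"   # both lines OK
```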