We are happy to announce that Vesta is back under active development as of 25 February 2024. We are working on v1 candidate and expect to engage more with the community over the coming months. We are committed to open source, and we encourage contributors to help us build the future of Vesta.
VestaCP + Exim + php mail function security issue? Topic is solved
VestaCP seems to install the mail system with an implicit "trust" of localhost. The PHP mail() function will use localhost (as will Roundcube by default), and this doesn't require authentication of a local user to send mail.
The issue with this is that if you are hosting a website on the same installation, and that website gets hacked with a PHP shell or otherwise (it happens to WordPress, Joomla and Drupal all the time), then that exploit can turn your VestaCP installation into a spam generator, as your hacked site can make use of the PHP mail() function and send mail at will without authentication.
We got around this by requiring auth to SMTP (Exim) through the whole system:
1) Point /usr/sbin/sendmail to /dev/null
2) Configure /etc/roundcubemail/main.inc.php --> SMTP section, to use localhost, port (25 or 587), and the %u/%p values for username and password, so that your authenticated user to webmail (Roundcube) is actually authenticating to SMTP locally even when using webmail.
We had several instances of hacked websites that were able to make use of the default 'localhost-can-send-without-auth' configuration.
Suggest in future releases of VestaCP that exim/sendmail be COMPLETELY locked down so that even sending from LOCALHOST requires auth.
Re: VestaCP + Exim + php mail function security issue?
I don't think that any other panels restrict that, since it makes it much less user friendly.
Re: VestaCP + Exim + php mail function security issue?
abad wrote: I don't think that any other panels restrict that, since it makes it much less user friendly.
This must be safe, not user friendly.
-
- Posts: 45
- Joined: Sun Mar 13, 2016 2:21 pm
- Contact:
- Os: Ubuntu 17x
- Web: nginx + php-fpm
Re: VestaCP + Exim + php mail function security issue?
Confirm.
My Vesta with some Joomla sites was affected by this problem. Huge CPU and bandwidth loads. The SpamAssassin and ClamAV daemons fall down after 5-10 minutes.
Thanks for the advice.
Re: VestaCP + Exim + php mail function security issue?
Code:
1) /usr/sbin/sendmail -v -d < /dev/null
Code:
2) nano /etc/roundcube/main.inc.php
$rcmail_config['smtp_server'] = 'localhost';
$rcmail_config['smtp_user'] = '%u';
$rcmail_config['smtp_pass'] = '%p';
Re: VestaCP + Exim + php mail function security issue?
Vladimir Chanaev wrote: Confirm. My Vesta with some Joomla sites was affected by this problem. Huge CPU and bandwidth loads. The SpamAssassin and ClamAV daemons fall down after 5-10 minutes. Thanks for the advice.
I had the same issue also: SpamAssassin fails after 5-10 minutes, and the bug came from a WordPress site installed on my server.
Re: VestaCP + Exim + php mail function security issue?
Vladimir Chanaev wrote:
Code:
1) /usr/sbin/sendmail -v -d < /dev/null
Code:
2) nano /etc/roundcube/main.inc.php
$rcmail_config['smtp_server'] = 'localhost';
$rcmail_config['smtp_user'] = '%u';
$rcmail_config['smtp_pass'] = '%p';
This didn't work for me; I am running CentOS 6.7. Correct? Plz confirm. Thanks!
nano /etc/roundcubemail/main.inc.php worked
but can't point to /dev/null
Re: VestaCP + Exim + php mail function security issue?
alexare wrote: but can't point to /dev/null
Click EDIT on your Mail Account in the MAIL section of Vesta CP and edit Catchall email: /dev/null
I think it's the same but not sure.
Re: VestaCP + Exim + php mail function security issue?
I don't have any /etc/roundcube/main.inc.php
These are the files that I have in the /etc/roundcube/ dir:
apache.conf debian-db.php lighttpd.conf
config.inc.php defaults.inc.php mimetypes.php
debian-db-roundcube.php htaccess plugins/
Which one should I update?
Re: VestaCP + Exim + php mail function security issue?
Method for PHP5.5 and before
We have to edit sendmail_path in php.ini
*Location for CentOS php.ini is /etc/php.ini
Code:
1. nano /etc/php5/apache2/php.ini
2. Edit line sendmail_path = and change it into sendmail_path = "/dev/null"
3. Save
Method for PHP5.6 and after
The newest PHP version installed on the server does not allow global settings (such as execution time, max upload filesize, max post file size, etc.) to be changed.
Follow these steps to resolve the issue:
Code:
1. nano /etc/php5/apache2/conf.d/user.ini
2. Add the line sendmail_path = "/dev/null" inside /etc/php5/apache2/conf.d/user.ini
3. Save
4. Use this ini file for any custom settings.
Edit Roundcube configuration
After you have changed the setting in PHP, you have to change the setting in Roundcube
Code:
nano /etc/roundcube/main.inc.php
$rcmail_config['smtp_server'] = 'localhost';
$rcmail_config['smtp_user'] = '%u';
$rcmail_config['smtp_pass'] = '%p';
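As an added example (not code from the thread or from the VestaCP project), the POSIX sh script below audits the two settings the first post and the steps above rely on: whether sendmail_path in php.ini or user.ini has been pointed at /dev/null, and whether Roundcube passes the webmail user's own %u/%p credentials to the local SMTP server. The config file contents are constructed samples and the temp-directory paths are assumptions; point the functions at /etc/php.ini, the conf.d/user.ini and the Roundcube config on a real server.

```shell
#!/bin/sh
# Added audit script, not part of the thread or of VestaCP: checks the two settings
# recommended above against constructed sample files written to a temp directory.
# php_sendmail_status FILE: "disabled" when sendmail_path is /dev/null (PHP mail()
# has nothing to hand mail to), "enabled:<binary>" when it names a real sendmail,
# "unset" when the directive is absent/commented (PHP then uses its built-in default).
php_sendmail_status() {
    line=$(grep -E '^[[:space:]]*sendmail_path[[:space:]]*=' "$1" | tail -n 1)
    [ -z "$line" ] && { echo unset; return 1; }
    value=$(printf '%s\n' "$line" | sed -E 's/^[^=]*=[[:space:]]*//; s/"//g' | awk '{print $1}')
    [ "$value" = "/dev/null" ] && { echo disabled; return 0; }
    echo "enabled:$value"; return 1
}

# rc_value FILE KEY: value of $rcmail_config['KEY'] (or newer $config['KEY']); last wins
rc_value() {
    grep -E "^[[:space:]]*[$](rcmail_)?config\\['$2'\\]" "$1" | tail -n 1 \
        | sed -E "s/.*=[[:space:]]*'([^']*)'.*/\\1/"
}

# roundcube_smtp_auth_status FILE: "auth" when smtp_user/smtp_pass are %u/%p, so
# Roundcube logs in to Exim with the webmail user's own credentials; else "noauth".
roundcube_smtp_auth_status() {
    user=$(rc_value "$1" smtp_user); pass=$(rc_value "$1" smtp_pass)
    [ "$user" = "%u" ] && [ "$pass" = "%p" ] && { echo auth; return 0; }
    echo noauth; return 1
}

# Constructed samples (assumed contents, not copied from any real server)
demo_dir=$(mktemp -d)
printf 'sendmail_path = /usr/sbin/sendmail -t -i\n' > "$demo_dir/php.ini.default"
printf ';sendmail_path =\n' > "$demo_dir/php.ini.commented"
printf 'sendmail_path = "/dev/null"\n' > "$demo_dir/user.ini.hardened"
cat > "$demo_dir/roundcube.default.php" <<'EOF'
$rcmail_config['smtp_server'] = 'localhost';
$rcmail_config['smtp_user'] = '';
$rcmail_config['smtp_pass'] = '';
EOF
cat > "$demo_dir/roundcube.hardened.php" <<'EOF'
$rcmail_config['smtp_server'] = 'localhost';
$rcmail_config['smtp_user'] = '%u';
$rcmail_config['smtp_pass'] = '%p';
EOF
for f in php.ini.default php.ini.commented user.ini.hardened; do
    printf '%-22s sendmail_path: %s\n' "$f" "$(php_sendmail_status "$demo_dir/$f")"
done
for f in roundcube.default.php roundcube.hardened.php; do
    printf '%-22s smtp auth: %s\n' "$f" "$(roundcube_smtp_auth_status "$demo_dir/$f")"
done
```

Both checks exit non-zero for the insecure state, so they can be dropped into a cron job or a post-install check that fails loudly when a PHP upgrade or panel update rewrites either file.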