Re: Roundcube
On 8/9/23 at 0:50, jeremy ardley via dovecot wrote:
> On 8/9/23 05:00, joe a wrote:
> > Any known issues with installing/running roundcube and dovecot on the same server?
>
> There is a generic issue with doing this. That is if you have roundcube (or any other web mail interface) on the same server as dovecot, a breach of the web interface could be quite serious and allow access to the complete mail store.
>
> A better configuration is to run the web mail interface on an isolated server and get it to communicate using TLS imap with a remote dovecot service.
>
> For economy, you could do this on the same machine using a small virtual server to run roundcube

+1

--
Narcis Garcia
__
I'm using this dedicated address because personal addresses aren't masked enough at this mail public archive. Public archive administrator should fix this against automated addresses collectors.
___
dovecot mailing list -- dovecot@dovecot.org
To unsubscribe send an email to dovecot-le...@dovecot.org
Re: Roundcube
On 8/9/23 07:38, dovecot--- via dovecot wrote:
> Roundcube does not have direct file access to the emails even on the same server. Roundcube opens a connection to dovecot, supplies the user/pass/login credentials to dovecot, and dovecot fetches the email stores and serves it to roundcube.
>
> There is nothing a hacker can gain access to by exploiting roundcube that they also couldn't get in the same scenario if roundcube and dovecot were on two different machines.

The scenario you describe does not consider a breach of the web mail service that allows root access to the file system. If the web service is compromised to that extent then the mail file store is also compromised.

If the mail file store is on a different device then an exploit has to not only breach the web service on the interface device, it then has to breach the remote store. This will be extremely difficult compared to simply breaching a web server and locally exploiting it.

When the dovecot server is on a remote system and correct firewalls are in place, then the attacker has to breach the imap protocols as well.

This article describes the concept: https://www.fortinet.com/resources/cyberglossary/what-is-dmz
Re: Roundcube
> > Any known issues with installing/running roundcube and dovecot on the same server?
>
> There is a generic issue with doing this. That is if you have roundcube (or any other web mail interface) on the same server as dovecot, a breach of the web interface could be quite serious and allow access to the complete mail store.
>
> A better configuration is to run the web mail interface on an isolated server and get it to communicate using TLS imap with a remote dovecot service.
>
> For economy, you could do this on the same machine using a small virtual server to run roundcube

I disagree with this, and that is what user/group/permissions are for.

Roundcube does not have direct file access to the emails even on the same server. Roundcube opens a connection to dovecot, supplies the user/pass/login credentials to dovecot, and dovecot fetches the email stores and serves it to roundcube.

There is nothing a hacker can gain access to by exploiting roundcube that they also couldn't get in the same scenario if roundcube and dovecot were on two different machines.
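The permissions argument in the message above can be checked on a given host rather than assumed. This added example (not part of the thread) lists the message files an account could read through Unix mode bits alone; the tree built in `demo()` and the uid/gid values are constructed assumptions, and ACLs, capabilities and a root-level compromise are outside what it checks.

```python
import os
import stat
import tempfile

def allowed(st, uid, gids, want):
    """Unix mode-bit check for one account (ACLs, capabilities and root ignored)."""
    if st.st_uid == uid:
        bits = st.st_mode >> 6
    elif st.st_gid in gids:
        bits = st.st_mode >> 3
    else:
        bits = st.st_mode
    return (bits & 7 & want) == want

def readable_files(root, uid, gids):
    """Regular files under root the account can read via directories it can enter.

    Search (x) permission is enough to descend, because Maildir names such as
    cur/ and new/ are predictable. Ancestors of root are assumed traversable.
    """
    found, stack = [], [root]
    while stack:
        path = stack.pop()
        st = os.lstat(path)
        if stat.S_ISDIR(st.st_mode):
            if allowed(st, uid, gids, 1):
                stack.extend(os.path.join(path, n) for n in os.listdir(path))
        elif stat.S_ISREG(st.st_mode) and allowed(st, uid, gids, 4):
            found.append(os.path.relpath(path, root))
    return sorted(found)

def demo():
    """Constructed store: owner-only, group-readable and world-readable mailboxes."""
    layout = {"alice": (0o700, 0o600), "carol": (0o750, 0o640), "bob": (0o755, 0o644)}
    with tempfile.TemporaryDirectory() as root:
        os.chmod(root, 0o755)
        for user, (dmode, fmode) in layout.items():
            cur = os.path.join(root, user, "cur")
            os.makedirs(cur)
            msg = os.path.join(cur, "msg1")
            open(msg, "w").close()
            for p, mode in ((msg, fmode), (cur, dmode), (os.path.join(root, user), dmode)):
                os.chmod(p, mode)
        st = os.lstat(root)
        web_uid = st.st_uid + 1  # constructed: any account that is not the store owner
        as_other = readable_files(root, web_uid, {st.st_gid + 1})
        in_mail_group = readable_files(root, web_uid, {st.st_gid})
        return as_other, in_mail_group
```

On a real host, run `readable_files()` as root against the mail location with the uid and group ids of the account the web server runs as; an empty result is what the permissions argument relies on.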
Re: Roundcube
On 8/9/23 05:00, joe a wrote:
> Any known issues with installing/running roundcube and dovecot on the same server?

There is a generic issue with doing this. That is if you have roundcube (or any other web mail interface) on the same server as dovecot, a breach of the web interface could be quite serious and allow access to the complete mail store.

A better configuration is to run the web mail interface on an isolated server and get it to communicate using TLS imap with a remote dovecot service.

For economy, you could do this on the same machine using a small virtual server to run roundcube
Re: Roundcube
On Thu, Sep 07, 2023 at 05:00:51PM -0400, joe a wrote:
> Any known issues with installing/running roundcube and dovecot on the same
> server?

No!

--
Member - Liberal International This is doc...@nk.ca Ici doc...@nk.ca
Yahweh, King & country!Never Satan President Republic!Beware AntiChrist rising!
Look at Psalms 14 and 53 on Atheism https://www.empire.kred/ROOTNK?t=94a1f39b
Manitoba on 3 Oct 2023 vote Liberal! Beware https://mindspring.com
Re: Roundcube
Thanks.

On 9/7/2023 17:09:25, robert k Wild wrote:
> Simple answer is no issues at all, I've done it all on the same server and my server has Postfix, dovecot and roundcube
>
> On Thu, 7 Sept 2023, 22:05 joe a, wrote:
> > Any known issues with installing/running roundcube and dovecot on the same server?
Re: Roundcube
On 9/7/23 17:00, joe a wrote:
> Any known issues with installing/running roundcube and dovecot on the same server?

I'm running two such installations; no difficulty.

-Dave

--
Dave McGuire, AK4HZ
New Kensington, PA
Re: Roundcube
Simple answer is no issues at all, I've done it all on the same server and my server has Postfix, dovecot and roundcube

On Thu, 7 Sept 2023, 22:05 joe a, wrote:
> Any known issues with installing/running roundcube and dovecot on the
> same server?
Roundcube
Any known issues with installing/running roundcube and dovecot on the same server?
Re: Trouble with SMTP, TLS and dovecot.org.
> On 07/09/2023 20:46 EEST Ralph Seichter via dovecot wrote:
>
> * Aki Tuomi via dovecot:
>
> > I updated the settings a bit on the server as well. Maybe it works
> > better now?
>
> Yes, it does indeed:
>
>   Sep 7 19:33:23 ra postfix/smtp[14429]: Trusted TLS connection established
>   to talvi.dovecot.org[2a04:3545:1000:720:acc1:5bff:fe5e:459]:25: TLSv1.3 with
>   cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (prime256v1)
>   server-signature RSA-PSS (2048 bits) server-digest SHA256 client-signature
>   ECDSA (secp384r1) client-digest SHA384
>   Sep 7 19:33:24 ra postfix/smtp[14429]: 1989FBE002A:
>   to=,
>   relay=talvi.dovecot.org[2a04:3545:1000:720:acc1:5bff:fe5e:459]:25, delay=4.3,
>   delays=0.01/0.01/3.6/0.73, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as
>   D22D55DEF4)
>
> Thank you, Aki. Would you be willing to share what was changed in your
> server's settings and/or certificates? I am still wondering what exactly
> caused the issue. By the way, I have reverted all TLS-related changes
> previously used for testing on my end, returning to Postfix's defaults.
>
> -Ralph

Mostly just disabled older TLS stuff and in particular enabled TLSv1.3.

Aki
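Added example, not from the thread: one way to confirm from Postfix logs which TLS protocol versions peers actually negotiate once older versions have been disabled. The first sample line is the one quoted above (shortened); the example.net and example.org lines and the TLSv1.2 minimum are constructed assumptions.

```python
import re
from collections import defaultdict

ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
TLS_LINE = re.compile(
    r"postfix/smtpd?\[\d+\]: (?P<trust>\w+) TLS connection established "
    r"(?:to|from) (?P<peer>\S+?): (?P<proto>\S+) with cipher (?P<cipher>\S+)"
)

def audit(lines, minimum="TLSv1.2"):
    """Group established TLS sessions by peer and flag protocols below `minimum`."""
    floor = ORDER.index(minimum)
    report = defaultdict(lambda: {"protocols": set(), "trust": set(), "weak": False})
    for line in lines:
        m = TLS_LINE.search(line)
        if not m:
            continue  # delivery status lines and the like carry no TLS details
        entry = report[m["peer"]]
        entry["protocols"].add(m["proto"])
        entry["trust"].add(m["trust"])
        # Unknown protocol strings are flagged rather than silently accepted.
        if m["proto"] not in ORDER or ORDER.index(m["proto"]) < floor:
            entry["weak"] = True
    return dict(report)

def weak_peers(lines, minimum="TLSv1.2"):
    """Peers that negotiated at least one session below the minimum version."""
    return sorted(p for p, e in audit(lines, minimum).items() if e["weak"])

SAMPLE = [
    # From the thread, shortened after the cipher strength:
    "Sep 7 19:33:23 ra postfix/smtp[14429]: Trusted TLS connection established to talvi.dovecot.org[2a04:3545:1000:720:acc1:5bff:fe5e:459]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)",
    # Constructed lines below (documentation hosts and addresses):
    "Sep 7 19:40:02 ra postfix/smtp[14502]: Untrusted TLS connection established to mx.example.net[192.0.2.10]:25: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)",
    "Sep 7 19:41:10 ra postfix/smtpd[14510]: Anonymous TLS connection established from client.example.org[198.51.100.7]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)",
    "Sep 7 19:41:11 ra postfix/smtp[14502]: 0000000000: status=sent (250 2.0.0 Ok)",
]
```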
Re: Trouble with SMTP, TLS and dovecot.org.
* Aki Tuomi via dovecot:

> I updated the settings a bit on the server as well. Maybe it works
> better now?

Yes, it does indeed:

  Sep 7 19:33:23 ra postfix/smtp[14429]: Trusted TLS connection established to talvi.dovecot.org[2a04:3545:1000:720:acc1:5bff:fe5e:459]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (prime256v1) server-signature RSA-PSS (2048 bits) server-digest SHA256 client-signature ECDSA (secp384r1) client-digest SHA384
  Sep 7 19:33:24 ra postfix/smtp[14429]: 1989FBE002A: to=, relay=talvi.dovecot.org[2a04:3545:1000:720:acc1:5bff:fe5e:459]:25, delay=4.3, delays=0.01/0.01/3.6/0.73, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as D22D55DEF4)

Thank you, Aki. Would you be willing to share what was changed in your server's settings and/or certificates? I am still wondering what exactly caused the issue. By the way, I have reverted all TLS-related changes previously used for testing on my end, returning to Postfix's defaults.

-Ralph
Re: Trouble with SMTP, TLS and dovecot.org.
> On 07/09/2023 03:49 EEST Ralph Seichter via dovecot wrote:
>
> * Marc Schiffbauer via dovecot:
>
> > Wild guess: you need to explicitly allow for example DEFAULT@SECLEVEL=0
> > ciphersuite in postfix to make *your* openssl accept this remote sslv3
> > connection
>
> Thanks, Marc. I had thought about this, and have tried various Postfix
> parameters related to TLS ciphers and protocols. So far, no dice. In the
> meantime, I also ran tests using Swaks, and this resulted in a possible
> different route of investigation: Postfix uses a certificate issued by
> Let's Encrypt (secp384r1) for both in- and outbound connections with
> STARTTLS. If I use the same certificate with Swaks, I see the same error
> as I do with Postfix. If I use Swaks *without* specifying a local TLS
> certificate, the STARTTLS handshake works:
>
>   === Trying talvi.dovecot.org:25...
>   === Connected to talvi.dovecot.org.
>   <- 220 talvi.dovecot.org ESMTP Postfix (Debian/GNU)
>   -> EHLO ra.horus-it.com
>   <- 250-talvi.dovecot.org
>   <- 250-PIPELINING
>   <- 250-SIZE 104857600
>   <- 250-ETRN
>   <- 250-STARTTLS
>   <- 250-ENHANCEDSTATUSCODES
>   <- 250-8BITMIME
>   <- 250-DSN
>   <- 250 CHUNKING
>   -> STARTTLS
>   <- 220 2.0.0 Ready to start TLS
>   === TLS started with cipher TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256
>   === TLS no local certificate set
>   === TLS peer DN="/CN=talvi.dovecot.org"
>
> Looks like the combination of certificate ciphers and OpenSSL library
> versions on my end and on the talvi.dovecot.org end is causing some
> bother. The original error message points to a protocol issue, not a
> cipher problem, and how SSLv3 gets into the mix is anybody's guess.
> Perhaps I'll see clearer after some much needed sleep.
>
> -Ralph

I updated the settings a bit on the server as well. Maybe it works better now?

Aki