Re: suitable webmail

2010-02-12 Thread Stan Hoeppner
Thijssen put forth on 2/9/2010 4:19 AM:

 - If they like flashy GUI bullshit like HTML-mail and WYSIWYG
 formatted emails and spam and commerce, then don't use Squirrelmail.
 - If they focus on actual text content and plaintext emails (the way
 it should be), then squirrelmail is your Number One choice, far
 outweighing all others.
 
 It's rock stable and top-secure.

Tell me about this top-secure aspect of Squirrelmail again. ;)

Received: from mail.afranet.com (mail.afranet.com [80.75.0.13])
by greer.hardwarefreak.com (Postfix) with ESMTP id 1F0AC6C2B9
for s...@hardwarefreak.com; Thu, 11 Feb 2010 07:02:04 -0600 (CST)
...
Received: from 78.138.3.237
(SquirrelMail authenticated user test)
by mail.afranet.com with HTTP;
...
User-Agent: SquirrelMail/1.4.15
...
To: undisclosed-recipients:;
...
   :::YEAR 2010 E-MAIL AWARDS:::
Dear Winner,
...
CONTACT HIM WITH YOUR DETAILS, FILL Details BELOW;
*** Your Full Name
*** Your Address
*** Your Country
*** Your Phone number
*** Your Age(Date of birth)
*** Your Gender(Male or Female)
*** Your present Occupation
*** Your Micros ID
...

I get phish and 419 from compromised Squirrelmail servers at least once or twice
a month.  I've yet to receive one from a compromised Roundcube, Horde, or SOGo
server.  Now, in fairness to SM, this probably has as much to do with widespread
implementation and poor administration as it does insecure code.  It appears the
phish sent from the SM server in the example above utilized a test account with
a weak or non-existent password.

Regarding Jose's comments about his web servers constantly being scanned for
Roundcube directories, I see no one else reporting this.  I run a Roundcube
server and see nothing of the sort.  Additionally, scans != compromise or high
potential for compromise.  I see thousands of scans and login attempts on my ssh
and ftp ports monthly.  Does that mean that Proftpd and sshd are automatically
vulnerable?  Because people are scanning them?  You made a pretty weak argument
against Roundcube with that example.

-- 
Stan
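
The Received trail quoted in the message above can be triaged mechanically. The sketch below is an added example, not part of the original post: it pulls the webmail submission hop out of a message's headers and flags the two traits visible in that sample, a generic account name and an undisclosed-recipients To: line. The function name, the `GENERIC_ACCOUNTS` list and the sample message (documentation addresses only) are assumptions made for illustration.

```python
import email
import re

# Matches the hop the webmail front end records when a logged-in user submits
# a message, in the form shown in the post:
#   from <client ip> (SquirrelMail authenticated user <login>) by <host> with HTTP;
WEBMAIL_HOP = re.compile(
    r"from\s+(?P<client>\S+)\s+"
    r"\((?P<app>\S+) authenticated user (?P<user>[^)]+)\)\s+"
    r"by\s+(?P<server>\S+)\s+with\s+HTTP\b",
    re.IGNORECASE,
)

# Assumption: login names an abuse desk would treat as throwaway accounts.
GENERIC_ACCOUNTS = {"test", "guest", "demo", "admin", "info", "user", "webmaster"}

# Constructed sample modelled on the headers in the post; every address is a
# documentation placeholder.
CONSTRUCTED_PHISH = """\
Received: from webmail.example.org (webmail.example.org [203.0.113.25])
    by mx.example.net (Postfix) with ESMTP id 0123456789
    for <abuse@example.net>; Thu, 11 Feb 2010 07:02:04 -0600 (CST)
Received: from 198.51.100.23
    (SquirrelMail authenticated user test)
    by webmail.example.org with HTTP;
    Thu, 11 Feb 2010 16:31:58 +0330
User-Agent: SquirrelMail/1.4.15
To: undisclosed-recipients:;
Subject: constructed sample

body
"""


def triage_webmail_origin(raw_message):
    """Return details of the webmail submission hop, or None if there is none."""
    msg = email.message_from_string(raw_message)
    for received in msg.get_all("Received", []):
        # Header values keep their folding; collapse it before matching.
        hop = WEBMAIL_HOP.search(" ".join(received.split()))
        if hop is None:
            continue
        flags = []
        if hop.group("user").strip().lower() in GENERIC_ACCOUNTS:
            flags.append("generic-account")
        if "undisclosed-recipients" in msg.get("To", "").lower():
            flags.append("bulk-bcc")
        return {
            "client": hop.group("client"),    # address the login came from
            "user": hop.group("user").strip(),  # account to lock or reset
            "server": hop.group("server"),    # webmail host to notify
            "app": hop.group("app"),
            "user_agent": msg.get("User-Agent"),
            "flags": flags,
        }
    return None


if __name__ == "__main__":
    print(triage_webmail_origin(CONSTRUCTED_PHISH))
```

The authenticated user and client address are what the operator of the sending webmail host needs in an abuse report; the flags only rank which reports to look at first.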


Re: suitable webmail

2010-02-12 Thread Ben Winslow
On 02/12/2010 10:48 AM, Stan Hoeppner wrote:
 Tell me about this top-secure aspect of Squirrelmail again. ;)

 User-Agent: SquirrelMail/1.4.15

Spammers regularly phish for ISP account information and then use those
credentials to send spam via webmail and SMTP auth.  We see this
frequently, and it's not directly related to the webmail software in use.

-- 
Ben Winslow winsl...@pa.net


Re: suitable webmail

2010-02-12 Thread Stan Hoeppner
LuKreme put forth on 2/12/2010 10:08 AM:
 On 12-Feb-2010, at 08:48, Stan Hoeppner wrote:

 Tell me about this top-secure aspect of Squirrelmail again. ;)
 
 The fact that some spammers are able to get into email accounts and send spam 
 via squirrelmail has nothing to do with the security of squirrelmail itself. 
 In nearly all, if not all, of these cases the account is being compromised 
 due to having a password like password1 or 12345678

If you'd have read past the first line you'd have noticed I said the same 
thing. ;)

-- 
Stan




Re: suitable webmail

2010-02-09 Thread Thijssen
On Mon, Feb 1, 2010 at 16:52, K bharathan kbhara...@gmail.com wrote:
 of course this is a non postfix topic; but i'd like to know from the
 experienced which webmail is best for a postfix pop server

It mostly depends on the type of users you have;

- If they like flashy GUI bullshit like HTML-mail and WYSIWYG
formatted emails and spam and commerce, then don't use Squirrelmail.
- If they focus on actual text content and plaintext emails (the way
it should be), then squirrelmail is your Number One choice, far
outweighing all others.

It's rock stable and top-secure. I use it together with dovecot,
postfix, clamav, clamsmtpd, php and apache on debian x64, and it's
just splendid.
Been using Squirrelmail ever since it appeared in 2000 and won't be
going away anytime soon. When it appeared I was really glad it did.
Was exactly what I was looking for. My users complained the hell out
of me each time I let them test a different webmail engine, and they
were right every time. Squirrelmail is lightweight, loads faster, has
no useless plugins nobody really needs and gets the job done. Plus the
sqm userbase is huge, solutions to problems are always up for grabs in
wikis and mailinglists. Developers are responsive and active too.

I'd recommend Squirrelmail. http://squirrelmail.org/wiki/SquirrelMailFeatures

Good luck!

Julius


Re: suitable webmail

2010-02-09 Thread K bharathan
yes i've used and know it's too good; but all those for small number of
users; i want to use it at an ISP level; at ISP level i require some addons
like quota/autorespond etc..i'll give a try to squirrelmail
thanks

On Tue, Feb 9, 2010 at 12:19 PM, Thijssen jul...@gmail.com wrote:

 On Mon, Feb 1, 2010 at 16:52, K bharathan kbhara...@gmail.com wrote:
  of course this is a non postfix topic; but i'd like to know from the
  experienced which webmail is best for a postfix pop server

 It mostly depends on the type of users you have;

 - If they like flashy GUI bullshit like HTML-mail and WYSIWYG
 formatted emails and spam and commerce, then don't use Squirrelmail.
 - If they focus on actual text content and plaintext emails (the way
 it should be), then squirrelmail is your Number One choice, far
 outweighing all others.

 It's rock stable and top-secure. I use it together with dovecot,
 postfix, clamav, clamsmtpd, php and apache on debian x64, and it's
 just splendid.
 Been using Squirrelmail ever since it appeared in 2000 and won't be
 going away anytime soon. When it appeared I was really glad it did.
 Was exactly what I was looking for. My users complained the hell out
 of me each time I let them test a different webmail engine, and they
 were right every time. Squirrelmail is lightweight, loads faster, has
 no useless plugins nobody really needs and gets the job done. Plus the
 sqm userbase is huge, solutions to problems are always up for grabs in
 wikis and mailinglists. Developers are responsive and active too.

 I'd recommend Squirrelmail.
 http://squirrelmail.org/wiki/SquirrelMailFeatures

 Good luck!

 Julius



Re: suitable webmail

2010-02-09 Thread Thijssen
On Tue, Feb 9, 2010 at 11:43, K bharathan kbhara...@gmail.com wrote:
 yes i've used and know it's too good; but all those for small number of
 users; i want to use it at an ISP level; at ISP level i require some addons
 like quota/autorespond etc..i'll give a try to squirrelmail

XS4ALL, the largest Dutch ISP, uses Squirrelmail code for their
webmail (https://webmail.xs4all.nl/).
You can access and use the existing Quota and Autorespond systems that
are out there using squirrelmail.


Re: suitable webmail

2010-02-09 Thread Mark Goodge

On 09/02/2010 10:19, Thijssen wrote:

On Mon, Feb 1, 2010 at 16:52, K bharathan kbhara...@gmail.com wrote:

of course this is a non postfix topic; but i'd like to know from the
experienced which webmail is best for a postfix pop server


It mostly depends on the type of users you have;

- If they like flashy GUI bullshit like HTML-mail and WYSIWYG
formatted emails and spam and commerce, then don't use Squirrelmail.
- If they focus on actual text content and plaintext emails (the way
it should be), then squirrelmail is your Number One choice, far
outweighing all others.


That's not really true. Or, at least, it is true if the only thing that 
matters about email is the content of each individual message, but it's 
a false dichotomy to call other functionality flashy GUI bullshit. The 
biggest weakness of Squirrelmail is that it doesn't support common 
desktop mail client functions such as drag-and-drop, threading, column 
sorting, indexed search, spam filtering and preview panes. That makes it 
considerably less user-friendly than a decent desktop client such as 
Thunderbird, particularly for high-volume mail users.


As a lightweight webmail client, to be used as an infrequent alternative 
to a desktop client (eg, for collecting your mail when out and about 
with only web access), Squirrelmail is perfectly adequate for most 
users. But for day-to-day use as a long-term replacement for a desktop 
client, or for any user who gets a much larger than normal volume of 
mail, it's too lacking in functionality. That's what more full-featured 
webmail clients, such as Horde and Roundcube, are trying to address, 
albeit at the cost of additional complexity from a sysadmin perspective. 
As an administrator, therefore, you need to find out what your users 
actually need before deciding on what webmail client to provide them. 
And it isn't just about flashy GUI bullshit, it's about real features 
that make a practical difference for people with different requirements.


Mark


RE: suitable webmail

2010-02-09 Thread Rob Sterenborg
On 2010-02-09, Thijssen wrote:
 On Tue, Feb 9, 2010 at 11:43, K bharathan kbhara...@gmail.com
 wrote:
 yes i've used and know it's too good; but all those for small number
of
 users; i want to use it at an ISP level; at ISP level i require some
 addons like quota/autorespond etc..i'll give a try to squirrelmail
 
 XS4ALL, the largest Dutch ISP, uses Squirrelmail code for their
webmail
 (https://webmail.xs4all.nl/). You can access and use the existing
Quota
 and Autorespond systems that are out there using squirrelmail.

However, their new (but perhaps still experimental) webmail server uses
roundcube:
https://roundcube.xs4all.nl/



Re: suitable webmail

2010-02-09 Thread Thijssen
On Tue, Feb 9, 2010 at 12:28, Mark Goodge m...@good-stuff.co.uk wrote:

 As a lightweight webmail client, to be used as an infrequent alternative to
 a desktop client (eg, for collecting your mail when out and about with only
 web access), Squirrelmail is perfectly adequate for most users.

I use it for huge amounts of mail, huge attachments, even for viewing
flashy HTML bullshit mail and sorting mail by sender string etc.
How it handles larger folders depends on the IMAP server you use. Try
dovecot on servers with SSD, configure it wisely and you'll never need
more than Squirrelmail.

 But for day-to-day use as a long-term replacement for a desktop client, or 
 for any
 user who gets a much larger than normal volume of mail,

What do you mean by that?

 it's too lacking in functionality. That's what more full-featured webmail 
 clients, such as Horde
 and Roundcube, are trying to address, albeit at the cost of additional
 complexity from a sysadmin perspective.

Plus at the cost of speed and responsiveness for the majority of users
who don't require fancy features.
I suspect you're not aware of the Plugins that are available for
squirrelmail; http://squirrelmail.org/plugins.php

 webmail client to provide them. And it isn't just about flashy GUI
 bullshit, it's about real features that make a practical difference for
 people with different requirements.

What appears to be the most important complaint I get from users is
summed up by this;

I don't care about nice looking buttons or 3D Windows and all that
crap, I just want a working and reliable e-mail client. One that
doesn't reformat messages. No HTML and no annoying popups.

and they all detest Outlook and Outlook Express (and Exchange webmail)
as well, so that might illustrate the types of users that prefer
Squirrelmail. But saying they don't handle large volumes of mail is a
weird assumption to say the least. I'd say the average user box I
maintain squirrelmail-thunderbird for receives about 80 emails daily,
and their Mail folders are around 6 GB in size per user.

Julius


Re: suitable webmail

2010-02-09 Thread Mark Goodge

On 09/02/2010 11:53, Thijssen wrote:

On Tue, Feb 9, 2010 at 12:28, Mark Goodge m...@good-stuff.co.uk
wrote:


But for day-to-day use as a long-term replacement for a desktop
client, or for any user who gets a much larger than normal volume
of mail,


What do you mean by that?


Hundreds, or even thousands, of messages a day.


it's too lacking in functionality. That's what more full-featured
webmail clients, such as Horde and Roundcube, are trying to
address, albeit at the cost of additional complexity from a
sysadmin perspective.


Plus at the cost of speed and responsiveness for the majority of
users who don't require fancy features.


Indeed. That's why you have to provide what your users need.
Squirrelmail suits some users. Roundcube or Horde suit others. There is
no one size that fits all.


What appears to be the most important complaint I get from users is
summed up by this;

I don't care about nice looking buttons or 3D Windows and all that
crap, I just want a working and reliable e-mail client. One that
doesn't reformat messages. No HTML and no annoying popups.

and they all detest Outlook and Outlook Express (and Exchange
webmail) as well, so that might illustrate the types of users that
prefer Squirrelmail.


Possibly, although there are different reasons for detesting OE and 
Outlook. OE and Outlook are crap desktop clients; most experienced 
high-volume mail users prefer better clients such as Thunderbird. If 
your users also detest Thunderbird, then yes, Squirrelmail is probably 
right up their street. But if they like Thunderbird, then they'll 
probably find Squirrelmail rather limited by comparison.



But saying they don't handle large volumes of
mail is a weird assumption to say the least. I'd say the average user
box I maintain squirrelmail-thunderbird for receives about 80 emails
daily, and their Mail folders are around 6 GB in size per user.


80 would be a very low figure for the type of use I'm thinking of. The 
people I know who complain about Squirrelmail's limitations generally 
get several hundred emails a day.


Mark


Re: suitable webmail

2010-02-09 Thread Mark Goodge

On 09/02/2010 16:00, Jose Ildefonso Camargo Tolosa wrote:


Possibly, although there are different reasons for detesting OE and Outlook.
OE and Outlook are crap desktop clients; most experienced high-volume mail
users prefer better clients such as Thunderbird. If your users also detest
Thunderbird, then yes, Squirrelmail is probably right up their street. But
if they like Thunderbird, then they'll probably find Squirrelmail rather
limited by comparison.


... it depends, if you use squirrelmail, you will be able to read
your mail using any phone using operamini, that's a neat feature.


Yes, and that's an important consideration when choosing a webmail 
client. It's very difficult to make a webmail client work equally well as 
a mobile client and as a replacement for a desktop client.



80 would be a very low figure for the type of use I'm thinking of. The
people I know who complain about Squirrelmail's limitations generally get
several hundred emails a day.


Please, just tell me: what does the volume of mail have to do with the
webmail client? I mean, I could get 1000 mails at once, and squirrel
would just show me the latest when I refresh the page: no delays, no
problems, also felamimail (egroupware), and IMP (horde) so, what
do you want a mail client to do with your 1000's mails? read them for
you and parse them, so that you get the most important first I
mean, there is no web client that do that, and if you really need to
do something like that, use dovecot and sieve!.  Any client-side
filtering for 1000's of mails a day, could be slow, unless it is a
desktop client.


The main issues with large volumes of mail are being able to visually 
scan through it using a preview pane instead of having to step through 
each message in turn, and being able to mass-move multiple emails by 
click-select and drag-and-drop. These are things that are easy to 
implement on a desktop client, but hard to do on a webmail client. Also, 
for list mail, threading is an essential feature for many people 
(including myself), and a client (either desktop or web) that doesn't 
support it is simply too non-functional to be used except as a backup.


Mark


Re: suitable webmail

2010-02-09 Thread Jose Ildefonso Camargo Tolosa
Hi!

On Tue, Feb 9, 2010 at 11:44 AM, Mark Goodge m...@good-stuff.co.uk wrote:
 On 09/02/2010 16:00, Jose Ildefonso Camargo Tolosa wrote:

 Possibly, although there are different reasons for detesting OE and
 Outlook.
 OE and Outlook are crap desktop clients; most experienced high-volume
 mail
 users prefer better clients such as Thunderbird. If your users also
 detest
 Thunderbird, then yes, Squirrelmail is probably right up their street.
 But
 if they like Thunderbird, then they'll probably find Squirrelmail rather
 limited by comparison.

 ... it depends, if you use squirrelmail, you will be able to read
 your mail using any phone using operamini, that's a neat feature.

 Yes, and that's an important consideration when choosing a webmail client.
 It's very difficult to make a webmail client work equally well as a mobile
 client and as a replacement for a desktop client.

 80 would be a very low figure for the type of use I'm thinking of. The
 people I know who complain about Squirrelmail's limitations generally get
 several hundred emails a day.

 Please, just tell me: what does the volume of mail have to do with the
 webmail client? I mean, I could get 1000 mails at once, and squirrel
 would just show me the latest when I refresh the page: no delays, no
 problems, also felamimail (egroupware), and IMP (horde) so, what
 do you want a mail client to do with your 1000's mails? read them for
 you and parse them, so that you get the most important first I
 mean, there is no web client that do that, and if you really need to
 do something like that, use dovecot and sieve!.  Any client-side
 filtering for 1000's of mails a day, could be slow, unless it is a
 desktop client.

 The main issues with large volumes of mail are being able to visually scan
 through it using a preview pane instead of having to step through each
 message in turn, and being able to mass-move multiple emails by click-select
 and drag-and-drop. These are things that are easy to implement on a desktop
 client, but hard to do on a webmail client. Also, for list mail, threading
 is an essential feature for many people (including myself), and a client
 (either desktop or web) that doesn't support it is simply too non-functional
 to be used except as a backup.

As for threading: it depends on the imap server:

http://squirrelmail.org/wiki/SquirrelMailFeatures   ---  the
question: Can I view my mail list in threaded view? , look at it.

Ildefonso


Re: suitable webmail

2010-02-09 Thread LuKreme
On 8-Feb-2010, at 17:34, Jose Ildefonso Camargo Tolosa wrote:
 
 100% of the servers I have access to, have,
 at least once in the last year, been scanned by a bot (or person, who
 knows) for /roundcoube or similar

And? I have thousands of servers trying to access my machines via sshd every 
single day. This does not mean sshd is insecure.

How many servers have you had be compromised by roundcube installs?

(I have had a server get compromised from Squirrelmail, awstats, and phpbb in 
the past, but none from Roundcube and all were exploited because I did not 
update software quickly enough.)




Re: suitable webmail

2010-02-09 Thread Jose Ildefonso Camargo Tolosa
Hi!

On Tue, Feb 9, 2010 at 1:47 PM, LuKreme krem...@kreme.com wrote:
 On 8-Feb-2010, at 17:34, Jose Ildefonso Camargo Tolosa wrote:

 100% of the servers I have access to, have,
 at least once in the last year, been scanned by a bot (or person, who
 knows) for /roundcoube or similar

 And? I have thousands of servers trying to access my machines via sshd every 
 single day. This does not mean sshd is insecure.

SSH bots are brute force attempts.  It means nothing about the
security of ssh itself.


 How many servers have you had be compromised by roundcube installs?

I don't use roundcube. So: No.


 (I have had a server get compromised from Squirrelmail, awstats, and phpbb in 
 the past, but none from Roundcube and all were exploited because I did not 
 update software quickly enough.)

Usual cause: lack of updates, the question is, sometimes: the response
time to get the issues solved.  The thing is: I'm currently avoiding
roundcube, for the same reason why I used to avoid bind: bad security
history.  It looks like a really promising project, and if they keep
up the good work, they will become a really, really good webmail
system, and not just nice, but also secure.


Re: [OT] suitable webmail

2010-02-08 Thread Stan Hoeppner
K bharathan put forth on 2/2/2010 10:49 AM:
 thanks for all
 
 On Tue, Feb 2, 2010 at 6:05 PM, Carlos Williams carlosw...@gmail.com wrote:
 
 On Tue, Feb 2, 2010 at 8:36 AM, Charles Marcus
 cmar...@media-brokers.com wrote:
 On 2010-02-01 7:17 PM, Stan Hoeppner wrote:
 All of that said, I don't find I'm lacking any functionality with my
 current
 version of Roundcube.

 Then you haven't looked at it... the new features are really nice...

I just installed 0.3.1 from Lenny backports, up from 0.2.2, and in brief testing
I don't really notice any significant new features.  I still don't see a reply
to list option, which would be nice.  What should I be looking for, and where?

Sorry to drudge up an old OT topic.  I'm cc'ing the roundcube list so we can
move this discussion over there.

-- 
Stan


Re: [OT] suitable webmail

2010-02-08 Thread Jose Ildefonso Camargo Tolosa
Hi!

Sorry for keeping the off-topic... but I had to answer

On Mon, Feb 1, 2010 at 4:35 PM, Stan Hoeppner s...@hardwarefreak.com wrote:
 Kay put forth on 2/1/2010 11:49 AM:

 In my job (hosting company) I see boxes exploited via roundcube all the
 time.  Squirrelmail? Not one so far.  Part of the reason is that
 squirrelmail comes with RHEL, so it's kept up to date automatically,
 while customers install their own roundcube and then don't maintain it.


Me too, not just on DCs, even home (DSL dynamic) IPs, these are bots
scanning, and I have found A LOT of roundcube-targeted scans. I have
found lots of access attempts on *all* of the servers I have access
to: more than 10 of them, on different geographical locations.

 I think you're making some incorrect assumptions.  Squirrelmail has had a 
 pretty
 abysmal security track record of its own over the years.  One reason for that 
 is

True: really old ones.

 probably exactly what you're calling out Roundcube for here, which has nothing
 to do with the software, but the administration of the system.  That said, you
 appear to think the world runs on Red Hat, and if Red Hat doesn't have a
 Roundcube package, admins will install from source or an external RPM that
 doesn't get updated by Red Hat's uptodate or whatever it's called.  The world
 doesn't run on Red Hat, and many admins _do_ keep their Roundcube (and other)
 packages up to date.  For instance, I do security updates on my Debian servers
 once a week.  My Roundcube package is currently up to date, and it is a 
 standard
 Debian package:

I use Debian too.

  That said, it's not the only webmail client (or any other web app) that
 gets the installneglect treatment, it's just the one most frequently
 exploited.

 Do you have any empirical data showing that Roundcube is exploited more often
 today than Squirrelmail?  Claims like this really need to be backed up.  Data
 for only your data center doesn't count, the sample size is way too small.  
 This
 is called anecdotal evidence, not empirical evidence.

Ok, you want a sample: 100% of the servers I have access to, have,
at least once in the last year, been scanned by a bot (or person, who
knows) for /roundcoube or similar, and none of them included scans
for squirrelmail-related files.  My sample size: around 20 servers on
~4 different geographical locations.  One of the servers gets hits
constantly by scans looking for files like roundcube/something and
roundcube3/something (yes, 3, I don't know why, it should be 0.3), and
roundcoube0.2/something and so on. I have never ever used
roundcube, because I studied a little about it, and found that it was
still too young, I mean: it needs to grow as a project to get to a
point where major security issues get uncommon.

The other case: my own PC, I have a test web server there, and it
has been hit by these *scans* a lot and it has a dynamic IP... I
recently decided to block the port 80 from outside, and only open it
when I need it to be accessed from outside (it just gets annoying).

Once again, sorry about off-topic, but this is an interesting discussion,

Sincerely,

Ildefonso Camargo


Re: [OT] suitable webmail

2010-02-02 Thread Charles Marcus
On 2010-02-01 7:17 PM, Stan Hoeppner wrote:
 All of that said, I don't find I'm lacking any functionality with my current
 version of Roundcube.

Then you haven't looked at it... the new features are really nice...


Re: [OT] suitable webmail

2010-02-02 Thread Carlos Williams
On Tue, Feb 2, 2010 at 8:36 AM, Charles Marcus
cmar...@media-brokers.com wrote:
 On 2010-02-01 7:17 PM, Stan Hoeppner wrote:
 All of that said, I don't find I'm lacking any functionality with my current
 version of Roundcube.

 Then you haven't looked at it... the new features are really nice...

I would say this is getting pretty off-topic for Postfix discussion.
It looks like most agree that RoundCube, Squirrelmail, or Horde are
great applications and it's up to you to decide which works best for
your needs.

Good luck!


Re: [OT] suitable webmail

2010-02-02 Thread K bharathan
thanks for all

On Tue, Feb 2, 2010 at 6:05 PM, Carlos Williams carlosw...@gmail.com wrote:

 On Tue, Feb 2, 2010 at 8:36 AM, Charles Marcus
 cmar...@media-brokers.com wrote:
  On 2010-02-01 7:17 PM, Stan Hoeppner wrote:
  All of that said, I don't find I'm lacking any functionality with my
 current
  version of Roundcube.
 
  Then you haven't looked at it... the new features are really nice...

 I would say this is getting pretty off-topic for Postfix discussion.
 It looks like most agree that RoundCube, Squirrelmail, or Horde are
 great applications and it's up to you to decide which works best for
 your needs.

 Good luck!



Re: suitable webmail

2010-02-01 Thread Carlos Williams
On Mon, Feb 1, 2010 at 10:52 AM, K bharathan kbhara...@gmail.com wrote:
 hi all
 of course this is a non postfix topic; but i'd like to know from the
 experienced which webmail is best for a postfix pop server
 i'd also have it configured for user soft quota
 guidance appreciated

Postfix is not the POP/IMAP server. Postfix is the MTA generally for
SMTP. IMAP and POP are handled by popular daemons such as Dovecot and
Courier.

95% of the responses will be Squirrelmail.

http://squirrelmail.org/

I recommend and prefer Roundcube.

http://roundcube.net/

Both have great Postfix / Dovecot integration.


Re: suitable webmail

2010-02-01 Thread Luis Daniel Lucio Quiroz
Le Lundi 1 Février 2010 10:04:20, Carlos Williams a écrit :
 On Mon, Feb 1, 2010 at 10:52 AM, K bharathan kbhara...@gmail.com wrote:
  hi all
  of course this is a non postfix topic; but i'd like to know from the
  experienced which webmail is best for a postfix pop server
  i'd also have it configured for user soft quota
  guidance appreciated
 
 Postfix is not the POP/IMAP server. Postfix is the MTA generally for
 SMTP. IMAP and POP are handled by popular daemons such as Dovecot and
 Courier.
 
 95% of the responses will be Squirrelmail.
 
 http://squirrelmail.org/
 
 I recommend and prefer Roundcube.
 
 http://roundcube.net/
 
 Both have great Postfix / Dovecot integration.
roundcube if you want a fancy eye candy webmail


Re: suitable webmail

2010-02-01 Thread Rene Bakkum

Luis Daniel Lucio Quiroz wrote:

Le Lundi 1 Février 2010 10:04:20, Carlos Williams a écrit :
  

On Mon, Feb 1, 2010 at 10:52 AM, K bharathan kbhara...@gmail.com wrote:


hi all
of course this is a non postfix topic; but i'd like to know from the
experienced which webmail is best for a postfix pop server
i'd also have it configured for user soft quota
guidance appreciated
  

Postfix is not the POP/IMAP server. Postfix is the MTA generally for
SMTP. IMAP and POP are handled by popular daemons such as Dovecot and
Courier.

95% of the responses will be Squirrelmail.

http://squirrelmail.org/

I recommend and prefer Roundcube.

http://roundcube.net/

Both have great Postfix / Dovecot integration.


roundcube if you want a fancy eye candy webmail
  

I think the OP asked about a solution with pop server and not with imap.
I don't know for sure if squirrelmail uses imap only, but I know 
roundcube does...
I am personally a roundcube guy, but the only pop freeware pop webmail I 
know is Openwebmail.

http://openwebmail.org/




Re: suitable webmail

2010-02-01 Thread j debert
it seems that roundcube is popular.

It seems to be most popular among bots as well, according to what my
apache logs say. I don't have roundcube but there are frequent
attempts to get to php scripts down in the roundcube directories. I'd
probably see orders of magnitude more if it weren't for fail2ban. I
wonder what it is that makes it so popular?

-- 
jd
==



Re: suitable webmail

2010-02-01 Thread Kay

On 01/02/10 17:09, j debert wrote:

it seems that roundcube is popular.

It seems to be most popular among bots as well, according to what my
apache logs say. I don't have roundcube but there are frequent
attempts to get to php scripts down in the roundcube directories. I'd
probably see orders of magnitude more if it weren't for fail2ban. I
wonder what it is that makes it so popular?


In my job (hosting company) I see boxes exploited via roundcube all the 
time.  Squirrelmail? Not one so far.  Part of the reason is that 
squirrelmail comes with RHEL, so it's kept up to date automatically, 
while customers install their own roundcube and then don't maintain it. 
 That said, it's not the only webmail client (or any other web app) 
that gets the installneglect treatment, it's just the one most 
frequently exploited.


So if you want to run it, be diligent about keeping it up to date, and 
use something like fail2ban.


K


[OT] Re: suitable webmail

2010-02-01 Thread terry

Quoting Kay li...@coffeehabit.net:


On 01/02/10 17:09, j debert wrote:

it seems that roundcube is popular.

It seems to be most popular among bots as well, according to what my
apache logs say. I don't have roundcube but there are frequent
attempts to get to php scripts down in the roundcube directories. I'd
probably see orders of magnitude more if it weren't for fail2ban. I
wonder what it is that makes it so popular?


In my job (hosting company) I see boxes exploited via roundcube all  
the time.  Squirrelmail? Not one so far.  Part of the reason is that  
squirrelmail comes with RHEL, so it's kept up to date automatically,  
while customers install their own roundcube and then don't maintain  
it.  That said, it's not the only webmail client (or any other web  
app) that gets the installneglect treatment, it's just the one most  
frequently exploited.


Squirrelmail works nicely, as does Horde, which seems to be quite a  
bit more complete (integrated calendar, sharing,etc.), however I  
wouldn't put any web app out on the net without using SSL, HTTP Auth  
and fail2ban in front of it. Hacks are much more difficult if the  
attacker can't get to the application directory without a valid login.


The http auth box is ugly and somewhat annoying, however there's a lot  
to be set for a very stable, low-level, simple authentication mechanism.


Terry



Re: suitable webmail

2010-02-01 Thread mouss
j debert a écrit :
 it seems that roundcube is popular.
 
 It seems to be most popular among bots as well, according to what my
 apache logs say. I don't have roundcube but there are frequent
 attempts to get to php scripts down in the roundcube directories. I'd
 probably see orders of magnitude more if it weren't for fail2ban. I
 wonder what it is that makes it so popular?
 

you mean things like
GET /roundcube-0.2//bin/msgimport
GET /round//bin/msgimport
..

they're looking for old versions.. See
http://asert.arbornetworks.com/2009/01/roundcube-webmail-scanning/
http://stateofsecurity.com/?p=550


Funnily enough, they don't try SSL.  (note that enforcing SSL for any
web mail application is a good practice)


Re: suitable webmail

2010-02-01 Thread fakessh
On Mon, 01 Feb 2010 20:39:49 +0100, mouss mo...@ml.netoyen.net wrote:
 j debert wrote:
 it seems that roundcube is popular.
 
 It seems to be most popular among bots as well, according to what my
 apache logs say. I don't have roundcube but there are frequent
 attempts to get to php scripts down in the roundcube directories. I'd
 probably see orders of magnitude more if it weren't for fail2ban. I
 wonder what it is that makes it so popular?
 
 
 you mean things like
   GET /roundcube-0.2//bin/msgimport
   GET /round//bin/msgimport
   ..
 
 they're looking for old versions.. See
 http://asert.arbornetworks.com/2009/01/roundcube-webmail-scanning/
 http://stateofsecurity.com/?p=550
 
 
 Funnily enough, they don't try SSL.  (note that enforcing SSL for any
 web mail application is a good practice)


the current version of roundcube (0.3.1) does not work with the current
mod_security

I failed to get along with the rules of mod_security. 
I simply removed. 
I just read the security alert and I just delete msgimport.sh


Re: [OT] suitable webmail

2010-02-01 Thread Giuseppe De Nicolò

On 02/01/2010 06:49 PM, Kay wrote:

On 01/02/10 17:09, j debert wrote:

it seems that roundcube is popular.

It seems to be most popular among bots as well, according to what my
apache logs say. I don't have roundcube but there are frequent
attempts to get to php scripts down in the roundcube directories. I'd
probably see orders of magnitude more if it weren't for fail2ban. I
wonder what it is that makes it so popular?

Well, I admit I'm one of those guys using it (of course I'm not a 
hosting company), though the reason I use it is that it has decent 
features (well, for a webmail app; it's not an organizer, that's for 
sure) and a very pleasant interface. I used squirrelmail before it; 
it worked very well, though my users did complain about its ugly 
interface. I also considered Horde, but to be honest it seems to me 
overkill as a webmail client, while roundcube is an easy and fast setup 
(even to maintain). So I guess those 2 points make it popular, although 
I see your point.


In my job (hosting company) I see boxes exploited via roundcube all 
the time.  Squirrelmail? Not one so far.  Part of the reason is that 
squirrelmail comes with RHEL, so it's kept up to date automatically, 
while customers install their own roundcube and then don't maintain 
it.  That said, it's not the only webmail client (or any other web 
app) that gets the install-and-neglect treatment, it's just the one most 
frequently exploited.


So if you want to run it, be diligent about keeping it up to date, and 
use something like fail2ban.


K

Well, I agree with you there; I was a bit worried about its security. I 
also have to admit I have had 0.3.0 stable for almost 6 months, and just 
recently I have seen 0.3.1 come out (which I happen to have updated to 
recently), while I'm seeing a lot of security alerts about it.


So the point is I would love to keep using squirrelmail, but it really 
looks old (don't shoot me, I like it) to my users.


Re: suitable webmail

2010-02-01 Thread Stan Hoeppner
Carlos Williams put forth on 2/1/2010 10:04 AM:

 I recommend and prefer Roundcube.
 
 http://roundcube.net/

+1

If you're going to offer webmail, you may as well offer IMAP folders instead of
POP.  JMHO.

I'm an ex Squirrelmail user and switched to Roundcube, mainly for the nicer user
interface.  My Roundcube connects to Dovecot IMAP on the local machine.  IIRC,
when I logged in the first time it grabbed all the IMAP folders automatically.
Back when I originally setup Squirrelmail years ago, I had to subscribe all the
folders manually.  I'm not sure if this is true of the most recent Squirrelmail
though.

Other than Roundcube, for a really nice modern AJAX interface, take a look at
SOGo.  The thing that really impresses me is the right click context menus like
those available in Thunderbird or other GUI mail clients.

I ended up going with Roundcube as I thought SOGo was a bit heavy for my
needs.  Give the demo a go and see what you think:

http://www.scalableogo.org/english/tour/online_demo.html

-- 
Stan


[OT] suitable webmail

2010-02-01 Thread Stan Hoeppner
Kay put forth on 2/1/2010 11:49 AM:

 In my job (hosting company) I see boxes exploited via roundcube all the
 time.  Squirrelmail? Not one so far.  Part of the reason is that
 squirrelmail comes with RHEL, so it's kept up to date automatically,
 while customers install their own roundcube and then don't maintain it.

I think you're making some incorrect assumptions.  Squirrelmail has had a pretty
abysmal security track record of its own over the years.  One reason for that is
probably exactly what you're calling out Roundcube for here, which has nothing
to do with the software, but the administration of the system.  That said, you
appear to think the world runs on Red Hat, and if Red Hat doesn't have a
Roundcube package, admins will install from source or an external RPM that
doesn't get updated by Red Hat's uptodate or whatever it's called.  The world
doesn't run on Red Hat, and many admins _do_ keep their Roundcube (and other)
packages up to date.  For instance, I do security updates on my Debian servers
once a week.  My Roundcube package is currently up to date, and it is a standard
Debian package:

[02:21:52][r...@greer]/$ aptitude show roundcube
Package: roundcube
New: yes
State: installed
Automatically installed: no
Version: 0.2.2-1~bpo50+1
Priority: extra
Section: web
Maintainer: Debian Roundcube Maintainers
pkg-roundcube-maintain...@lists.alioth.debian.org
Uncompressed Size: 94.2k
Depends: roundcube-core (= 0.2.2-1~bpo50+1)
Description: skinnable AJAX based webmail solution for IMAP servers - 
metapackage

  That said, it's not the only webmail client (or any other web app) that
 gets the install-and-neglect treatment, it's just the one most frequently
 exploited.

Do you have any empirical data showing that Roundcube is exploited more often
today than Squirrelmail?  Claims like this really need to be backed up.  Data
for only your data center doesn't count, the sample size is way too small.  This
is called anecdotal evidence, not empirical evidence.

-- 
Stan




Re: suitable webmail

2010-02-01 Thread Jaroslaw Grzabel

K bharathan wrote:

hi all
of course this is a non postfix topic; but i'd like to know from the 
experienced which webmail is best for a postfix pop server

i'd also have it configured for user soft quota
guidance appreciated

I would add from my side... Horde IMP. If you need a good replacement for 
Microsoft Outlook, Horde will definitely meet all your requirements... 
and the default interface is compatible with mobiles, so you can have a 
very light version of webmail. Configuration is a bit of a pain, but once 
configured it stays online forever ;-).

thanks


Regards,
Jarek



Re: [OT] suitable webmail

2010-02-01 Thread Charles Marcus
On 2010-02-01 4:05 PM, Stan Hoeppner wrote:
 My Roundcube package is currently up to date, and it is a standard
 Debian package:
 
 [02:21:52][r...@greer]/$ aptitude show roundcube
 Package: roundcube
 New: yes
 State: installed
 Automatically installed: no
 Version: 0.2.2-1~bpo50+1

Eh? 0.3.1 is the current version, so how is 0.2.2 'up to date'?

-- 

Best regards,

Charles


Re: [OT] suitable webmail

2010-02-01 Thread fakessh
On Mon, 01 Feb 2010 17:17:49 -0500, Charles Marcus
cmar...@media-brokers.com wrote:
 On 2010-02-01 4:05 PM, Stan Hoeppner wrote:
 My Roundcube package is currently up to date, and it is a standard
 Debian package:
 
 [02:21:52][r...@greer]/$ aptitude show roundcube
 Package: roundcube
 New: yes
 State: installed
 Automatically installed: no
 Version: 0.2.2-1~bpo50+1
 
 Eh? 0.3.1 is the current version, so how is 0.2.2 'up to date'?

attention

0.3.1 is the current version , so 0.2.2 is 'up to date'


Re: [OT] suitable webmail

2010-02-01 Thread Ralf Hildebrandt
* fakessh fake...@fakessh.eu:

  Eh? 0.3.1 is the current version, so how is 0.2.2 'up to date'?
 
 attention
 
 0.3.1 is the current version , so 0.2.2 is 'up to date'

That's probably some sort of twisted Debian humor .)


Re: suitable webmail

2010-02-01 Thread j debert

mouss wrote:
 
 you mean things like
   GET /roundcube-0.2//bin/msgimport
   GET /round//bin/msgimport

Not lately.

Most recently, they're looking for version info:
GET /rc/README
GET /webmail/README
GET /roundcube/README
GET /rcube/README
.
.
.
GET /roundcubemail/README
GET /roundcube/CHANGELOG
etc.

and not so recently:
GET /webmail/program/js/list.js
GET /roundcube/program/js/list.js
etc.

Some of the same IPs also probe port 25, connecting then disconnecting
w/o talking to the server. I don't think they like Postfix.

==
jd
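
The probes quoted by mouss and j debert above, picked out of an Apache access log and grouped by client IP. This is an added example, not code from any poster in the thread; the log lines are constructed, and the 404-only rule and the `min_hits` threshold are assumptions.

```python
import re
from collections import defaultdict

# Apache common/combined log format: client IP, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

# Directory and file names taken from the probes quoted in this thread.
PROBE_RE = re.compile(
    r'^/(?:rc|rcube|round|roundcube[^/]*|webmail)/'
    r'(?:bin/msgimport(?:\.sh)?|README|CHANGELOG|program/js/list\.js)$',
    re.IGNORECASE)

# Constructed sample log (documentation-range IPs), not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Feb/2010:10:00:01 +0000] "GET /roundcube-0.2//bin/msgimport HTTP/1.1" 404 208
192.0.2.10 - - [01/Feb/2010:10:00:02 +0000] "GET /round//bin/msgimport HTTP/1.1" 404 208
198.51.100.7 - - [01/Feb/2010:11:30:00 +0000] "GET /rc/README HTTP/1.1" 404 208
198.51.100.7 - - [01/Feb/2010:11:30:01 +0000] "GET /webmail/README HTTP/1.1" 404 208
198.51.100.7 - - [01/Feb/2010:11:30:02 +0000] "GET /roundcube/CHANGELOG HTTP/1.1" 404 208
203.0.113.5 - - [01/Feb/2010:12:00:00 +0000] "GET /index.html HTTP/1.1" 200 1024
203.0.113.5 - - [01/Feb/2010:12:00:01 +0000] "GET /README HTTP/1.1" 404 208
203.0.113.9 - - [01/Feb/2010:12:05:00 +0000] "GET /webmail/program/js/list.js HTTP/1.1" 404 208
""".splitlines()


def normalize(path):
    """Drop the query string and collapse runs of slashes (/round//bin -> /round/bin)."""
    return re.sub(r'/{2,}', '/', path.split('?', 1)[0])


def find_probers(lines, min_hits=2):
    """Map client IP -> sorted distinct Roundcube probe paths that returned 404.

    Only 404s are counted: on a host without Roundcube these requests can
    only come from a scanner. IPs with fewer than min_hits paths are dropped.
    """
    seen = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group('status') != '404':
            continue
        path = normalize(m.group('path'))
        if PROBE_RE.match(path):
            seen[m.group('ip')].add(path)
    return {ip: sorted(p) for ip, p in seen.items() if len(p) >= min_hits}


if __name__ == '__main__':
    for ip, paths in sorted(find_probers(SAMPLE_LOG).items()):
        print(ip, len(paths), ' '.join(paths))
```

On a host that does run Roundcube, the 404 filter has to be replaced by something else, since `program/js/list.js` is fetched by ordinary users there.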



Re: suitable webmail

2010-02-01 Thread LuKreme
On 1-Feb-2010, at 13:39, Stan Hoeppner wrote:
 
 Carlos Williams put forth on 2/1/2010 10:04 AM:
 
 I recommend and prefer Roundcube.
 
 http://roundcube.net/
 
 +1
 
 If you're going to offer webmail, you may as well offer IMAP folders instead 
 of POP.  JMHO.

Yeah, I have to say I don't even understand how webmail+POP3 makes any sense at 
all. 

 I'm an ex Squirrelmail user and switched to Roundcube, mainly for the nicer 
 user interface.

I ran a testbed of Roundcube for my users and while the interface is *much* 
nicer than SquirrelMail, it has proven to be extremely flakey and a massive 
memory hog. Maybe things have improved with the 0.3.x version, but I finally 
had to dump it because it kept causing PHP and Apache to throttle.

 Other than Roundcube, for a really nice modern AJAX interface, take a look at 
 SOGo.  The thing that really impresses me is the right click context menus 
 like those available in Thunderbird or other GUI mail clients.

Thanks for that, I'll take a look at it.

-- 
And now, the rest of the story




Re: [OT] suitable webmail

2010-02-01 Thread Stan Hoeppner
Charles Marcus put forth on 2/1/2010 4:17 PM:
 On 2010-02-01 4:05 PM, Stan Hoeppner wrote:
 My Roundcube package is currently up to date, and it is a standard
 Debian package:

 [02:21:52][r...@greer]/$ aptitude show roundcube
 Package: roundcube
 New: yes
 State: installed
 Automatically installed: no
 Version: 0.2.2-1~bpo50+1
 
 Eh? 0.3.1 is the current version, so how is 0.2.2 'up to date'?

The current discussion relates to keeping security patches current.

http://www.debian.org/security/

All security flaw related new code is back ported and stable versions patched.
You seem to be of the mistaken impression that one must have the latest 'release
version' of a software package to have the latest security patches.  This is not
true of any *nix distro or Windows for that matter.  Heck, M$ is still sending
out security patches via automatic updates to Windows 2000 machines (until June
10 apparently).

If there is a security flaw identified in the version of Roundcube I'm running
(or any package), at some point a patched version will be made available in the
security repository.  Automated or manual upgrades via apt or aptitude will pull
down the patched package and install it.

-- 
Stan


Re: [OT] suitable webmail

2010-02-01 Thread Stan Hoeppner
Ralf Hildebrandt put forth on 2/1/2010 4:31 PM:

 That's probably some sort of twisted Debian humor .)

I wish it was humor...  Debian Stable always lags pretty seriously behind the
cutting edge release versions of a lot of packages.  Then again, from what I
understand, so do RHEL, CentOS, SLES, and some others.  This seems indicative of
Stable or Enterprise releases.  The stability vs features argument, I
assume.

When testing is pushed to stable (not sure of the target date), I'll end up with
Roundcube 3.1 after upgrading.

All of that said, I don't find I'm lacking any functionality with my current
version of Roundcube.

-- 
Stan


RE: suitable webmail

2010-02-01 Thread Gary Smith
  http://roundcube.net/
 
 +1
 
 If you're going to offer webmail, you may as well offer IMAP folders instead
 of
 POP.  JMHO.
 



I think it depends upon the requirements.  For very simple mail and setup, +1 
roundcube.  I have been using horde for some time for my clients (as they use 
more of the calendaring stuff than anything) so if you need something a little 
more advanced, use +1 horde.

Of course, you could offer both (which we do).  For some clients, horde is too 
much, for others roundcube isn't enough.