Security alert for zarafa-server-7.2.4-100 (beginning 2016-12-10)

Thanks to a very dedicated user (Mike) a serious security issue has been found in the default configuration. This bug allows user to access data of any known email account on your system.

Details
zarafa-gateway.service and ical.service are executed as zarafa user. This causes zarafa-server to answer any request as if it came from the administrator. In this case credentials are not checked and every access is granted.

Who is affected?
– Anybody who installed ‘>= zarafa-server-7.2.4-100’ (beginning 2016-12-10) and used the installation script, which installed the default configuration

– Anybody who uses ‘>= zarafa-server-7.2.4-1’ (beginning 2016-08-19), used the default configuration, exposed ical / gateway service (127.0.0.1 => 0.0.0.0) and left the run_as_user unchanged (run_as_user=zarafa)

How to fix?
1) Update zarafa-server to ‘zarafa-server-7.2.4.29-155’. The fix is done during installation.
OR
2) Fix it manually…

$ vi /etc/zarafa/ical.cfg
 run_as_user = nobody
 run_as_group = nobody

$ vi /etc/zarafa/gateway.cfg
 run_as_user = nobody
 run_as_group = nobody

$ vi /usr/lib/tmpfiles.d/zarafa-tmpfiles.conf
 d /run/zarafad 0777 zarafa zarafa
 d /var/run/zarafad 0777 zarafa zarafa

$ rm /var/run/zarafad/ical.pid
$ rm /var/run/zarafad/gateway.pid

$ systemd-tmpfiles –create
$ systemd-tmpfiles –clean

$ systemctl restart zarafa-gateway
$ systemctl restart zarafa-ical

MartiMcFly

9 thoughts on “Security alert for zarafa-server-7.2.4-100 (beginning 2016-12-10)

  1. Marti,

    Thanks again for fixing this so quickly. 🙂 I have a question. I’m having zero luck connecting via TLS. SSL works via 465, but TLS just doesn’t seem to work. Unfortunately, TSL is the goto for most command line clients used on linux servers and there is little to no SSL support or config info available. In order to get notifications working from servers with exim or ssmtp utility installed, I need to figure out what’s going on. Is port 587 enabled by default in our configuration? And, it appears that TLS is enabled in main.cf, is there something i’m missing?

    Thanks!
    Mike Smith

    Reply

    1. admin

      Hey Mike,

      your welcome!

      I’m suprised to hear about tls not working on port 465. It’s configured to be fully encrypted (with TLS enabled). You can’t start unencrypted and change to encrypted mode (STARTTLS). Is this what you want to achieve?

      Submission service has been used many years by mail clients. Today it’s meaning has reduced to delivering mail from any mailclient to the smarthost. For the above reason submission isn’t enabled on this end.

      MartiMcFly

      Reply

    2. admin

      But I think you’re right. I should change to forced starttls.

      This might be it…
      smtp_tls_note_starttls_offer = yes
      smtpd_tls_security_level = encrypt
      smtpd_enforce_tls = yes
      smtpd_tls_auth_only = yes

      Reply

  2. I was able to figure out how to enable this. I edited master.cf and uncommented/added the following:

    submission inet n – n – – smtpd
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject

    After this i’m able to connect via TLS on port 587. Does this look OK to you?

    Thanks,
    Mike Smith

    Reply

  3. Thanks for the info, I’ll play around with that and see what happens. It seems that STARTTLS is needed for most implementations. The submission service is port 587 and it’s configured as strictly a TLS port by default from what I’ve read so far, and what I’m seeing. Once uncommenting the lines above from master.cf, the only noticeable difference was 587 opening with TLS only (SSL doesn’t even work on the submission/587 port. I’ll dig in some more and see what I can find and try out some of your suggestions. It would definitely be a better solution to have SSL and TLS both functioning on 465, as that’s one less port to worry about having open. I’m pretty sure the STARTTLS stuff is where the issue is on 465. I’ll let you know what I find..

    Thanks!
    Mike Smith

    Reply

    1. admin

      Hey Mike,

      I’ve found a good article about SSL/TLS/STARTTLS. It gives good reasons why one should stay with the fully encrpyted method.

      https://www.fastmail.com/help/technical/ssltlsstarttls.html

      Mechanisms were added to each protocol to tell clients that the plaintext protocol supported upgrading to SSL/TLS (i.e. STARTTLS), and that they should not attempt to log in without doing the STARTTLS upgrade. This created two unfortunate situations:

      1. Some software just ignored the “login disabled until upgraded”announcement and just tried to log in anyway, sending the username and password over plaintext. Even if the server then rejected the login, the details had already been sent over the Internet in plaintext.
      2. Other software saw the “login disabled until upgraded” announcement, but then wouldn’t upgrade the connection automatically, and thus reported login errors back to the user, which caused confusion about what was wrong.

      Marti

      Reply

  4. Hey Marti,

    I just wanted to check in and let you know my Arch-Zarafa server has been running absolutely perfectly… All of my iDevices sync via Activesync, perfectly, and Thunderbird/Outlook have also worked flawlessly. Zarafa-WebApp has worked great for web based email and I have had any issues come up at all.

    I’m looking forward to your new additions/modifications WRT adding and configuring server-wide smarthosts within Zarafa-PostfixAdmin; as well as the other changes you’ve hinted at.

    I hope the new year is treating you well and I just wanted to let you know how much I appreciate all you have done here. I’ve been in IT, as a Network Administrator, Security Engineer, and owner of a hosting company for nearly 20 years, and I’ve never been so happy with any of my mail platforms. Arch-Zarafa offers everything Exchange does, and then some, without all of the complex requirements and resources; and it wouldn’t be nearly as easy if it weren’t for the Pietma repo!

    Take care!
    Mike Smith

    Reply

    1. admin

      Hey Mike!

      I’m glad to hear that things work good for you 🙂 Hopefully your start into 2017 has been going good, too?

      After you’ve followed the update process on Install, Run and access Zarafa-Postfix-Admin you can be able to manage your smarthost in the setting of your specific domain.

      Things keep me realy busy the last time…

      – New VM buildservers for x86 / x64 / Crosscompilation
      – Update to Zarafa 7.2.5 / Kopano Webapp
      – Migration to Kopano
      – New features in ZPA like smarthost/better updateprocess
      – New posts on pietma.com
      – Search for a better question/answer forum (migration of old comments)
      – Better layout for pietma.com

      I could use help on all of this things 🙂

      Marti

      Reply

Leave a Reply

Your email address will not be published. Required fields are marked *