Our InterWorx boxes have “Strong” passwords configured as a requirement. However, many of our users continued to make obviously weak passwords (PIN numbers, dictionary words, etc.). And of course many of those mailboxes get hacked.
Tonight I noticed that RoundCube, and I suspect the other webmail clients provided by InterWorx, will permit any strength passwords. For example, I just set my own password to “1” and then proved it took by changing my password back but only after providing “1” as my current password. Almost none of our customers actually use the control panel to set their own email password, so we’ve been really operating under a false sense of password security all this time. :-/
[QUOTE=jimp;22028]Our InterWorx boxes have “Strong” passwords configured as a requirement. However, many of our users continued to make obviously weak passwords (PIN numbers, dictionary words, etc.). And of course many of those mailboxes get hacked.
Tonight I noticed that RoundCube, and I suspect the other webmail clients provided by InterWorx, will permit any strength passwords. For example, I just set my own password to “1” and then proved it took by changing my password back but only after providing “1” as my current password. Almost none of our customers actually use the control panel to set their own email password, so we’ve been really operating under a false sense of password security all this time. :-/[/QUOTE]
Hey jimp, I wasn’t aware of this behavior. I’ll see what we can do about it.
The issue raised by jimp was not a result of hacking by them.
It is a big weakness within the webmail/email services, and all 3 webmail services allow the same reset, apart from 1, which requires a minimum of 3 alphanumeric characters.
I would hope this is addressed as a priority as, in my experience, most users will always set an easy password, and therefore have a greater chance of being hacked by the bad people, and your systems then being used for sending spam, DDoS of other mail services etc., and then there’s the real headache of having to clean your IP when you’ve been blacklisted.
I hope this makes more sense and also explains why it is so important to be corrected to maintain strong passwords.
We set up our own install of Roundcube. That way, we don’t have password reset capabilities in the webmail, and we could also add an addon to enforce verification of email addresses for personas.
In a default Roundcube install, anyone can add any email address to send as, without having to verify that you have access to the address.
It also lets us continually update the client. And provide a login form directly on our site.
That sounds like a lovely feature to have and I’d be interested to know how we set that up on our systems so we can introduce it, to secure our systems. If you don’t mind, you could PM me, or sorry if I am asking too much, and please ignore.
If IW were to adopt it, it would make a great feature in your new theme.
We just set up a Roundcube install with addons from myroundcube.
For the external login, we had to adapt the autologon addons in myroundcube. I will try and package the changes and send them your way. You will need to program some security precautions to avoid XSS and man-in-the-middle attacks (don’t want to release that part of the code, for our internal security). But the code works.
A way to implement XSS security is to have a common MySQL database with a table that handles temporary token hashes with a timestamp. We discussed a solution like this when we did the implementation earlier. But decided on another solution. Perhaps it’s something that we can improve together.
Roundcube is set up to use the domain name of the user to connect with the right mail server. And I have been in the conf file to change the destination of the ‘/webmail’ proxy. Letting all the customers access the webmail via ‘<domain>/webmail’
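As an added illustration of the shared-table token handoff sketched above (this is not Evanion’s code, nor part of the InterWorx or myroundcube autologon plugin): the site that already authenticated the user issues a random, short-lived token and stores only its hash, and the webmail side redeems the hash exactly once. SQLite in memory stands in for the shared MySQL table so the snippet runs offline; the function names, the 60-second lifetime and the table layout are assumptions.

```php
<?php
// Added example: single-use, time-limited login handoff token stored by hash.
// Uses SQLite in memory here; the same table works on a shared MySQL server.

const TOKEN_TTL_SECONDS = 60; // assumed lifetime of a handoff token

function openTokenStore(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Only the SHA-256 of the token is stored, so reading this table
    // does not yield tokens that can still be redeemed.
    $db->exec('CREATE TABLE login_tokens (
        token_hash TEXT PRIMARY KEY,
        username   TEXT NOT NULL,
        expires_at INTEGER NOT NULL)');
    return $db;
}

// Site side: called after the user has logged in on the main site.
// Returns the raw token to put in the form/redirect to webmail.
function issueToken(PDO $db, string $username): string {
    $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
    $stmt = $db->prepare('INSERT INTO login_tokens (token_hash, username, expires_at)
                          VALUES (?, ?, ?)');
    $stmt->execute([hash('sha256', $token), $username, time() + TOKEN_TTL_SECONDS]);
    return $token;
}

// Webmail side (what the autologon plugin would call): exchange the token
// for a username once. Returns null for unknown, expired or replayed tokens.
function redeemToken(PDO $db, string $token): ?string {
    $hash = hash('sha256', $token);
    $db->beginTransaction();
    $stmt = $db->prepare('SELECT username, expires_at FROM login_tokens WHERE token_hash = ?');
    $stmt->execute([$hash]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Delete whether or not it was valid, so a second presentation finds nothing.
    $db->prepare('DELETE FROM login_tokens WHERE token_hash = ?')->execute([$hash]);
    $db->commit();
    if ($row === false || (int)$row['expires_at'] < time()) {
        return null;
    }
    return $row['username'];
}

$db = openTokenStore();
$t  = issueToken($db, 'user@example.com'); // constructed sample login
var_dump(redeemToken($db, $t));            // first use of the token
var_dump(redeemToken($db, $t));            // same token presented again
var_dump(redeemToken($db, 'not-a-token')); // unknown token
```

This only stops replay and stale tokens; the token still has to travel over HTTPS, which is why the SSL settings for the form matter as much as the table.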
I think there’s always going to be issues with any implementation re security or vulnerabilities, and if I can help, please let me know, but as you know, it would always be a fluid battle for xss, mim and I totally understand over not releasing this code.
I will try this on our cluster test when it’s ready and we have finished our initial tests.
Here are the files you asked for.
The autologon folder should be placed in your Roundcube install’s ‘plugin’ folder (there should already be an autologon folder there).
The version of autologon supplied in the package is customized, and should replace any pre-existing files.
The HTML file contains the form.
Please update any ‘yourdomain.com’ with the address to your webmail.
The form and autologon script are configured to connect over SSL.
Here is the main.inc.php config:
// IMAP host. '%s' is replaced with the domain part of the login name, so each
// customer's webmail session goes to their own mail server. SSL variant commented out:
//$rcmail_config['default_host'] = 'ssl://%s';
$rcmail_config['default_host'] = '%s';
// TCP port used for IMAP connections (993 goes with the ssl:// host, 143 is plain IMAP)
//$rcmail_config['default_port'] = 993;
$rcmail_config['default_port'] = 143;
Many thanks and sorry for late reply, it’s been a long day.
I’ll download this tomorrow and test on our test cluster.
I hope you don’t mind, but to anyone who also downloads this, please note Evanion’s warning over XSS and mim. Use at your own risk and there is no support or acceptance of any liability whatsoever. If you don’t understand the risk, please do not implement this on your systems.