postfixadmin

Postfixadmin updated to 2.3.5

The Postfix Admin team has just released PostfixAdmin 2.3.5, a security update that fixes several SQL injection (CVE-2012-0811) and XSS (CVE-2012-0812) vulnerabilities. This is an important update and you are all advised to upgrade as soon as possible. Be warned that backups created with backup.php from 2.3.4 and earlier can contain SQL injections that will be executed when you restore the backup. In other words: double-check old backups before restoring them!

For reference, here’s the full changelog for 2.3.5:

  • fix SQL injection in pacrypt() (if $CONF[encrypt] == 'mysql_encrypt')
  • fix SQL injection in backup.php – the dump was not mysql_escape()d, therefore users could inject SQL (for example in the vacation message) which will be executed when restoring the database dump.
  • fix XSS with $_GET[domain] in templates/menu.php and edit-vacation
  • fix XSS in some create-domain input fields
  • fix XSS in create-alias and edit-alias error message
  • fix XSS (by values stored in the database) in fetchmail list view, list-domain and list-virtual
  • create-domain: fix SQL injection (only exploitable by superadmins)
  • add missing $LANG['pAdminDelete_admin_error']
  • don’t mark mailbox targets with recipient delimiter as “forward only”
  • wrap hex2bin with function_exists() – PHP 5.3.8 has it as a native function
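The warning above about backup.php dumps from 2.3.4 and earlier, and the changelog entry on the unescaped dump, describe a restore that executes whatever was stored in a field such as the vacation message. The Python script below is an added example, not part of the original post or of PostfixAdmin: it audits a dump before it is fed to mysql, accepting a line only if it is blank, a comment, or exactly one INSERT whose VALUES list consists of properly escaped string literals, numbers or NULL with nothing after the terminating semicolon, and reports every other line for manual review. The sample dump lines and the function names are constructed for this example.

```python
import re

# Constructed sample (not a real backup.php dump): lines 2-3 are well formed,
# line 4 has an unescaped apostrophe, line 5 carries a second statement.
SAMPLE_DUMP = r"""-- vacation table, constructed sample
INSERT INTO vacation (email, subject, body) VALUES ('alice@example.test', 'Out of office', 'Back on Monday');
INSERT INTO vacation (email, subject, body) VALUES ('bob@example.test', 'Away', 'I\'m out; see Carol\'s mailbox');
INSERT INTO vacation (email, subject, body) VALUES ('carol@example.test', 'Hi', 'Carol's mailbox');
INSERT INTO vacation (email, subject, body) VALUES ('dave@example.test', 'x', 'y'); SELECT 1; -- ');
"""

# A value is a MySQL string (backslash or doubled-quote escaping), NULL, or a number.
VALUE = r"(?:'(?:[^'\\]|\\.|'')*'|NULL|-?\d+(?:\.\d+)?)"
TUPLE = r"\(\s*%s\s*(?:,\s*%s\s*)*\)" % (VALUE, VALUE)
INSERT = r"INSERT INTO\s+`?\w+`?\s*(?:\([^)]*\)\s*)?VALUES\s*%s(?:\s*,\s*%s)*\s*;" % (TUPLE, TUPLE)
PREFIX = re.compile(INSERT, re.I)            # one well-formed INSERT at the start of the line
STRICT = re.compile(INSERT + r"\s*$", re.I)  # ...and nothing whatsoever after it

def check_line(line):
    """None if the line is blank, a comment, or exactly one well-formed INSERT; else a reason."""
    if not line.strip() or line.startswith("--") or line.startswith("#"):
        return None
    if STRICT.match(line):
        return None
    m = PREFIX.match(line)
    if m:
        return "extra SQL after the INSERT: %r" % line[m.end():m.end() + 40]
    if line.upper().startswith("INSERT"):
        return "VALUES list does not parse (unescaped quote in a value?)"
    return "not an INSERT statement, review by hand"

def audit_dump(text):
    """Return [(line_no, reason)] for every line to inspect before feeding the dump to mysql."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        reason = check_line(line)
        if reason is not None:
            findings.append((n, reason))
    return findings
```

Run it over a real dump with audit_dump(open(path).read()) and inspect every reported line by hand; a clean result only means the dump is syntactically one statement per line, so the flagged lines are where a restore would run unintended SQL.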

The mail server on Lion

Whilst upgrading my production server, the one you’re getting these pages served by, to Lion and reinstalling all the programs on it, I’ve also found time to write everything down for you to use when you upgrade to Lion. We already had the MAMP stuff tested and documented, but now all the mail server components have been tested and written up as well.

http://diymacserver.com/mail/lion/

So enjoy your new installation of Lion with these instructions.

In the coming week I will move all my stuff to the new Mini, hopefully without too many interruptions in our service.

Postfixadmin upgraded to version 2.2.1.1

Development of Postfixadmin, the web-based tool that lets you maintain your Postfix mail server installation, is moving forward a lot faster than in the last few years.

New is the all-in-one interface in which both the super user and the domain admin work. In 2.1.0 there was a subdirectory called admin which needed to be secured separately; it is now a single interface.

The new version still has the same problem as the old one: it sends the SMTP commands too fast, which results in this error in the mail log:

BD5DAF029E: reject: DATA from localhost[127.0.0.1]: 503 5.5.0 : Data command rejected: Improper use of SMTP command pipelining; from= to= proto=ESMTP helo=

This is easily solved by once again editing ‘functions.inc.php’. Open the file, find the function ‘smtp_mail’ and change the following code:

fputs ($fh, "EHLO $smtp_server\r\n");
$res = smtp_get_response($fh);
fputs ($fh, "MAIL FROM:<$from>\r\n");
$res = smtp_get_response($fh);
fputs ($fh, "RCPT TO:<$to>\r\n");
$res = smtp_get_response($fh);
fputs ($fh, "DATA\r\n");
$res = smtp_get_response($fh);
fputs ($fh, "$data\r\n.\r\n");
$res = smtp_get_response($fh);
fputs ($fh, "QUIT\r\n");
$res = smtp_get_response($fh);
fclose ($fh);

into

fputs ($fh, "EHLO $smtp_server\r\n");
$res = smtp_get_response($fh);
usleep(10000); // pause 10 ms (usleep takes microseconds) before sending the next command
fputs ($fh, "MAIL FROM:<$from>\r\n");
$res = smtp_get_response($fh);
usleep(10000);
fputs ($fh, "RCPT TO:<$to>\r\n");
$res = smtp_get_response($fh);
usleep(10000);
fputs ($fh, "DATA\r\n");
$res = smtp_get_response($fh);
usleep(10000);
fputs ($fh, "$data\r\n.\r\n");
$res = smtp_get_response($fh);
usleep(10000);
fputs ($fh, "QUIT\r\n");
$res = smtp_get_response($fh);
fclose ($fh);

Full instructions on how to upgrade your current 2.1.0 installation to 2.2.x can be found here: Upgrading Postfix Admin 2.1.0 to 2.2.x

Postfixadmin upgraded to 2.2.0

After more than 3 years there is a new release of Postfixadmin, the web-based tool that lets you maintain your Postfix mail server installation. It assists in the creation of mail addresses and aliases.

New is the all-in-one interface in which both the super user and the domain admin work. In 2.1.0 there was a subdirectory called admin which needed to be secured separately; it is now a single interface.

The new version still has the same problem as the old one: it sends the SMTP commands too fast, which results in this error in the mail log:

BD5DAF029E: reject: DATA from localhost[127.0.0.1]: 503 5.5.0 : Data command rejected: Improper use of SMTP command pipelining; from= to= proto=ESMTP helo=

This is easily solved by once again editing ‘functions.inc.php’. Open the file, find the function ‘smtp_mail’ and change the following code:

fputs ($fh, "EHLO $smtp_server\r\n");
$res = smtp_get_response($fh);
fputs ($fh, "MAIL FROM:<$from>\r\n");
$res = smtp_get_response($fh);
fputs ($fh, "RCPT TO:<$to>\r\n");
$res = smtp_get_response($fh);
fputs ($fh, "DATA\r\n");
$res = smtp_get_response($fh);
fputs ($fh, "$data\r\n.\r\n");
$res = smtp_get_response($fh);
fputs ($fh, "QUIT\r\n");
$res = smtp_get_response($fh);
fclose ($fh);

into

fputs ($fh, "EHLO $smtp_server\r\n");
$res = smtp_get_response($fh);
usleep(10000); // pause 10 ms (usleep takes microseconds) before sending the next command
fputs ($fh, "MAIL FROM:<$from>\r\n");
$res = smtp_get_response($fh);
usleep(10000);
fputs ($fh, "RCPT TO:<$to>\r\n");
$res = smtp_get_response($fh);
usleep(10000);
fputs ($fh, "DATA\r\n");
$res = smtp_get_response($fh);
usleep(10000);
fputs ($fh, "$data\r\n.\r\n");
$res = smtp_get_response($fh);
usleep(10000);
fputs ($fh, "QUIT\r\n");
$res = smtp_get_response($fh);
fclose ($fh);

Full instructions on how to upgrade your current 2.1.0 installation to 2.2.0 can be found here: Upgrading Postfix Admin 2.1.0 to 2.2.0
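Both smtp_mail edits above (for 2.2.0 and 2.2.1.1) insert a pause between commands. The Python client below is an added example, not the author's patch and not PostfixAdmin code: it sends the same EHLO, MAIL FROM, RCPT TO, DATA and QUIT sequence, but goes beyond the fix in the text by sending each command only after the previous reply has been read to its last line (RFC 5321 marks continuation lines with '-' in the fourth column). A client that consumes only the first line of a multi-line reply, such as the EHLO capability list, mistakes the leftover lines for later replies and runs ahead of the server, which is one way to earn exactly this pipelining rejection. The server transcript and the names read_reply, smtp_send and run_demo are constructed for this example.

```python
import io
# Constructed server transcript (not a real capture); the EHLO reply is
# multi-line and must be read to its last line before MAIL FROM is sent.
SERVER_REPLIES = (b"220 mail.example.test ESMTP Postfix\r\n"
                  b"250-mail.example.test\r\n250-SIZE 10240000\r\n250 8BITMIME\r\n"
                  b"250 2.1.0 Ok\r\n250 2.1.5 Ok\r\n354 End data with <CR><LF>.<CR><LF>\r\n"
                  b"250 2.0.0 Ok: queued as 3F2A1B\r\n221 2.0.0 Bye\r\n")

def read_reply(rfile):
    """Read one complete SMTP reply (RFC 5321 s.4.2): 3-digit code, then '-'
    in column 4 while more lines follow. Returns (code, lines)."""
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("server closed the connection mid-reply")
        line = raw.decode("utf-8", "replace").rstrip("\r\n")
        if len(line) < 3 or not line[:3].isdigit():
            raise ValueError("malformed SMTP reply line: %r" % line)
        lines.append(line)
        if len(line) == 3 or line[3] != "-":
            return int(line[:3]), lines

def smtp_send(rfile, wfile, helo_name, sender, recipient, data):
    """Same command sequence as smtp_mail(), but each command goes out only after
    the previous reply is fully consumed. rfile/wfile are binary file objects
    (e.g. sock.makefile('rb') and sock.makefile('wb')). Returns the reply codes."""
    codes = [read_reply(rfile)[0]]                  # 220 greeting comes first
    def command(cmd, ok):
        wfile.write(cmd.encode("utf-8") + b"\r\n")
        wfile.flush()
        code, lines = read_reply(rfile)
        codes.append(code)
        if code not in ok:                          # 4xx/5xx: stop, do not plough on
            raise RuntimeError("%s rejected: %s" % (cmd.split()[0], lines[-1]))
    command("EHLO " + helo_name, {250})
    command("MAIL FROM:<%s>" % sender, {250})
    command("RCPT TO:<%s>" % recipient, {250, 251})
    command("DATA", {354})
    # dot-stuff body lines that start with '.' (RFC 5321 s.4.5.2), then end with '.'
    body = "\r\n".join("." + l if l.startswith(".") else l for l in data.split("\r\n"))
    command(body + "\r\n.", {250})
    command("QUIT", {221})
    return codes

def run_demo():
    rfile, wfile = io.BytesIO(SERVER_REPLIES), io.BytesIO()
    codes = smtp_send(rfile, wfile, "localhost", "postmaster@example.test",
                      "user@example.test", "Subject: test\r\n\r\n.leading dot")
    return codes, wfile.getvalue()                  # (reply codes, bytes the client sent)
```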