Topic: URGENT: security fix required for Nginx configured by iRedMail
Dear all,
We discovered 2 security issues with the Nginx settings configured by iRedMail; please follow the tutorial below to fix them.
About the issue
The default Nginx settings configured by iRedMail do not block access to the per-user GPG keys generated by the Roundcube `enigma` plugin (the plugin is enabled by default with default iRedMail settings), nor to dot files.
For more details, please check link below:
http://legacysecuritygroup.com/cve/refe … enigma.txt
All credit goes to bitbucket user @exploitagency, thanks for the report in our issue tracker:
https://bitbucket.org/zhb/iredmail/issu … th-default
Affected Linux/BSD distributions
It affects ALL Linux/BSD distributions supported by iRedMail with Nginx running.
Affected iRedMail releases
- It affects iRedMail-0.9.0 and later releases.
- It affects iRedMail load-balance cluster.
How to fix it
Please open file /etc/nginx/templates/roundcube.tmpl (Linux/OpenBSD) or /usr/local/etc/nginx/templates/roundcube.tmpl (FreeBSD) and add the lines below ABOVE any existing lines:
```
# Block access to default directories and files under these directories
location ~ /mail/(bin|config|installer|logs|SQL|temp|vendor)($|/.*) { deny all; }
# Block access to default files under the top directory, and files starting with the same name.
location ~ /mail/(CHANGELOG|composer.json|INSTALL|jsdeps.json|LICENSE|README|UPGRADING)($|.*) { deny all; }
# Block plugin config files and sample config files.
location ~ /mail/plugins/.*/config.inc.php.* { deny all; }
# Block access to plugin data
location ~ /mail/plugins/enigma/home($|/.*) { deny all; }
```
Please open file /etc/nginx/templates/roundcube-subdomain.tmpl (Linux/OpenBSD) or /usr/local/etc/nginx/templates/roundcube-subdomain.tmpl (FreeBSD) and add the lines below ABOVE any existing lines:
```
# Block access to default directories and files under these directories
location ~ /(bin|config|installer|logs|SQL|temp|vendor)($|/.*) { deny all; }
# Block access to default files under the top directory, and files starting with the same name.
location ~ /(CHANGELOG|composer.json|INSTALL|jsdeps.json|LICENSE|README|UPGRADING)($|.*) { deny all; }
# Block plugin config files and sample config files.
location ~ /plugins/.*/config.inc.php.* { deny all; }
# Block access to plugin data
location ~ /plugins/enigma/home($|/.*) { deny all; }
```
Open files /etc/nginx/sites-available/00-default.conf AND 00-default-ssl.conf and make sure the template file `misc.tmpl` is loaded before the other template files. For example, the existing config file may look like this:
```
server {
...
include ...;
include ...;
include /etc/nginx/templates/misc.tmpl;
}
```
Please move the `misc.tmpl` line above any other `include` directive. The final setting should look like this:
```
server {
...
include /etc/nginx/templates/misc.tmpl;
include ...;
include ...;
}
```
Note: Nginx in iRedMail-0.9.7 loads modular config files from /etc/nginx/sites-conf/default/ and /etc/nginx/sites-conf/default-ssl/ instead of storing all directives for the default web hosts in one file; in this case you need to:
*) rename file /etc/nginx/sites-conf/default/99-include-tmpl-misc.conf to /etc/nginx/sites-conf/default/1-include-tmpl-misc.conf
*) rename file /etc/nginx/sites-conf/default-ssl/99-include-tmpl-misc.conf to /etc/nginx/sites-conf/default-ssl/1-include-tmpl-misc.conf
Restarting the Nginx service is required for the change to take effect.
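Why the order of the `include` lines matters: Nginx tests `location ~` regex blocks in the order they appear in the configuration and the first matching block wins, so a `deny all` rule only protects a path if it is evaluated before the block that would otherwise serve or execute that path. The following is an added example, not code from the iRedMail project or the Nginx distribution. It models that first-match rule in Python, applies the four `roundcube.tmpl` deny rules from this post to a few constructed request URIs, and contrasts the fixed ordering with a broken one. The dot-file rule (`/\.`) and the PHP handler rule (`\.php$`) are assumptions standing in for what `misc.tmpl` and the Roundcube template contain; the real templates may differ. The model assumes URIs are already normalised (percent-decoded, `..` resolved), as Nginx does before location matching.

```python
import re

# Deny rules from the roundcube.tmpl fix in this post, in the order given there.
# Nginx applies regex locations as unanchored PCRE searches on the URI; re.search mirrors that.
ROUNDCUBE_DENY = [
    (r"/mail/(bin|config|installer|logs|SQL|temp|vendor)($|/.*)", "deny"),
    (r"/mail/(CHANGELOG|composer.json|INSTALL|jsdeps.json|LICENSE|README|UPGRADING)($|.*)", "deny"),
    (r"/mail/plugins/.*/config.inc.php.*", "deny"),
    (r"/mail/plugins/enigma/home($|/.*)", "deny"),
]

# ASSUMPTION: misc.tmpl blocks dot files with a rule like this. Constructed for the example.
MISC_DOTFILE = [(r"/\.", "deny")]

# ASSUMPTION: a generic handler that hands *.php requests to PHP-FPM. Constructed for the example.
PHP_HANDLER = [(r"\.php$", "fastcgi")]

# Ordering after the fix (misc.tmpl first, then the deny rules, then the PHP handler)
# versus a broken ordering where the PHP handler is evaluated before any deny rule.
FIXED = MISC_DOTFILE + ROUNDCUBE_DENY + PHP_HANDLER
BROKEN = PHP_HANDLER + ROUNDCUBE_DENY + MISC_DOTFILE

# Constructed sample URIs: sensitive paths from the advisory plus legitimate Roundcube requests.
SAMPLES = [
    "/mail/plugins/enigma/home/alice@example.com/pubring.gpg",  # per-user GPG keyring
    "/mail/config/config.inc.php",                               # Roundcube config (DB password)
    "/mail/plugins/managesieve/config.inc.php.dist",             # sample plugin config
    "/mail/.htaccess",                                           # dot file
    "/mail/configuration.php",                                   # not under /mail/config/, must not be denied
    "/mail/index.php",                                           # normal application entry point
    "/mail/skins/elastic/styles/styles.css",                     # static asset
]


def resolve(locations, uri):
    """Return the action of the first regex location matching `uri`.

    This is the first-match rule Nginx uses among `location ~` blocks.
    A URI matched by no regex location falls through to the prefix
    location serving the document root, modelled here as 'static'.
    """
    for pattern, action in locations:
        if re.search(pattern, uri):
            return action
    return "static"


def classify(locations, uris=SAMPLES):
    """Map each sample URI to the action the given location order produces."""
    return {uri: resolve(locations, uri) for uri in uris}


if __name__ == "__main__":
    for label, order in (("fixed order", FIXED), ("broken order", BROKEN)):
        print(f"== {label} ==")
        for uri, action in classify(order).items():
            print(f"{action:8} {uri}")
```

In the fixed order every sensitive path resolves to `deny`, while `/mail/index.php` still reaches the PHP handler and `/mail/configuration.php` is served normally because the `($|/.*)` guard stops `config` from matching a longer name. In the broken order `/mail/config/config.inc.php` ends in `.php`, so the handler rule matches first and the deny rule is never consulted. Note that the unescaped dot in `composer.json` matches any single character, which only widens that deny rule and is harmless.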