1

Topic: Must we download binaries via http to update iRedMail?

Hi,

I was updating iRedMail to the new version, but I noticed the upgrade tutorial tells me to download iRedAPD from http://www.iredmail.org/yum/misc/ which uses no https, and provides no checksum to validate that my download is what I expect.

Is that not a security concern?

Thanks

2

Re: Must we download binaries via http to update iRedMail?

iRedMail will check MD5 during installation, but if you download files separately, you have to verify it manually.

You can also download the latest version on bitbucket.org:
Http://bitbucket.org/zhb/iredapd/downloads

3

Re: Must we download binaries via http to update iRedMail?

Thanks for the bitbucket link! (it has a formatting error btw)

What about iRedAdmin-0.4.tar.bz2 ?
I don't see it on bitbucket.
Will it also automatically check MD5?

Thank you

4

Re: Must we download binaries via http to update iRedMail?

Same as iRedAPD, you have to verify it manually.

I will upload iRedAdmin on bitbucket.org later. (sick today, please give me some time)

5

Re: Must we download binaries via http to update iRedMail?

ZhangHuangbin wrote:

Same as iRedAPD, you have to verify it manually.

I will upload iRedAdmin on bitbucket.org later. (sick today, please give me some time)

How is manual verification done?

Get well soon!

6

Re: Must we download binaries via http to update iRedMail?

gaudec wrote:

How is manual verification done?

Download the package from http://www.iredmail.org/yum/misc/, then find the MD5 code in the file shipped with iRedMail: pkgs/MD5.misc (or pkgs/MD5.openbsd, SHASUM.freebsd).
Or, download them separately from the bitbucket.org project page.

7

Re: Must we download binaries via http to update iRedMail?

Thank you for the bitbucket binary! I'll use that.

Isn't it that downloading the MD5 via http allows someone to do a MITM and send us an altered binary with a valid MD5 for it?

8

Re: Must we download binaries via http to update iRedMail?

Man in the middle?
If you download from bitbucket.org and the file is modified by someone, then bitbucket.org is hacked.

9

Re: Must we download binaries via http to update iRedMail?

Sorry, I meant when downloading from http://www.iredmail.org/yum/misc/ not from bitbucket.org, which does use https.

10 (edited by phillipsjk 2015-01-13 17:11:38)

Re: Must we download binaries via http to update iRedMail?

As I assume we all know, it is trivial to manipulate unauthenticated packets in transit as is demonstrated by the Upsidedownternet page.

However, a careful review of the method used reveals that simply checking the download with the MD5 function is not sufficient to guard against deliberate tampering. The reason is that MD5 is no longer considered cryptographically secure. There is even software available to generate MD5 collisions.

SHA-1 is better, but considered deprecated.

Edit: Slight correction: it is apparently easier to generate two matching files than to generate a second file matching one that cannot change. In other words, in the case of a malicious MD5 collision, we are likely talking about a server compromise anyway.

11 (edited by gaudec 2016-07-22 03:33:37)

Re: Must we download binaries via http to update iRedMail?

Hi, I was going to update my server again, but realized the most recent binaries are missing from https://bitbucket.org/zhb/iredapd/downloads

They are only found at http://www.iredmail.org/yum/misc/ but still without https.

The update instructions recommend using the insecure http URL. Isn't iRedMail an important infrastructure component, and as such shouldn't it be securely distributed? Projects of this type normally include detailed instructions about verifying packages before installing them. Why is this not considered important in iRedMail? Or maybe I'm getting it wrong?

Cheers

12

Re: Must we download binaries via http to update iRedMail?

*) Updating iRedMail doesn't require the latest iRedMail installer. Please follow our tutorial here: http://www.iredmail.org/docs/iredmail.releases.html

*) Downloading packages doesn't send/receive any sensitive info (e.g. no username/password submitted), so http:// is ok in this case. We will switch to https soon.

13

Re: Must we download binaries via http to update iRedMail?

Thanks for your reply!

ZhangHuangbin wrote:

*) Updating iRedMail doesn't require the latest iRedMail installer. Please follow our tutorial here: http://www.iredmail.org/docs/iredmail.releases.html

I follow that link. Then I click on "Upgrade from iRedMail-0.9.4" > "Upgrade iRedAPD (Postfix policy server) to the latest stable release (1.9.0)" > "Upgrade iRedAPD to the latest stable release" and it instructs me to download via HTTP the latest iRedAPD file. It seems to me like it's asking me to download code to run on my server via HTTP.

ZhangHuangbin wrote:

*) Downloading packages doesn't send/receive any sensitive info (e.g. no username/password submitted), so http:// is ok in this case. We will switch to https soon.

I would say that programs that are going to run on my server are sensitive stuff. It would be fine to download them via HTTP, IF there was a way to download a secure hash via HTTPS to then verify that the downloaded program was what you shared with us and not something else. If the hash comes via HTTP, then I can still get a bad program that matches the bad hash. If you send me a program on a postcard, someone on the way could change a few characters on that postcard, and I would never know it happened. Isn't it like that?
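The manual verification described in post 6 (look up the package's digest in the pkgs/MD5.misc list shipped with iRedMail and compare it with the downloaded file) and the point made just above (the checksum list only helps if it arrived over a channel the attacker could not rewrite) can be turned into a small script. The following is an added example, not iRedMail's own upgrade or installer code; it assumes md5sum and sha256sum from GNU coreutils, and the package name iRedAPD-x.y.z.tar.bz2 plus its checksum list are constructed on the fly for the demonstration.

```shell
#!/bin/sh
# Added example (not part of iRedMail): verify a downloaded package against a
# checksum list in the "<digest>  <filename>" format written by md5sum and
# sha256sum, which is also the layout of the pkgs/MD5.misc file mentioned in the
# thread. The list is only a trust anchor if it was itself obtained over a
# trusted channel (e.g. inside the iRedMail tarball fetched over https); a list
# fetched over plain http can be rewritten together with the package.

# verify_checksum <file> <sums-file> [md5|sha256]
# Exit status: 0 digest matches, 1 mismatch, 2 file not listed, 3 bad algorithm.
verify_checksum() {
    file="$1"; sums="$2"; algo="${3:-md5}"
    name=$(basename "$file")
    case "$algo" in
        md5)    tool=md5sum ;;
        sha256) tool=sha256sum ;;
        *) echo "unsupported algorithm: $algo" >&2; return 3 ;;
    esac
    # Expected digest: first field of the line whose filename field matches.
    # md5sum may prefix the name with '*' (binary mode); strip it before comparing.
    expected=$(awk -v n="$name" '{ f = $2; sub(/^\*/, "", f); if (f == n) { print $1; exit } }' "$sums")
    [ -n "$expected" ] || { echo "$name: not listed in $sums" >&2; return 2; }
    actual=$("$tool" "$file" | awk '{ print $1 }')
    if [ "$actual" = "$expected" ]; then
        echo "$name: OK ($algo)"
        return 0
    fi
    echo "$name: MISMATCH ($algo) expected $expected, got $actual" >&2
    return 1
}

# Constructed sample data for the demonstration (hypothetical package name):
# a good package, the checksum list generated from it, a tampered copy with the
# same name in a sub-directory, and a file the list does not mention.
# Prints the directory it created.
make_demo() {
    d=$(mktemp -d)
    printf 'iRedAPD sample payload\n' > "$d/iRedAPD-x.y.z.tar.bz2"
    md5sum "$d/iRedAPD-x.y.z.tar.bz2" | awk '{ print $1 "  iRedAPD-x.y.z.tar.bz2" }' > "$d/MD5.misc"
    sha256sum "$d/iRedAPD-x.y.z.tar.bz2" | awk '{ print $1 "  iRedAPD-x.y.z.tar.bz2" }' > "$d/SHASUM.misc"
    mkdir "$d/tampered"
    printf 'iRedAPD sample payl0ad\n' > "$d/tampered/iRedAPD-x.y.z.tar.bz2"
    printf 'unrelated\n' > "$d/unlisted.tar.bz2"
    echo "$d"
}

# Run with "--demo" to see all three outcomes on the constructed data.
if [ "${1:-}" = "--demo" ]; then
    d=$(make_demo)
    verify_checksum "$d/iRedAPD-x.y.z.tar.bz2" "$d/MD5.misc"
    verify_checksum "$d/iRedAPD-x.y.z.tar.bz2" "$d/SHASUM.misc" sha256
    verify_checksum "$d/tampered/iRedAPD-x.y.z.tar.bz2" "$d/MD5.misc" || echo "exit status $?"
    verify_checksum "$d/unlisted.tar.bz2" "$d/MD5.misc" || echo "exit status $?"
    rm -rf "$d"
fi
```

In practice the second argument would be the pkgs/MD5.misc (or SHASUM.freebsd, with sha256) file from an iRedMail tarball that was itself fetched over https; the script deliberately takes the list as a local file rather than downloading it, so the question of where the digests came from stays visible to the person running it.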

14

Re: Must we download binaries via http to update iRedMail?

As mentioned in my previous reply, we will make it work under https only soon.

15 (edited by gaudec 2016-07-23 23:44:42)

Re: Must we download binaries via http to update iRedMail?

Until that happens, I realized that one way to download iredapd via https is this: https://bitbucket.org/zhb/iredapd/downl … -downloads
Unfortunately 1.9.1 is not tagged, but it seems to be this commit: https://bitbucket.org/zhb/iredapd/commi … at=default

16

Re: Must we download binaries via http to update iRedMail?

Hi! Is there any progress on switching to https?

I'm trying to download everything from BitBucket to avoid http, but iredadmin-ose is only tagged until 0.6.3. I tried to use the tip version, but then I got this:

$ bash upgrade_iredadmin.sh 

* Detected Linux/BSD distribution: UBUNTU
* HTTP server root: /usr/share/apache2
* Found iRedAdmin directory: /usr/share/apache2/iredadmin, symbol link of iRedAdmin-0.6.1
* Found iRedAdmin config file: /usr/share/apache2/iredadmin/settings.py
<<< ERROR >>> Cannot find new version of iRedAdmin in current directory. Exit

even if the ChangeLog file lists 0.8, 0.7 and 0.6.3, 0.6.2 and 0.6.1.

17

Re: Must we download binaries via http to update iRedMail?

For now, use the http:// please. Sorry.

18

Re: Must we download binaries via http to update iRedMail?

I found out my issue. I got iredadmin-ose 0.7.0 using mercurial from bitbucket, but I forgot to rename it to iRedAdmin-0.7.0. The update script checks the folder name to know which version it is. That's why I got the "Cannot find new version of iRedAdmin in current directory" error.

About the https issue, personally I would suggest moving to a mercurial based workflow. Instead of suggesting to download tar.gz files, then uploading them to the server, unpacking them, and running scripts, it would be much easier to do "hg clone" directly on our servers. When there's a new version, we could do "hg update versionX" on the server, and run the updated code. Maybe you would save time packaging files, and it might make updating a bit simpler and more secure.

Cheers

19

Re: Must we download binaries via http to update iRedMail?

gaudec wrote:

When there's a new version, we could do "hg update versionX" on the server, and run the updated code. Maybe you would save time packaging files, and it might make updating a bit simpler and more secure.

Not all users are familiar with hg/git, and for iRedMail and iRedAdmin (and -Pro) we have upgrade scripts to do some extra configuration, like updating the SQL structure; you should pay attention to this.