1

Topic: Security Issue with server having iRedMail

Hi team,

We have iRedMail 0.5 on CentOS 5.4 in a test environment (no other activity other than doing some tests of routing mails back and forth to test customers' scenarios). Somehow, 3-4 months back, our domain, which was used for the 'A record' for mail routing, got blocked by the domain registrar on account of the domain pointing to a phishing page for HSBC. Here is the message from the domain registrar:

XXX Domain Registrar Suspended on Sep 25, 2010 (Reason: Phishing attack on HSBC - http://subdomain1.domain.com/.hsbc/onli … /CAM10.php )

We realized this today as we were about to renew this domain (we never used this domain except for testing).

Sorry for asking such silly questions, as I have little knowledge of Linux (most of my tech experience is on the Windows platform): how do I identify and remove these PHP files, and further, how can we avoid such scenarios?


Regards,

PineMail11

2

Re: Security Issue with server having iRedMail

PineMail11 wrote:

We have iRedMail 0.5 on CentOS 5.4 in a test environment (no other activity other than doing some tests of routing mails back and forth to test customers' scenarios). Somehow, 3-4 months back, our domain, which was used for the 'A record' for mail routing, got blocked by the domain registrar on account of the domain pointing to a phishing page for HSBC. Here is the message from the domain registrar:

XXX Domain Registrar Suspended on Sep 25, 2010 (Reason: Phishing attack on HSBC - http://subdomain1.domain.com/.hsbc/onli … /CAM10.php )

Your fake link doesn't work, so we can't understand what exactly happened. It's better to show the details here (hide/replace sensitive information before posting).

Some common suggestions:

  • iRedMail-0.5.0 is too old; you should upgrade it as soon as possible when a new version is available for upgrading. Upgrade tutorials are available here: http://www.iredmail.org/doc.html

  • Roundcube webmail in earlier versions of iRedMail has a security issue. Reference.

  • Set a complex password for your mail accounts, so that they won't be easily cracked and your server won't be used to attack HSBC or whatever hosts. You can install Fail2ban manually to harden your iRedMail server: http://www.iredmail.org/wiki/index.php? … h.Fail2ban

  • Subscribe to the RSS feed of the forum "News and Announcements", so that you won't miss something important. Or maybe I should use a mailing list to let you know the latest news, announcements and bug/security fixes? Hmm, sounds like a good idea; let me know your thoughts.

PineMail11 wrote:

Sorry for asking such silly questions, as I have little knowledge of Linux (most of my tech experience is on the Windows platform): how do I identify and remove these PHP files, and further, how can we avoid such scenarios?

You can now check some items on iRedMail server:

- Check the Postfix queue with the command "postqueue -p". If you find many *strange* emails in the queue, your server might be cracked as an "open relay". It might be caused by a weak password, security holes in web applications, etc.

As I mentioned, we don't know the details about this attack, so I have no idea what we can do to avoid this issue. Sorry.
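The queue check suggested in this reply, together with the original question about locating the dropped PHP files, as an added example that is neither from the thread nor iRedMail's own tooling: a POSIX shell script that counts queued messages per sender from a "postqueue -p" listing and lists hidden directories and recently changed PHP files under a web root. The embedded queue listing, the addresses, the threshold and the web root are all constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from iRedMail itself: helpers for the two
# checks above (Postfix queue triage and hunting dropped PHP files). The queue
# listing below is constructed in the "postqueue -p" format; on a real server
# you would pipe the live output instead:  postqueue -p | flag_bulk_senders 20

# Constructed sample: queue id, size, arrival time, sender, then indented recipients.
SAMPLE_QUEUE='-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
A1B2C3D4E5     4321 Sat Sep 25 10:01:02  webmaster@example.test
                                         victim1@example.org
F6A7B8C9D0*    4400 Sat Sep 25 10:01:05  webmaster@example.test
                                         victim2@example.org
1122334455      900 Sat Sep 25 10:02:00  alice@example.test
(connect to mail.example.org[192.0.2.10]:25: Connection refused)
                                         bob@example.org

-- 9 Kbytes in 3 Requests.'

# Read a postqueue -p listing on stdin and print "<count> <sender>" per sender,
# busiest first. Only queue-id lines are used: they start with the id (optionally
# marked * for active or ! for held), then a size and a weekday; the sender is last.
queue_senders_from_stdin() {
  awk '/^[0-9A-Za-z]+[*!]? +[0-9]+ +[A-Z][a-z][a-z] / { print $NF }' \
    | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Print senders with more than THRESHOLD queued messages. One account spraying
# mail is the usual fingerprint of a cracked password or an open relay.
flag_bulk_senders() {   # usage: flag_bulk_senders THRESHOLD < listing
  queue_senders_from_stdin | awk -v t="$1" '$1 > t { print $2 }'
}

# List hidden directories (the registrar notice pointed at a ".hsbc" path) and
# PHP files modified within the last DAYS days under a web root. Review what you
# find before deleting it, and prefer restoring from a known-good backup.
find_suspicious_web_files() {   # usage: find_suspicious_web_files WEBROOT DAYS
  find "$1" -type d -name '.*' -print
  find "$1" -type f -name '*.php' -mtime "-$2" -print
}

# Stand-alone demonstration on the constructed sample (threshold 1).
printf '%s\n' "$SAMPLE_QUEUE" | flag_bulk_senders 1
```

On a mail-only box such as the one described in this thread, the web root to scan is whatever serves Roundcube (the page names it as the component with a known issue), so pass that directory as WEBROOT.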

3

Re: Security Issue with server having iRedMail

Thanks Zhang!

We will update our servers and come back if that helps. In the meantime, any other precautionary measures are welcome, especially since we are using the iRedMail server only for emails and not for hosting any web site.

Regards,

PineMail11

4

Re: Security Issue with server having iRedMail

PineMail11 wrote:

we are using the iRedMail server only for emails and not for hosting any web site.

It might be a good idea to disable or remove unnecessary mail accounts and set complex passwords for existing accounts.