1

Topic: Changing All Passwords and iRedmail Security

==== Required information ====
- iRedMail version: 0.8.3
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Linux/BSD distribution name and version: Ubuntu 12.04
- Related log if you're reporting an issue:
====

I have a few questions related to iRedmail security.

- Is it installed in the most optimized way in terms of security? If not, what more can be done to make it more secure?

- I am in the process of changing all passwords of my server. What passwords do I need to change if I change the MySQL root password? Following are the dbs created / associated with iredmail on a fresh ubuntu installation.

amavisd
cluebringer
information_schema
iredadmin
mysql
performance_schema
phpmyadmin
roundcubemail
vmail

Can you please point us to the files where details of the above are stored?

Will truly appreciate any help.


2

Re: Changing All Passwords and iRedmail Security

sami1255 wrote:

- Is it installed in the most optimized way in terms of security? If not, what more can be done to make it more secure?

Define "security" please.

sami1255 wrote:

- I am in the process of changing all passwords of my server. What passwords do I need to change if I change the MySQL root password? Following are the dbs created / associated with iredmail on a fresh ubuntu installation.
amavisd
cluebringer
information_schema
iredadmin
mysql
performance_schema
phpmyadmin
roundcubemail
vmail
Can you please point us to the files where details of the above are stored?

- Backup scripts under /var/vmail/backup/ use the MySQL root password.
- Passwords of the SQL users (vmail, vmailadmin, amavisd, roundcube, policyd, cluebringer) were generated randomly; no one knows them except yourself. It's not necessary to change them.

3

Re: Changing All Passwords and iRedmail Security

- By security I meant a basic secure setup, for example: directory listing in apache, disabling apache, php versions on error pages, etc.


- I want to change the default sql username "root" to something else. What else in iredmail is supposed to be changed?

- If my server is compromised for whatever reason, changing passwords of all these dbs and config files related to iredmail would be necessary, right? If yes, any guidance would be truly appreciated.

4

Re: Changing All Passwords and iRedmail Security

sami1255 wrote:

- By security I meant a basic secure setup, for example: directory listing in apache, disabling apache, php versions on error pages, etc.

All 3 you mentioned are done in iRedMail by default. Also, clients are forced to use IMAPS/POP3S (IMAP/POP3 over STARTTLS), and HTTPS for webmail.

sami1255 wrote:

- I want to change the default sql username "root" to something else. What else in iredmail is supposed to be changed?

Just /var/vmail/backup/*.sh.

sami1255 wrote:

- If my server is compromised for whatever reason, changing passwords of all these dbs and config files related to iredmail would be necessary, right? If yes, any guidance would be truly appreciated.

All config files are mentioned in the file "iRedMail.tips", which is generated during iRedMail installation, under the iRedMail directory, e.g. /root/iRedMail-0.8.3/iRedMail.tips.