Nextcloud integration revised

For a while now, we’ve been offering a Nextcloud integration app that lets you use Afterlogic WebMail as a solid part of your Nextcloud environment. You specify the WebMail installation URL, users supply their email/password in settings, and upon clicking the “Afterlogic” icon they’re automatically logged into WebMail.

This worked like a charm, but all of a sudden, with the Nextcloud update to v21.0.1, attempts to log into WebMail resulted in a rather scary “Internal Server Error”. We were honestly puzzled by this error, and as far as we could tell, it only occurred when trying to include the PHP API library of WebMail.

Upon researching this further, we decided that the best way to circumvent the problem is to get rid of the PHP API altogether and switch to the Web API instead – WebMail itself uses it internally for pretty much all requests.

We have just released v2.0.1 of Nextcloud connector. The bonus part is, those upgrading from previous versions will not have to reconfigure anything, it’ll work for them as expected – assuming they have Nextcloud and WebMail in the same domain. If you have them in different domains or even on different servers, POST authentication option is available for you.

The source code is available on GitHub, and we welcome your feedback there!

Office files viewer in Afterlogic WebMail and Aurora

To view files of office document formats such as .DOC or .XLSX, WebMail Pro and Aurora Corporate use an online viewer from Microsoft.

If you experience issues with viewing those files, you can try switching to a viewer from Google.

In data/settings/modules/OfficeDocumentViewer.config.json file, set ViewerUrl value as follows:

"ViewerUrl": [
    "https:\/\/docs.google.com\/gview?url=",
    "string"
]

Please note that in either case, your WebMail/Aurora installation needs to be accessible over the web, because the online viewer (Microsoft’s or Google’s servers, not the user’s browser) fetches the document from it.

We’re currently working on version 8.8 of WebMail Pro and Aurora Corporate. The new version will feature editing and viewing office documents with OnlyOffice Docs, so it will no longer be needed to rely on external document viewer. Stay tuned!

ClamAV antivirus update for v7 of MailSuite/Aurora

If you’re using version 7 of MailSuite Pro or Aurora (MTA package), you may run into an issue when updating ClamAV databases with the freshclam tool. In that case, ClamAV itself needs to be updated.

The process should take about 5 minutes. ClamAV needs to be stopped first (and while it’s stopped mails cannot be delivered):
/opt/afterlogic/etc/init.d/clamav.rc stop

Upgrading instructions are as follows:
cd /tmp
mkdir clamav-update && cd clamav-update
wget https://afterlogic.com/download/afterlogic-clamav-update.tar.bz2
wget https://afterlogic.com/download/afterlogic-clamav-backup.sh

chmod +x afterlogic-clamav-backup.sh
./afterlogic-clamav-backup.sh
tar jxvf afterlogic-clamav-update.tar.bz2 -C /opt/afterlogic/
/opt/afterlogic/bin/freshclam

If you’re getting the following error message:
/opt/afterlogic/bin/freshclam: error while loading shared libraries: libpcre2-8.so.0: cannot open shared object file: No such file or directory

run the following commands:
yum install pcre2 -y
/opt/afterlogic/bin/freshclam


Start ClamAV:
/opt/afterlogic/etc/init.d/clamav.rc start

If you run into any issues while performing the upgrade, feel free to request assistance at https://s.afterlogic.com/helpdesk/

Addressing DAV-related vulnerability in WebMail and Aurora

One of our valued customers reported a vulnerability in our products that potentially allows uploading and executing arbitrary files via the built-in DAV server used in WebMail Pro and Aurora Corporate. We’re now releasing updates for our products closing this vulnerability, and strongly recommend upgrading your installations to the latest version.

Below, you’ll find recommendations on how to address the issue on your existing installation of WebMail Pro or Aurora. Please note that while these changes were only tested with version 8.5.3, they should work for previous versions as well.

Before we proceed, we’d like to point out that disabling DAV access on the installation effectively closes the vulnerability, too. That’s done by setting Disabled to true in data/settings/modules/Dav.config.json file. Note that this will not affect the use of web interface or Aurora Mail / Aurora Files mobile apps as they work via API, not DAV. If you’d rather keep DAV enabled, please follow the below guidelines.

  1. In vendor/afterlogic/dav/lib/DAVServer.php file, locate function exec() and replace its code with:
public function exec()
{
    $sRequestUri = empty($_SERVER['REQUEST_URI']) ? '' : \trim($_SERVER['REQUEST_URI']);

    if ($this->isModuleEnabled('Dav') && !strpos(urldecode($sRequestUri), '../'))
    {
        parent::exec();
    }
    else
    {
        echo 'Access denied';
    }
}

2. In vendor/afterlogic/dav/lib/DAV/Auth/Backend/Basic.php file, locate validateUserPass function and replace the line:

if (class_exists('\\Aurora\\System\\Api') && \Aurora\System\Api::IsValid())
with:
if (class_exists('\\Aurora\\System\\Api') && \Aurora\System\Api::IsValid() && $sUserName !== \Afterlogic\DAV\Constants::DAV_PUBLIC_PRINCIPAL && $sUserName !== \Afterlogic\DAV\Constants::DAV_TENANT_PRINCIPAL)

3. Similarly, in vendor/afterlogic/dav/lib/DAV/Auth/Backend/Digest.php file, locate getDigestHash function and replace the line:

if (class_exists('\\Aurora\\System\\Api') && \Aurora\System\Api::IsValid())

with:

if (class_exists('\\Aurora\\System\\Api') && \Aurora\System\Api::IsValid() && $sUserName !== \Afterlogic\DAV\Constants::DAV_PUBLIC_PRINCIPAL && $sUserName !== \Afterlogic\DAV\Constants::DAV_TENANT_PRINCIPAL)

Since some of our clients still use previous v7 of WebMail and Aurora, we chose to issue a security update for those as well. Note that if you don’t use DAV, you can simply disable it by setting EnableMobileSync to Off in data/settings/settings.xml file.

  1. In libraries/afterlogic/DAV/Server.php file, before the closing “}” add the following function:
public function exec()
{
    $sRequestUri = empty($_SERVER['REQUEST_URI']) ? '' : \trim($_SERVER['REQUEST_URI']);
    if (!strpos(urldecode($sRequestUri), '../'))
    {
        parent::exec();
    }
    else
    {
        echo 'Access denied';
    }
}

2. In libraries/afterlogic/DAV/Auth/Backend/Basic.php file, locate validateUserPass function and replace the line:

if (class_exists('CApi') && \CApi::IsValid())

with:

if (class_exists('CApi') && \CApi::IsValid() && $sUserName !== \afterlogic\DAV\Constants::DAV_PUBLIC_PRINCIPAL && $sUserName !== \afterlogic\DAV\Constants::DAV_TENANT_PRINCIPAL)

3. Similarly, in libraries/afterlogic/DAV/Auth/Backend/Digest.php file, locate getDigestHash function and replace the line:

if (class_exists('CApi') && \CApi::IsValid())

with:

if (class_exists('CApi') && \CApi::IsValid() && $sUserName !== \afterlogic\DAV\Constants::DAV_PUBLIC_PRINCIPAL && $sUserName !== \afterlogic\DAV\Constants::DAV_TENANT_PRINCIPAL)
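
The two patches above share the same idea: refuse any request URI that still contains a traversal sequence after URL decoding, and refuse to authenticate anyone presenting the reserved public or tenant principal as a login name. The following is an added example, not Afterlogic’s patch code, that implements both checks in a stricter form and runs stand-alone from the command line. It decodes repeatedly so nested percent-encoding is peeled off, treats a backslash as a path separator, inspects path segments rather than searching for the substring “../”, and uses strict comparisons throughout (PHP’s strpos() returns 0 for a match at offset 0, which a bare `!strpos(...)` would read as “not found”; REQUEST_URI normally begins with “/”, so the vendor check is not affected, but `=== false` is the safer idiom). The principal names are placeholders: on a real install substitute the values of the Constants class the patches reference.

```php
<?php
// Added example, not Afterlogic's patch code. A stricter form of the two checks
// the fix above relies on: (1) no ".." path segment may survive URL decoding,
// and (2) the built-in public/tenant principals must never be accepted as a
// login name. The reserved names are passed in as an array because the real
// values live in \Afterlogic\DAV\Constants (or \afterlogic\DAV\Constants on v7).

/** True when the request URI contains no traversal segment after decoding. */
function dav_uri_is_clean(string $requestUri, int $maxDecodeRounds = 3): bool
{
    $uri = $requestUri;
    for ($round = 0; $round < $maxDecodeRounds; $round++) {
        $decoded = rawurldecode($uri);
        if ($decoded === $uri) {
            break;                         // nothing left to decode
        }
        $uri = $decoded;
    }
    if (rawurldecode($uri) !== $uri) {
        return false;                      // still encoded after the limit: refuse
    }
    if (strpos($uri, "\0") !== false) {    // strict !==: strpos() may return 0
        return false;                      // NUL truncates paths in C-backed calls
    }
    $normalized = str_replace('\\', '/', $uri);       // treat backslash as a separator
    foreach (explode('/', $normalized) as $segment) { // whole URI, query string included
        if ($segment === '..') {
            return false;
        }
    }
    return true;
}

/** True unless the login name is empty or one of the reserved DAV principals. */
function dav_login_allowed(string $userName, array $reservedPrincipals): bool
{
    return $userName !== '' && !in_array($userName, $reservedPrincipals, true);
}

function check(bool $ok, string $label): void
{
    if (!$ok) {
        throw new RuntimeException("check failed: $label");
    }
}

// Constructed test vectors: [request URI, expected verdict].
$uriCases = [
    ['/dav.php/files/user@domain.com/doc.txt',  true],
    ['/dav.php/files/../../../data/settings/x', false],
    ['/dav.php/files/%2e%2e/%2e%2e/x',          false],  // percent-encoded dots
    ['/dav.php/files/%252e%252e/%252e%252e/x',  false],  // encoded twice
    ['/dav.php/files/..%5c..%5cx',              false],  // encoded backslashes
    ['/dav.php/files/a..b/notes..txt',          true],   // ".." inside a name is fine
    ['/dav.php/files/x?name=../../y',           false],  // rejected in the query too
];
foreach ($uriCases as [$uri, $expected]) {
    check(dav_uri_is_clean($uri) === $expected, $uri);
}

// Placeholder principal names; substitute the Constants values on a real install.
$reserved = ['__public__', '__tenant__'];
check(dav_login_allowed('user@domain.com', $reserved) === true, 'ordinary user');
check(dav_login_allowed('__public__', $reserved) === false, 'public principal');
check(dav_login_allowed('', $reserved) === false, 'empty login');
echo "all checks passed\n";
```

Run it with `php dav-check.php` (file name chosen here). Rejecting double-encoded forms and backslashes costs nothing and removes any dependence on how many times the web server or the DAV library decodes the path; whether the installed stack would ever decode twice is beside the point once the request is refused up front.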

Should you require any assistance, please don’t hesitate to contact us.

Using DAV sync on cPanel

One of the most attractive features of Afterlogic WebMail Pro and Aurora Corporate is mobile sync: it lets you access your contacts and calendars using a variety of mobile and desktop applications. For instance, you can use emClient on Windows – and on iOS, DAV sync is supported natively.

To make DAV sync work, webserver reconfiguration may be needed. Note that for WebMail Pro, the product has to be installed from ZIP package – using cPanel installer won’t allow for using advanced features like DAV access.

It’s quite common for our webmail products to be installed on hosting servers powered by cPanel. Even though reconfiguring webserver directly isn’t exactly an option, it’s still possible to make use of DAV there. As a part of WebMail Pro and Aurora Corporate packages, .htaccess file is shipped, and the following section of that file should make it possible to use DAV access.

RewriteEngine on
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]

By default, DAV access is performed via a URL obtained by appending /dav.php/ to the product installation URL. For some DAV clients, however, that’s not going to work, including the CalDAV client on iOS devices – it needs a dedicated subdomain or port for DAV access.

Fortunately, it’s fairly easy to do that, even without being able to play with web server configuration files.

  1. Create dav directory in WebMail/Aurora installation root.
  2. Using cPanel web interface, create a subdomain pointing to dav/ directory of WebMail Pro, you can name it dav.yourdomain.com or something like that.
  3. Copy dav.php file into dav/ directory, rename it into index.php, and modify its include_once line as follows:

    include_once '../system/autoload.php';

  4. Copy .htaccess file from WebMail Pro root to dav/ directory.
  5. Specify new URL in Mobile Sync area of admin interface, or directly in data/settings/modules/Dav.config.json file, ExternalHostNameOfDAVServer parameter.
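
The .htaccess rewrite above exists because on cPanel (and most CGI/FastCGI setups) the Authorization header never reaches PHP on its own; the rule copies it into the HTTP_AUTHORIZATION server variable, so credentials arrive there (or in REDIRECT_HTTP_AUTHORIZATION after an internal redirect) rather than in PHP_AUTH_USER/PHP_AUTH_PW. The following added diagnostic, which is not part of the product, recovers Basic credentials from whichever of those slots is populated so you can confirm the rewrite is active on the new dav subdomain before pointing a CalDAV client at it. The file name dav/authcheck.php is chosen here; the sample server arrays are constructed.

```php
<?php
// Added diagnostic, not part of WebMail Pro or Aurora. Recovers Basic credentials
// from the server variables the cPanel .htaccess rewrite populates. Run from the
// CLI to exercise the parser with constructed input, or place it as
// dav/authcheck.php (name chosen here) and request it with a DAV client.

/** Returns [user, password] from a Basic Authorization header, or null if absent/invalid. */
function basic_credentials(array $server): ?array
{
    // Normal case when the web server hands credentials to PHP directly.
    if (isset($server['PHP_AUTH_USER'])) {
        return [$server['PHP_AUTH_USER'], $server['PHP_AUTH_PW'] ?? ''];
    }
    // Rewrite case: raw header stored by [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}].
    $header = $server['HTTP_AUTHORIZATION']
        ?? $server['REDIRECT_HTTP_AUTHORIZATION']
        ?? '';
    if (!preg_match('/^Basic\s+([A-Za-z0-9+\/=]+)$/i', trim($header), $m)) {
        return null;                                   // missing, or not Basic
    }
    $decoded = base64_decode($m[1], true);             // strict: reject junk
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }
    [$user, $pass] = explode(':', $decoded, 2);        // password may contain ':'
    return [$user, $pass];
}

if (PHP_SAPI === 'cli') {
    // Constructed inputs: what PHP sees with the rewrite, after a redirect, and without it.
    $cases = [
        'with rewrite'    => ['HTTP_AUTHORIZATION' => 'Basic ' . base64_encode('user@domain.com:s3cr:et')],
        'after redirect'  => ['REDIRECT_HTTP_AUTHORIZATION' => 'Basic ' . base64_encode('user@domain.com:pw')],
        'header stripped' => [],
    ];
    foreach ($cases as $label => $server) {
        $creds = basic_credentials($server);
        echo $label, ': ', $creds === null ? 'no credentials' : 'user ' . $creds[0], "\n";
    }
} else {
    // As a web diagnostic, report only whether credentials arrived; never echo them.
    header('Content-Type: text/plain');
    if (basic_credentials($_SERVER) === null) {
        header('WWW-Authenticate: Basic realm="dav-check"', true, 401);
        echo "No Basic credentials reached PHP; check the .htaccess rewrite.\n";
    } else {
        echo "Basic credentials reached PHP; the rewrite works.\n";
    }
}
```

Remove the diagnostic once the subdomain is confirmed working: it is an unauthenticated page that prompts for credentials, and there is no reason to leave it reachable.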

Sample app for Nextcloud

When working on the Nextcloud connector for Afterlogic WebMail to make it compatible with Nextcloud version 19, we considered a complete rewrite of the application. What we couldn’t find was a really basic “Hello world” kind of application we could start from. And to make things work, we had to create such an application ourselves.

Now that the application is released, we thought it may be worth sharing such a sample with the community, for those interested in making their apps for Nextcloud.

We’ve published a sample application on Github, and README.md file there provides the guidelines on the application structure, minimum requirements for an application, and tips on using IFrame integration approach.

Hope you find this sample useful for your needs. If you have any comments or suggestions, please feel free to post them at the issue tracker.

Vulnerability closed in WebMail and Aurora: Remote Stored XSS in attachment’s name

The primary reason for releasing version 8.3.14 recently was to provide a fix for an XSS vulnerability. Thank you, Mariusz Popławski (afine.pl team) for reporting the vulnerability.

We’ve had a CVE ID assigned for this vulnerability and expect the CVE database update shortly. If you’re running a previous version of WebMail Pro or Aurora, upgrading to the latest version is strongly advised.

WebMail Pro: upgrading instructions

Aurora Corporate: upgrading instructions

cPanel installer for Afterlogic WebMail updated

In the recent cPanel update, webmail integration was significantly rewritten, which caused some incompatibility with our WebMail, resulting in 404 errors. And since the cPanel top bar is no longer shown above the WebMail interface, users were unable to get back to the webmail interface selection.

We worked together with cPanel support on this, they were really helpful, and we’ve just updated the installer for WebMail. Be sure to delete the original installer you have, and download it per instructions for WebMail Lite and WebMail Pro respectively.

Users will notice a “WEBMAIL HOME” button displayed next to the “Settings” and “Logout” buttons. The same button is shown at the bottom of the WebMail login page, should the user log out of WebMail.

The installer was tested on previous and current versions of cPanel, with both fresh install and upgrade of an existing WebMail setup.

Please bear in mind that the cPanel installer offers a fully automated way to install the product on a cPanel server. However, this installation method doesn’t allow for using advanced features of the product, such as API calls, configuring the login page, etc. To be able to use the full set of WebMail Lite features, installing from the ZIP package is strongly recommended. Detailed instructions are available for WebMail Lite and WebMail Pro.


CVE-2019-16928 fix for MailSuite Pro and Aurora MTA edition

CVE-2019-16928 is a heap-based buffer overflow in string_vformat() affecting Exim 4.92 through 4.92.2, exploitable remotely via an overlong EHLO string; it is fixed in Exim 4.92.3, which is what the package below installs. The following steps should be taken to fix the vulnerability in the Exim SMTP mail server shipped with MailSuite Pro and Aurora MTA edition:

Stop the server and backup the original executables:

/opt/afterlogic/etc/init.d/exim.rc stop
mkdir /home/bk_exim
cp /opt/afterlogic/bin/exi* /home/bk_exim

Download the fix:

wget https://afterlogic.com/download/exim4923.tar.bz2

Unpack it and restart the server:

tar jxvf exim4923.tar.bz2 -C /opt/afterlogic/
chown afterlogic:afterlogic /opt/afterlogic/bin/exi*
/opt/afterlogic/etc/init.d/exim.rc start

It’s recommended to recheck that /etc/ld.so.conf file contains the following path:

/opt/afterlogic/lib

If it’s not there, add the line and run ldconfig command.

Using Web API of Afterlogic WebMail and Aurora

Both WebMail Pro and Aurora Corporate offer a powerful Web API which allows external applications to communicate with the product backend and perform various tasks. In essence, it can be used to replace our frontend with your own, or just to access a user’s account from another application.

The Web API introduction offers samples in C# and JavaScript, but this time we’re going to demonstrate a sample PHP application which logs into a user account. The starting point of any interaction with a user’s account is getting an authentication token, and that’s what we’ll do.

First, let’s write a function which will be used to send web requests to the WebMail installation. Unlike the PHP API, this works against a remote server just fine.

function get_data($url, $vars)
{
    $ch = curl_init();
    $timeout = 20;
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
    curl_setopt($ch, CURLOPT_TIMEOUT, $timeout);        // bound the whole transfer, not just the connect
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);     // keep certificate checks on for https URLs
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $vars);        // array => multipart/form-data body
    $data = curl_exec($ch);
    if ($data === false) {
        // transport-level failure: log the reason, never the request body (it holds the password)
        error_log('Web API request failed: ' . curl_error($ch));
    }
    curl_close($ch);
    return $data;    // raw JSON string, or false on failure
}

Sending the request looks like this:

$url = "http://webmail.domain.com/?/Api/";
$acct = array ("Login"=>"user@domain.com", "Password"=>"UserPassWord");
$vars = array("Module" => "Core", "Method" => "Login", "Parameters" => json_encode($acct));
$data = json_decode(get_data($url, $vars), TRUE);

And depending on the response, we either get a token or report an error:

if ($data!==NULL) {
    if (isset($data["Result"]["AuthToken"])) {
       echo "Authenticated. Token: ".$data["Result"]["AuthToken"];
    } else {
       echo "Authentication failure. ";
       if (isset($data["ErrorCode"])) echo "Error code: ".$data["ErrorCode"];
    }
} else {
    echo "Invalid response format";
}
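
Once you have the token, every further request must carry it. As an added example, not code from the page or from Afterlogic, here is a small client that keeps the Module/Method/Parameters request shape shown above, refuses plain http (the password and the token would otherwise cross the network in clear), keeps TLS verification on, surfaces transport and JSON errors as exceptions, and attaches the token to later calls as an `Authorization: Bearer` header. That header form, and the Core/Logout method used in the usage comment, are assumptions to confirm against the Web API reference for your version; the https://webmail.domain.com base URL is a placeholder.

```php
<?php
// Added example, not Afterlogic's code. Minimal authenticated Web API client.
// Assumptions: later calls authenticate with "Authorization: Bearer <AuthToken>",
// and Core/Logout exists; verify both in the Web API reference.

final class WebApiClient
{
    private string $endpoint;
    private ?string $authToken = null;

    public function __construct(string $baseUrl)
    {
        // Credentials and tokens travel in the body/headers: insist on TLS.
        if (parse_url($baseUrl, PHP_URL_SCHEME) !== 'https') {
            throw new InvalidArgumentException('Web API base URL must use https');
        }
        $this->endpoint = rtrim($baseUrl, '/') . '/?/Api/';
    }

    /** Send one request; returns the decoded JSON envelope or throws. */
    public function call(string $module, string $method, array $parameters = []): array
    {
        $headers = ['Accept: application/json'];
        if ($this->authToken !== null) {
            $headers[] = 'Authorization: Bearer ' . $this->authToken;   // assumed header form
        }
        $ch = curl_init($this->endpoint);
        curl_setopt_array($ch, [
            CURLOPT_POST           => true,
            CURLOPT_POSTFIELDS     => [
                'Module'     => $module,
                'Method'     => $method,
                'Parameters' => json_encode($parameters),
            ],
            CURLOPT_HTTPHEADER     => $headers,
            CURLOPT_RETURNTRANSFER => true,
            CURLOPT_CONNECTTIMEOUT => 10,
            CURLOPT_TIMEOUT        => 20,
            CURLOPT_SSL_VERIFYPEER => true,
            CURLOPT_SSL_VERIFYHOST => 2,
        ]);
        $raw    = curl_exec($ch);
        $err    = curl_error($ch);
        $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
        curl_close($ch);

        if ($raw === false) {
            throw new RuntimeException("transport error: $err");     // no request body in the message
        }
        $data = json_decode($raw, true);
        if (!is_array($data)) {
            throw new RuntimeException("non-JSON response (HTTP $status)");
        }
        return $data;
    }

    /** Core/Login as shown above; stores the token for subsequent calls. */
    public function login(string $login, string $password): void
    {
        $data = $this->call('Core', 'Login', ['Login' => $login, 'Password' => $password]);
        if (!isset($data['Result']['AuthToken'])) {
            $code = $data['ErrorCode'] ?? 'unknown';
            throw new RuntimeException("authentication failed (error code $code)");
        }
        $this->authToken = $data['Result']['AuthToken'];
    }

    public function hasToken(): bool
    {
        return $this->authToken !== null;
    }
}

// Usage: credentials come from the environment, never from source or logs.
// $api = new WebApiClient('https://webmail.domain.com');       // placeholder host
// $api->login(getenv('WM_LOGIN'), getenv('WM_PASSWORD'));
// $api->call('Core', 'Logout');                                 // assumed method name
```

Treat the AuthToken like a password: it is a bearer credential, so store it only as long as the session needs it, never write it to logs or echo it to a page, and end the session on the server rather than just discarding the token locally.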

You can find complete Web API reference here.