April 27, 2007

 Upgrading from @Mail 5.X to 5.02

This is the second patch in the 5.X series of @Mail in PHP; it includes only code enhancements and workarounds relative to the previous 5.01 release. The upgrade procedure of @Mail has changed: you can upgrade to the 5.02 release from any previous PHP 5.X version, so there is no need to apply each version's upgrade patch in order. The upgrade script will detect which version is installed and upgrade the system accordingly.

(more...)


Filed under: Installation, PHP version — info @ 3:10 pm

 

April 18, 2007

 Installing @Mail 5.01 Patch

This is the first patch in the 5.X series of @Mail in PHP, incorporating nearly 2 months of end-user feedback and customer suggestions. For a complete changelog of the new version see: http://support.atmail.com/changelog.html

(more...)


Filed under: Installation, PHP version — info @ 5:48 pm

 

April 11, 2007

 ClamD startup errors

After restarting @Mail via the SysV init script (init.d), you may see errors about clamd being unable to connect to its socket. They look like this:

malware acl condition: clamd: unable to connect to UNIX socket /usr/local/atmail/av/clamdsocket (Connection refused)

This may be caused by a stale clamd socket file that was not deleted. To fix it, go through the following steps:

(more...)


Filed under: Anti-Virus, Linux version — info @ 11:44 pm

 

April 8, 2007

 Cross Site Scripting Issue in @Mail 5.0

Dear @Mail-Team, I found a security hole in your web application "@Mail" version 5.0.
I will try to disclose more details to you.
The severity is moderate but should be fixed as soon as possible.

More Details
============
Cross Site Scripting:
Input passed directly to the "username" parameter in "atmail.php" is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

Workaround
=============
Edit the source code to ensure that input is properly sanitised.
You should work with the "htmlspecialchars()" or "htmlentities()" PHP function to ensure that HTML tags
are not going to be executed.

Example:
<?php
$username = htmlentities($_POST['username']);
$test = htmlspecialchars($_GET['test']);
?>

Sincerely,

David Vieira-Kurz
(Security Researcher, majorsecurity.de)


Filed under: Interface — info @ 9:40 am

 

April 4, 2007

 High-traffic @Mail SMTP Setup

For high-traffic installations of @Mail (installations that receive more than 5 messages a second, i.e. 300 a minute), the SMTP processes can be slow. You may decide to use an external spam-filtering/antivirus machine; if so, we recommend that you configure Exim via the following steps.

Streamline Exim:

- open up your /usr/local/atmail/mailserver/configure file;

- add the following line at the top:

queue_only

- save changes, then find the following line:

timeout_frozen_after = 7d

- change this to:

timeout_frozen_after = 2d

- save changes, then go to the WebAdmin.

- in WebAdmin > Services > SMTP Settings, set "Max Queue Processes" to "1"

- afterwards, set "Remote Parallel Processes" to "1"

- turn off AV in Filters > Antivirus Settings

- turn off SpamAssassin in Filters > Anti-Spam Settings

- kill all Exim processes, and start it via the following command:

% killall -9 exim
% /usr/local/atmail/mailserver/bin/exim -bd -q15m

Put the Exim db directory in a Ramdisk:

- execute the following in the terminal:

% mount -t tmpfs /dev/shm /usr/local/atmail/mailserver/spool/db/

- verify the permissions:

% chown -R atmail /usr/local/atmail/mailserver/spool/db

This mounts a tmpfs (memory-backed) filesystem on Exim's db directory, which holds its hints databases, making access times faster. Because tmpfs contents do not survive a reboot, the mount and the ownership fix must be repeated at every boot.

Miscellany:

- it is generally best to have Exim and MySQL reside on the same server;

- you can further improve performance by running exim -q from a cron job, for example with the following script:

--snip--

#!/usr/bin/perl
use strict;
use warnings;

# Look for a running queue runner. The "[e]xim" pattern stops grep from
# matching its own command line; with a plain "exim -q" pattern $smtp would
# always be non-empty and the queue run would never start.
my $smtp = `ps auxww | grep "[e]xim -q"`;

if (!$smtp) {
    print "SMTP queue running...\n";
    system("/usr/local/atmail/mailserver/bin/exim -q");
}

--snip--

- benchmarks have been run for this setup on a 64-bit 1.8 GHz Core 2 machine with 2 GB of RAM and a 7200 RPM IDE hard disk. Peaks have reached 4,000 messages and 20,000 connections a minute; performance averaged 50 messages a second.
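
As an added example (not atmail's own tooling), the following POSIX shell script ties the steps above together: it verifies that the queue_only and timeout_frozen_after = 2d settings are actually active in the configure file, and then performs one queue run unless a runner is already active, using pgrep so the check cannot match itself. The file paths are the ones used in this post; the lock-free design assumes cron does not fire more often than a queue run takes.

```shell
#!/bin/sh
# Cron-driven queue runner for an @Mail/Exim "queue_only" setup.
# Usage (e.g. every 5 minutes from cron):
#   atmail-queue.sh /usr/local/atmail/mailserver/configure /usr/local/atmail/mailserver/bin/exim

# check_tuning FILE: print one line per missing or wrong setting.
# Returns 0 when both recommended settings are present, 1 otherwise.
check_tuning() {
    conf="$1"
    rc=0
    # queue_only must be an active (uncommented) line at the top of the file.
    if ! grep -Eq '^[[:space:]]*queue_only([[:space:]]|$)' "$conf"; then
        echo "missing: queue_only"
        rc=1
    fi
    # timeout_frozen_after should be 2d; the value shipped with @Mail is 7d.
    frozen=$(sed -n 's/^[[:space:]]*timeout_frozen_after[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$conf" | tail -n 1)
    if [ "$frozen" != "2d" ]; then
        echo "timeout_frozen_after is '${frozen:-unset}', expected 2d"
        rc=1
    fi
    return $rc
}

# run_queue_once EXIM_BIN: start a single queue run unless one is active.
# "pgrep -f" matches full command lines and, unlike "ps | grep", never
# matches its own process, so a stale "always running" result cannot occur.
run_queue_once() {
    exim_bin="$1"
    if pgrep -f "$exim_bin -q" >/dev/null 2>&1; then
        echo "queue runner already active, skipping"
        return 0
    fi
    "$exim_bin" -q
}

main() {
    conf="${1:-/usr/local/atmail/mailserver/configure}"
    exim_bin="${2:-/usr/local/atmail/mailserver/bin/exim}"
    check_tuning "$conf" || exit 1
    run_queue_once "$exim_bin"
}

# Only act when invoked with arguments, so the functions can also be sourced.
if [ $# -gt 0 ]; then
    main "$@"
fi
```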


Filed under: Multiserver, Linux version — info @ 7:10 am