Recent Posts

71

Koozali SME Server 10.x / Re: IMAP pam Authentication error after unexpected server restart

« Last post by Jean-Philippe Pialasse on July 05, 2025, 02:35:59 PM »

check audit log for error issued by pam.

is it for all users or only one?

72

General Discussion / Re: rewrite issue

« Last post by mmccarn on July 05, 2025, 01:05:24 PM »

If you suspect your htaccess file you could try this online htaccess tester: https://htaccess.madewithlove.com/

I found the tester above in this stackoverflow question:

Tips for debugging .htaccess rewrite rules
Asked 13 years, 5 months ago
Modified 6 months ago
Viewed 147k times

73

Koozali SME Server 10.x / IMAP pam Authentication error after unexpected server restart

« Last post by ldkeen on July 05, 2025, 08:14:16 AM »

Hi,
I'm running Smeserver 10.1 fully up to date. We had a power outage a few days ago and lost Internet connection so someone decided to restart the server. After we appeared to be up and going we started getting reports that all users were unable to login to their (IMAP) email.  I checked via webmail and received the following message:

Login failed because your username or password was entered incorrectly.

I then checked the logfiles and heaps of the following errors:

auth-worker(7702): pam(user,127.0.0.1,<Vwbd2yc5UKJ/AAAB>): pam_authenticate() failed: Authentication failure (password mismatch?)


After many hours of googling and checking files against working installs I found a post detailing how to change authentication from "pam" to "shadow". I modified /etc/dovecot/dovecot.conf and changed the following line:

Code: [Select]

passdb {
  driver = pamto use shadow as such:

Code: [Select]

passdb {
  driver = shadow
followed by:

Code: [Select]

systemctl stop dovecot.service
systemctl start dovecot.service
And now it's working:

imap-login: Login: user=<user>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=9883, secured, session=<ogCHJyg5xqZ/AAAB>

I've tried to reinstall dovecot and smeserver-dovecot but still cant get pam authentication to work. Does anyone have any ideas what might have happened or any other options to try. It's working at the moment but I'd like to put it back to the default pam authentication. I'm worried about the security implications of using "shadow" to authenticate?

Regards, Lloyd

74

Français / Re: possible exploit

« Last post by Jean-Philippe Pialasse on July 05, 2025, 01:04:17 AM »

wp plugin vulnerability and so on
https://vulners.com/nuclei/NUCLEI:CVE-2024-12209
https://vulners.com/nuclei/NUCLEI:CVE-2025-2294

75

Français / Re: possible exploit

« Last post by Jean-Philippe Pialasse on July 04, 2025, 10:54:29 PM »

trouve la ligne en question dans tes logs.
tente de les reproduire. et le résultat 404 vs 200
verifie si l'ibay en question a un phpbasedit activé et son contenu.

dur a dire rien qu'avec un rapport de ce type

76

General Discussion / Re: rewrite issue

« Last post by Jean-Philippe Pialasse on July 04, 2025, 10:47:09 PM »

looking at your htaccess ?

77

Français / possible exploit

« Last post by gieres on July 03, 2025, 10:16:32 PM »

Bonjour,
Je m'inquiète de ce rapport journalier :

Code: [Select]

A total of 5 possible successful probes were detected (the following URLs
 contain strings that match one or more of a listing of strings that
 indicate a possible exploit):
 
    /?umbrella-restore=1&filename=../../../../../../etc/passwd HTTP Response 200
    /?InternalDir=%5C..%5C..%5C..%5C..%5Cetc&InternalFile=passwd HTTP Response 200
    /?__kubio-site-edit-iframe-preview=1&__kubio-site-edit-iframe-classic-template=../../../../../../../../etc/passwd HTTP Response 200
    /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP Response 200
    /?UrkCEO/edit&theme=margot&squelette=../../../../../../etc/passwd&style=margot.css HTTP Response 200
Ai-je tort ?
D'avance merci.

78

General Discussion / rewrite issue

« Last post by jameswilson on July 03, 2025, 06:25:03 PM »

Not a SME Issue but ive noticed a significat drop in traffic
Anyhow ive found out some pages are causing errors this is one of them
https://www.securitywarehouse.co.uk/catalog/intruder-alarm-equipment-c-36/movement-detectors-c-36_116/all-c-36_116_37/bosch-blue-line-gen2-pet-friendly-passiveinfrared-detector-p-2292.html

and the error shown is www.securitywarehouse.co.uk redirected you too many times.

im assuming i have a setting error in htaccess but i have no clue where to start
Any pointers please

Ta
James

79

Koozali SME Server 10.x / Re: Bulk mail delete ?

« Last post by ReetP on July 03, 2025, 06:01:37 PM »

If you don't delete the old data in the EU you can be required to produce it in litigation -- or simply by a disgruntled customer asking your country's data authority to demand it of you.
 (Storage may be cheap, but GDPR penalties or lawsuits probably aren't...)

Yup, but regrettably we often have to refer back to stuff more than 6 years. (it's a bit obscure as to why, but it happens - and frequently users don't write things down.... paperless offices and all that jazz)

Yes, we may have to produce it for GDPR - we're UK/EU, but I have no qualms about anything we hold and the penalties are really for when you can't, don't, or won't supply it, rather than when you can.

So holding it isn't really an issue for us.

From that I've created this quick command to move emails older than a specified date  for each user into a new "Archived" folder, so you could see what gets moved.

That really will be handy as I move stuff to archived folders by year split with Sent and Received - mainly to keep the folder sizes down for Thunderbird.

Be nice to script that!

80

Koozali SME Server 10.x / Re: Bulk mail delete ?

« Last post by mmccarn on July 03, 2025, 04:26:30 PM »

I don't delete anything. Storage is cheap.....

If you don't delete the old data in the EU you can be required to produce it in litigation -- or simply by a disgruntled customer asking your country's data authority to demand it of you.
 (Storage may be cheap, but GDPR penalties or lawsuits probably aren't...)

* imapsync
My most recent (albeit still at least 7 years old) notes on installing imapsync onto a SME server

Code: [Select]

  #IMAPSYNC v1.5.x
  cd /var/git/imapsync & git pull
  # https://github.com/imapsync/imapsync
  # GIT REPO https://github.com/imapsync/imapsync.git(presumably I had done mkdir -p /var/git; cd /var/git; git pull https://github.com/imapsync/imapsync.git

* fancy bash script
I created a script many years ago to move suspicious emails within each user's Maildir: rbl-recheck.sh

From that I've created this quick command to move emails older than a specified date  for each user into a new "Archived" folder, so you could see what gets moved.

* ARCHIVETO must start with "." and should not have spaces
* ARCHIVEDATE can be any valid argument to "date -d" -- for example "5 years ago"
* Change "DEBUG=echo" to "DEBUG=" to actually run the commands instead of listing them

It should be reasonably simple to modify this to move the archived emails to a totally different mailbox, if that's what you wanted to do...

Code: [Select]

ARCHIVETO=".Archived"; \
ARCHIVEDATE="1/1/2023"; \
DEBUG=echo; \
find /home/e-smith/files/users \
-type f \
-not -path $ARCHIVETO \
-daystart \
\( -path */cur/* -or -path */new/* -or -path */tmp/* \) \
-not -newermt $(date +%Y-%m-%d -d "$ARCHIVEDATE") \
-print0 |\
while read -d $'\0' MAILFILE; do \
if [[ $MAILFILE == */Maildir/cur/* ]]; then \
  if [ ! -d "${MAILFILE/Maildir?cur*/Maildir/$ARCHIVETO/cur}" ]; then  \
    $DEBUG mkdir -p "${MAILFILE/Maildir?cur*/Maildir/$ARCHIVETO/{cur,new,tmp}}" ; \
    $DEBUG chown -R $(stat -c \"%U:%G\" $MAILFILE) "${MAILFILE/Maildir?cur*/Maildir/$ARCHIVETO}" ;\
  fi ; \
  $DEBUG mv "$MAILFILE" "${MAILFILE/Maildir?cur/Maildir/$ARCHIVETO/cur}"; \
fi ; \
done
* Notes & Vague Memories
- Email folder names must start with a dot to be recognized - eg ".Archived"
- Email folders must contain all three of /cur/, /new/, and /tmp/ to be recognized
- All of the folders must be "owned" by the user accessing the mailbox

I had another script on a Kerio Connect server that scanned the email folders and output email stats - date, from, to, subject, etc -- if that sounds useful let me know.