suitable webmail


suitable webmail

kbh
hi all
of course this is a non postfix topic; but i'd like to know from the experienced which webmail is best for a postfix pop server
i'd also have it configured for user soft quota
guidance appreciated

thanks


Re: suitable webmail

Carlwill
On Mon, Feb 1, 2010 at 10:52 AM, K bharathan <[hidden email]> wrote:
> hi all
> of course this is a non postfix topic; but i'd like to know from the
> experienced which webmail is best for a postfix pop server
> i'd also have it configured for user soft quota
> guidance appreciated

Postfix is not the POP/IMAP server. Postfix is the MTA generally for
SMTP. IMAP and POP are handled by popular daemons such as Dovecot and
Courier.

95% of the responses will be Squirrelmail.

http://squirrelmail.org/

I recommend and prefer Roundcube.

http://roundcube.net/

Both have great Postfix / Dovecot integration.

Re: suitable webmail

Luis Daniel Lucio Quiroz-2
On Monday 1 February 2010 10:04:20, Carlos Williams wrote:

> On Mon, Feb 1, 2010 at 10:52 AM, K bharathan <[hidden email]> wrote:
> > hi all
> > of course this is a non postfix topic; but i'd like to know from the
> > experienced which webmail is best for a postfix pop server
> > i'd also have it configured for user soft quota
> > guidance appreciated
>
> Postfix is not the POP/IMAP server. Postfix is the MTA generally for
> SMTP. IMAP and POP are handled by popular daemons such as Dovecot and
> Courier.
>
> 95% of the responses will be Squirrelmail.
>
> http://squirrelmail.org/
>
> I recommend and prefer Roundcube.
>
> http://roundcube.net/
>
> Both have great Postfix / Dovecot integration.
roundcube if you want a fancy eye candy webmail

Re: suitable webmail

Rene Bakkum
Luis Daniel Lucio Quiroz wrote:

> On Monday 1 February 2010 10:04:20, Carlos Williams wrote:
>  
>> On Mon, Feb 1, 2010 at 10:52 AM, K bharathan <[hidden email]> wrote:
>>    
>>> hi all
>>> of course this is a non postfix topic; but i'd like to know from the
>>> experienced which webmail is best for a postfix pop server
>>> i'd also have it configured for user soft quota
>>> guidance appreciated
>>>      
>> Postfix is not the POP/IMAP server. Postfix is the MTA generally for
>> SMTP. IMAP and POP are handled by popular daemons such as Dovecot and
>> Courier.
>>
>> 95% of the responses will be Squirrelmail.
>>
>> http://squirrelmail.org/
>>
>> I recommend and prefer Roundcube.
>>
>> http://roundcube.net/
>>
>> Both have great Postfix / Dovecot integration.
>>    
> roundcube if you want a fancy eye candy webmail
>  
I think the OP asked about a solution with a pop server and not with imap.
I don't know for sure if squirrelmail uses imap only, but I know
roundcube does...
I am personally a roundcube guy, but the only freeware pop webmail I
know is Openwebmail.
http://openwebmail.org/



Re: suitable webmail

j debert
In reply to this post by kbh
it seems that roundcube is popular.

It seems to be most popular among bots as well, according to what my
apache logs say. I don't have roundcube but there are frequent
attempts to get to php scripts down in the roundcube directories. I'd
probably see orders of magnitude more if it weren't for fail2ban. I
wonder what it is that makes it so popular?

--
jd
==


Re: suitable webmail

Lister
On 01/02/10 17:09, j debert wrote:
> it seems that roundcube is popular.
>
> It seems to be most popular among bots as well, according to what my
> apache logs say. I don't have roundcube but there are frequent
> attempts to get to php scripts down in the roundcube directories. I'd
> probably see orders of magnitude more if it weren't for fail2ban. I
> wonder what it is that makes it so popular?

In my job (hosting company) I see boxes exploited via roundcube all the
time.  Squirrelmail? Not one so far.  Part of the reason is that
squirrelmail comes with RHEL, so it's kept up to date automatically,
while customers install their own roundcube and then don't maintain it.
  That said, it's not the only webmail client (or any other web app)
that gets the install&neglect treatment, it's just the one most
frequently exploited.

So if you want to run it, be diligent about keeping it up to date, and
use something like fail2ban.

K

[OT] Re: suitable webmail

Terry Carmen
Quoting Kay <[hidden email]>:

> On 01/02/10 17:09, j debert wrote:
>> it seems that roundcube is popular.
>>
>> It seems to be most popular among bots as well, according to what my
>> apache logs say. I don't have roundcube but there are frequent
>> attempts to get to php scripts down in the roundcube directories. I'd
>> probably see orders of magnitude more if it weren't for fail2ban. I
>> wonder what it is that makes it so popular?
>
> In my job (hosting company) I see boxes exploited via roundcube all  
> the time.  Squirrelmail? Not one so far.  Part of the reason is that  
> squirrelmail comes with RHEL, so it's kept up to date automatically,  
> while customers install their own roundcube and then don't maintain  
> it.  That said, it's not the only webmail client (or any other web  
> app) that gets the install&neglect treatment, it's just the one most  
> frequently exploited.

Squirrelmail works nicely, as does Horde, which seems to be quite a
bit more complete (integrated calendar, sharing, etc.), however I
wouldn't put any web app out on the net without using SSL, HTTP Auth
and fail2ban in front of it. Hacks are much more difficult if the
attacker can't get to the application directory without a valid login.

The http auth box is ugly and somewhat annoying, however there's a lot
to be said for a very stable, low-level, simple authentication mechanism.

Terry


Re: suitable webmail

mouss-4
In reply to this post by j debert
j debert wrote:
> it seems that roundcube is popular.
>
> It seems to be most popular among bots as well, according to what my
> apache logs say. I don't have roundcube but there are frequent
> attempts to get to php scripts down in the roundcube directories. I'd
> probably see orders of magnitude more if it weren't for fail2ban. I
> wonder what it is that makes it so popular?
>

you mean things like
        GET /roundcube-0.2//bin/msgimport
        GET /round//bin/msgimport
        ..

they're looking for old versions.. See
http://asert.arbornetworks.com/2009/01/roundcube-webmail-scanning/
http://stateofsecurity.com/?p=550


Funnily enough, they don't try SSL.  (note that enforcing SSL for any
web mail application is a good practice)

Re: suitable webmail

fakessh @
On Mon, 01 Feb 2010 20:39:49 +0100, mouss <[hidden email]> wrote:

> j debert wrote:
>> it seems that roundcube is popular.
>>
>> It seems to be most popular among bots as well, according to what my
>> apache logs say. I don't have roundcube but there are frequent
>> attempts to get to php scripts down in the roundcube directories. I'd
>> probably see orders of magnitude more if it weren't for fail2ban. I
>> wonder what it is that makes it so popular?
>>
>
> you mean things like
> GET /roundcube-0.2//bin/msgimport
> GET /round//bin/msgimport
> ..
>
> they're looking for old versions.. See
> http://asert.arbornetworks.com/2009/01/roundcube-webmail-scanning/
> http://stateofsecurity.com/?p=550
>
>
> Funnily enough, they don't try SSL.  (note that enforcing SSL for any
> web mail application is a good practice)


the current version of roundcube (0.3.1) does not work with the current
mod_security

I failed to get along with the rules of mod_security.
I simply removed.
I just read the security alert and I just delete msgimport.sh

Re: [OT] suitable webmail

Giuseppe De Nicolo'
In reply to this post by Lister
On 02/01/2010 06:49 PM, Kay wrote:
> On 01/02/10 17:09, j debert wrote:
>> it seems that roundcube is popular.
>>
>> It seems to be most popular among bots as well, according to what my
>> apache logs say. I don't have roundcube but there are frequent
>> attempts to get to php scripts down in the roundcube directories. I'd
>> probably see orders of magnitude more if it weren't for fail2ban. I
>> wonder what it is that makes it so popular?
Well, I admit I'm one of those guys using it (of course I'm not a
hosting company), though the reason I use it is that it
has decent features (well, for a webmail app; it's not an organizer, that's
for sure) and a very pleasant interface. I used squirrelmail before it;
it worked very well, though my user did complain about its ugly
interface. I also considered Horde, but to be honest it seems to me
overkill as a webmail client, while roundcube is an easy and fast setup
(even to maintain). So I guess those 2 points make it popular, although I see
your point.

>
> In my job (hosting company) I see boxes exploited via roundcube all
> the time.  Squirrelmail? Not one so far.  Part of the reason is that
> squirrelmail comes with RHEL, so it's kept up to date automatically,
> while customers install their own roundcube and then don't maintain
> it.  That said, it's not the only webmail client (or any other web
> app) that gets the install&neglect treatment, it's just the one most
> frequently exploited.
>
> So if you want to run it, be diligent about keeping it up to date, and
> use something like fail2ban.
>
> K
>
Well, I agree with you there; I was a bit worried about its security. I
also have to admit I have had 0.3.0 stable for almost 6 months, and just
recently I have seen the 0.3.1 release come up (which I happen to have
updated to recently), while I'm seeing a lot of security alerts about it.

So the point is I would love to keep using squirrelmail but it really
looks old (don't shoot me, I like it) to my users.

Re: suitable webmail

Stan Hoeppner
In reply to this post by Carlwill
Carlos Williams put forth on 2/1/2010 10:04 AM:

> I recommend and prefer Roundcube.
>
> http://roundcube.net/

+1

If you're going to offer webmail, you may as well offer IMAP folders instead of
POP.  JMHO.

I'm an ex Squirrelmail user and switched to Roundcube, mainly for the nicer user
interface.  My Roundcube connects to Dovecot IMAP on the local machine.  IIRC,
when I logged in the first time it grabbed all the IMAP folders automatically.
Back when I originally setup Squirrelmail years ago, I had to subscribe all the
folders manually.  I'm not sure if this is true of the most recent Squirrelmail
though.

Other than Roundcube, for a really nice modern AJAX interface, take a look at
SOGo.  The thing that really impresses me is the right click context menus like
those available in Thunderbird or other GUI mail clients.

I ended up going with Roundcube as I thought SOGo was a bit "heavy" for my
needs.  Give the demo a go and see what you think:

http://www.scalableogo.org/english/tour/online_demo.html

--
Stan

[OT] suitable webmail

Stan Hoeppner
In reply to this post by Lister
Kay put forth on 2/1/2010 11:49 AM:

> In my job (hosting company) I see boxes exploited via roundcube all the
> time.  Squirrelmail? Not one so far.  Part of the reason is that
> squirrelmail comes with RHEL, so it's kept up to date automatically,
> while customers install their own roundcube and then don't maintain it.

I think you're making some incorrect assumptions.  Squirrelmail has had a pretty
abysmal security track record of its own over the years.  One reason for that is
probably exactly what you're calling out Roundcube for here, which has nothing
to do with the software, but the administration of the system.  That said, you
appear to think the world runs on Red Hat, and if Red Hat doesn't have a
Roundcube package, admins will install from source or an external RPM that
doesn't get updated by Red Hat's uptodate or whatever it's called.  The world
doesn't run on Red Hat, and many admins _do_ keep their Roundcube (and other)
packages up to date.  For instance, I do security updates on my Debian servers
once a week.  My Roundcube package is currently up to date, and it is a standard
Debian package:

[02:21:52][root@greer]/$ aptitude show roundcube
Package: roundcube
New: yes
State: installed
Automatically installed: no
Version: 0.2.2-1~bpo50+1
Priority: extra
Section: web
Maintainer: Debian Roundcube Maintainers
<[hidden email]>
Uncompressed Size: 94.2k
Depends: roundcube-core (= 0.2.2-1~bpo50+1)
Description: skinnable AJAX based webmail solution for IMAP servers - metapackage

>  That said, it's not the only webmail client (or any other web app) that
> gets the install&neglect treatment, it's just the one most frequently
> exploited.

Do you have any empirical data showing that Roundcube is exploited more often
today than Squirrelmail?  Claims like this really need to be backed up.  Data
for only your data center doesn't count, the sample size is way too small.  This
is called "anecdotal" evidence, not empirical evidence.

--
Stan



Re: suitable webmail

Jaroslaw Grzabel
In reply to this post by kbh
K bharathan wrote:
> hi all
> of course this is a non postfix topic; but i'd like to know from the
> experienced which webmail is best for a postfix pop server
> i'd also have it configured for user soft quota
> guidance appreciated
I would add from my side... Horde IMP. If you need a good replacement for
Microsoft Outlook, Horde will definitely meet all your requirements...
and the default interface is compatible with mobiles so you can have a very
light version of webmail. Configuration is a bit of a pain but once
configured it stays online forever ;-).
> thanks
>
Regards,
Jarek


Re: [OT] suitable webmail

Charles Marcus
In reply to this post by Stan Hoeppner
On 2010-02-01 4:05 PM, Stan Hoeppner wrote:
> My Roundcube package is currently up to date, and it is a standard
> Debian package:
>
> [02:21:52][root@greer]/$ aptitude show roundcube
> Package: roundcube
> New: yes
> State: installed
> Automatically installed: no
> Version: 0.2.2-1~bpo50+1

Eh? 0.3.1 is the current version, so how is 0.2.2 'up to date'?

--

Best regards,

Charles

Re: [OT] suitable webmail

fakessh @
On Mon, 01 Feb 2010 17:17:49 -0500, Charles Marcus
<[hidden email]> wrote:

> On 2010-02-01 4:05 PM, Stan Hoeppner wrote:
>> My Roundcube package is currently up to date, and it is a standard
>> Debian package:
>>
>> [02:21:52][root@greer]/$ aptitude show roundcube
>> Package: roundcube
>> New: yes
>> State: installed
>> Automatically installed: no
>> Version: 0.2.2-1~bpo50+1
>
> Eh? 0.3.1 is the current version, so how is 0.2.2 'up to date'?

attention

0.3.1 is the current version , so 0.2.2 is 'up to date'

Re: [OT] suitable webmail

Ralf Hildebrandt
* fakessh <[hidden email]>:

> > Eh? 0.3.1 is the current version, so how is 0.2.2 'up to date'?
>
> attention
>
> 0.3.1 is the current version , so 0.2.2 is 'up to date'

That's probably some sort of twisted Debian humor .)

Re: suitable webmail

j debert
In reply to this post by mouss-4
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

mouss wrote:
>
> you mean things like
> GET /roundcube-0.2//bin/msgimport
> GET /round//bin/msgimport

Not lately.

Most recently, they're looking for version info:
    GET /rc/README
    GET /webmail/README
    GET /roundcube/README
    GET /rcube/README
        .
        .
        .
    GET /roundcubemail/README
    GET /roundcube/CHANGELOG
    etc.

and not so recently:
    GET /webmail/program/js/list.js
    GET /roundcube/program/js/list.js
    etc.

Some of the same IPs also probe port 25, connecting then disconnecting
w/o talking to the server. I don't think they like Postfix.

==
jd
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.4-svn0 (GNU/Linux)

iD8DBQFLZ1bChpL3F+HeDrIRAkCAAJ9HG9o4eI04VGV7lZF8Wp1kuN/MiACgg0qB
+W64ICtOaIlcIovhHAre/ds=
=hkCP
-----END PGP SIGNATURE-----
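
The probe paths quoted in this thread can be turned into a small access-log check, in the spirit of what fail2ban does with a filter. This is an added example, not part of any post; the threshold, the sample log lines and the documentation-range IP addresses are constructed assumptions.

```python
import re
from collections import defaultdict

# Request paths reported in this thread as Roundcube reconnaissance:
# msgimport under bin/, README/CHANGELOG version files, program/js/list.js.
PROBE_RE = re.compile(
    r"/bin/msgimport(?:\.sh)?$"
    r"|/(?:README|CHANGELOG)$"
    r"|/program/js/list\.js$"
)

# Leading fields of an Apache common/combined log line.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Constructed sample log lines (not taken from any real server).
SAMPLE = [
    '192.0.2.10 - - [01/Feb/2010:17:01:02 +0000] "GET /roundcube-0.2//bin/msgimport HTTP/1.1" 404 210 "-" "-"',
    '192.0.2.10 - - [01/Feb/2010:17:01:03 +0000] "GET /round//bin/msgimport HTTP/1.1" 404 210 "-" "-"',
    '192.0.2.10 - - [01/Feb/2010:17:01:04 +0000] "GET /rc/README HTTP/1.1" 404 210 "-" "-"',
    '192.0.2.10 - - [01/Feb/2010:17:01:05 +0000] "GET /webmail/program/js/list.js HTTP/1.1" 404 210 "-" "-"',
    '198.51.100.7 - - [01/Feb/2010:17:05:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.7 - - [01/Feb/2010:17:05:09 +0000] "GET /README HTTP/1.1" 404 210 "-" "-"',
    '203.0.113.5 - - [01/Feb/2010:18:00:00 +0000] "GET /roundcube/CHANGELOG?x=1 HTTP/1.1" 200 9000 "-" "-"',
]


def scan(lines, threshold=3):
    """Return (ips_to_ban, exposed_paths) from Apache access-log lines.

    An IP is flagged once it has requested `threshold` distinct probe
    paths that the server answered with a 4xx status. Probe paths that
    were answered 2xx are returned separately: they mean a real install
    is revealing its version files and should be locked down or patched.
    """
    misses = defaultdict(set)  # ip -> distinct probe paths answered 4xx
    exposed = set()            # probe paths answered 2xx
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed or non-request line
        path = m["path"].split("?", 1)[0]  # ignore any query string
        if not PROBE_RE.search(path):
            continue
        status = int(m["status"])
        if 400 <= status < 500:
            misses[m["ip"]].add(path)
        elif 200 <= status < 300:
            exposed.add(path)
    banned = sorted(ip for ip, paths in misses.items() if len(paths) >= threshold)
    return banned, sorted(exposed)


if __name__ == "__main__":
    print(scan(SAMPLE))
```
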


Re: suitable webmail

@lbutlr
In reply to this post by Stan Hoeppner
On 1-Feb-2010, at 13:39, Stan Hoeppner wrote:

>
> Carlos Williams put forth on 2/1/2010 10:04 AM:
>
>> I recommend and prefer Roundcube.
>>
>> http://roundcube.net/
>
> +1
>
> If you're going to offer webmail, you may as well offer IMAP folders instead of POP.  JMHO.

Yeah, I have to say I don't even understand how webmail+POP3 makes any sense at all.

> I'm an ex Squirrelmail user and switched to Roundcube, mainly for the nicer user interface.

I ran a testbed of Roundcube for my users and while the interface is *much* nicer than SquirrelMail, it has proven to be extremely flakey and a massive memory hog. Maybe things have improved with the 0.3.x version, but I finally had to dump it because it kept causing PHP and Apache to throttle.

> Other than Roundcube, for a really nice modern AJAX interface, take a look at SOGo.  The thing that really impresses me is the right click context menus like those available in Thunderbird or other GUI mail clients.

Thanks for that, I'll take a look at it.

--
And now, the rest of the story



Re: [OT] suitable webmail

Stan Hoeppner
In reply to this post by Charles Marcus
Charles Marcus put forth on 2/1/2010 4:17 PM:

> On 2010-02-01 4:05 PM, Stan Hoeppner wrote:
>> My Roundcube package is currently up to date, and it is a standard
>> Debian package:
>>
>> [02:21:52][root@greer]/$ aptitude show roundcube
>> Package: roundcube
>> New: yes
>> State: installed
>> Automatically installed: no
>> Version: 0.2.2-1~bpo50+1
>
> Eh? 0.3.1 is the current version, so how is 0.2.2 'up to date'?

The current discussion relates to keeping security patches current.

http://www.debian.org/security/

All security flaw related new code is back ported and stable versions patched.
You seem to be of the mistaken impression that one must have the latest 'release
version' of a software package to have the latest security patches.  This is not
true of any *nix distro or Windows for that matter.  Heck, M$ is still sending
out security patches via automatic updates to Windows 2000 machines (until June
10 apparently).

If there is a security flaw identified in the version of Roundcube I'm running
(or any package), at some point a patched version will be made available in the
security repository.  Automated or manual upgrades via apt or aptitude will pull
down the patched package and install it.

--
Stan

Re: [OT] suitable webmail

Stan Hoeppner
In reply to this post by Ralf Hildebrandt
Ralf Hildebrandt put forth on 2/1/2010 4:31 PM:

> That's probably some sort of twisted Debian humor .)

I wish it was humor...  Debian Stable always lags pretty seriously behind the
cutting edge release versions of a lot of packages.  Then again, from what I
understand, so do RHEL, CentOS, SLES, and some others.  This seems indicative of
"Stable" or "Enterprise" releases.  The "stability" vs "features" argument, I
assume.

When testing is pushed to stable (not sure of the target date), I'll end up with
Roundcube 3.1 after upgrading.

All of that said, I don't find I'm lacking any functionality with my current
version of Roundcube.

--
Stan