SMTP..POP..IMAP (Vulnerability) Certificate Error
#1
Hello dear Sentora support <3

Firstly, I'd like to say thank you for this awesome platform that I will be using and supporting for my website!

I have successfully installed the latest version of Sentora on my VPS (CentOS 7) and everything works great! I also set up my Let's Encrypt certificates for the CP and the domain.

Now the last thing to do is to fix this vulnerability that I found.

When someone tries to access the SMTP server or POP that I set in Cloudflare pointing to my VPS IP (I use Cloudflare as DNS manager), it exposes my VPS info (user/IP).

Check it out here, for example: https://smtp.domain.com/

It shows a certificate error, but when you press continue, get the forbidden page, and try to view the certificate, it actually shows my VPS IP and username!

I don't want it to return anything when they visit these records (SMTP, POP, etc.)!

See, for example, Google and other websites when you try to do the same thing:
https://smtp.gmail.com/

It gives you an error (took too long to respond, etc.); nothing shows up! That's exactly how I want it to be.

I'm not sure where exactly this problem is coming from, but I don't want to install SSL certificates for each of SMTP, IMAP, POP, etc.; it just doesn't make sense to do, IMO.

I'm sure there's a way to fix it, but I really don't know; it could be something in the main.cf file in /etc/postfix, or master.cf.

I really don't know how. I searched everywhere.
EDIT: I temporarily redirected smtp.domain.com (not the HTTPS URL) to my main website, just as a temp fix, using the /etc/sentora/configs/apache/httpd.conf file.

I put in these redirections, but only the HTTP one works:
Code:
# Default entry for any undefined domain or direct IP access
<VirtualHost *:80>
       Redirect / http://domain.com/
</VirtualHost>
# Default entry for any undefined domain or direct IP access
<VirtualHost *:443>
       Redirect / http://domain.com/
</VirtualHost>

I wonder how to fix this issue. I'm no expert at this stuff, but I know some things, so I'm not a complete noob lol.

Again, thank you so much for the great support. And I'll be posting some tutorials soon on my website when I'm done!

<3

- M0HX
Thanks given by:
#2
Hi,

Seems you do not understand it quite well.

1. Your IP will be shown and public for all mail traffic, as Cloudflare doesn't relay such protocols. So unless you use an SMTP gateway, you will need to expose your server.

2. SSL setup has nothing to do with SMTP, so each will need a different setup if you want to enable TLS.

3. If you want a valid SSL certificate, check Let's Encrypt.

M B
No support using PM (Auto adding to IGNORE list!), use the forum. 
How to ask
Freelance AWS Certified Architect & SysOps// DevOps

10$ free to start your VPS
Thanks given by: M0HX
#3
(06-09-2017, 06:07 PM)Me.B Wrote: Hi,

Seems you do not understand it quite well.

1. Your IP will be shown and public for all mail traffic, as Cloudflare doesn't relay such protocols. So unless you use an SMTP gateway, you will need to expose your server.

2. SSL setup has nothing to do with SMTP, so each will need a different setup if you want to enable TLS.

3. If you want a valid SSL certificate, check Let's Encrypt.

M B

Hey again. Sorry, but I don't think you understand my problem correctly.

1. I know, and I don't mind my VPS IP showing when pinging smtp.domain.com; it's all right. The problem is when you try to access (https://smtp.domain.com/) and view the invalid certificate.
Please try to do that and you'll see what I mean. It doesn't show only the IP, but also the username/user login.

2. I already have TLS enabled for sending encrypted mail. Everything is great. I use Let's Encrypt.

See smtp.gmail.com. It doesn't load or return a page or a certificate error.
That's how I want my website to be. I don't know why it tries to search for a certificate.

Thank you again :c and please help.
Thanks given by:
#4
The HTTPS certificate at the https URL is indeed broken, as it links to a VPS on OVH with that name.

You need to generate one with Let's Encrypt for that exact matching subdomain.

Check the certificate info in Chrome (open developer tools, then SSL).

M B
Thanks given by: M0HX
#5
(06-11-2017, 03:40 AM)Me.B Wrote: The HTTPS certificate at the https URL is indeed broken, as it links to a VPS on OVH with that name.

You need to generate one with Let's Encrypt for that exact matching subdomain.

Check the certificate info in Chrome (open developer tools, then SSL).

M B

But it doesn't make sense to make SSL certificates for each and every one of the records:
pop.website.com
smtp.website.com
imap.website.com

As they are not actually subdomains! They're just pointers to the VPS IP to let them be used to send mail and stuff, I guess.

Again, if you read the first post, I explained everything. Why can't I just disable URL access to those records (smtp.website.com, etc.), just like https://smtp.gmail.com/?

Is there a way to fix this? Like smtp.gmail.com: it doesn't have URL access, nor is a certificate being checked.

:( Thanks again
Thanks given by:
#6
First you need to sort out your DNS. Technically, when you enter a non-subdomain (like smtp.domain.com or mail.domain.com) you should see your panel login page by default. (This can be changed once your DNS is sorted out.)
-TGates - Project Council

SEARCH the Forums or read the DOCUMENTATION before posting!
Support Sentora and Donate: HERE

Find my support or modules useful? Donate to TGates HERE
Developers and code testers needed!
Contact TGates for more information
Thanks given by: M0HX
#7
(06-12-2017, 07:53 AM)TGates Wrote: First you need to sort out your DNS. Technically, when you enter a non-subdomain (like smtp.domain.com or mail.domain.com) you should see your panel login page by default. (This can be changed once your DNS is sorted out.)

What does sorting out my DNS mean? Or how should I be able to fix this? Please give me a hint to start fixing and looking for where the problem is exactly. I'm clueless right now.

Thanks for your reply!

EDIT: I think I got it, but I'm not sure where to fix it, TBH. I'm sure it's in one of these files
in (/etc/sentora/configs/apache/):

These are my settings right now:
(I have two valid certificates: one for the main domain and one for cp.domain.com)

httpd.conf
Code:
# Sentora Apache Include file
# Written by Bobby Allen, 15/05/2011

# Set the Sentora Alias (used for development, sable will eventually use a VHOST)
#Alias /Sentora /etc/sentora/panel

# Set a default server name for the master configuration to supress Apache daemon warnings
ServerName localhost

# Setup the directory settings and PHP security flags for the Sentora application directory.
<Directory /etc/sentora/panel>
    Options +FollowSymLinks
    DirectoryIndex index.php
    <IfModule mod_php5.c>
        AddType application/x-httpd-php .php
        php_flag magic_quotes_gpc Off
        php_flag track_vars On
        php_flag register_globals Off
        php_admin_value upload_tmp_dir /var/sentora/temp
    </IfModule>
</Directory>

# Disallow web access to directories that don't need it/that we don't want people looking in!
<Directory /etc/sentora/panel/cnf/>
    Require all denied 
</Directory>
<Directory /etc/sentora/panel/modules/*/hooks>
    Require all denied 
</Directory>

# Set server tokens
ServerTokens Prod

# Default entry for any undefined domain or direct IP access
<VirtualHost *:80>
        Redirect / http://domain.com/
</VirtualHost>
# Default entry for any undefined domain or direct IP access
<VirtualHost *:443>
        Redirect / http://domain.com/
</VirtualHost>

# Now we include the generic VHOST configuration file that holds all Sentora user hosted vhost data
Include /etc/sentora/configs/apache/httpd-vhosts.conf
Include /etc/sentora/configs/apache/httpd-ssl-vhosts.conf

httpd-vhosts.conf
Code:
################################################################
# Apache VHOST configuration file
# Automatically generated by Sentora 1.0.3
# Generated on: 18:25 7th Jun 2017 +03
#==== YOU MUST NOT EDIT THIS FILE : IT WILL BE OVERWRITTEN ====
# Use Sentora Menu -> Admin -> Module Admin -> Apache config
################################################################

Listen 80

# Configuration for Sentora control panel.
<VirtualHost *:80>
ServerAdmin zadmin@localhost
DocumentRoot "/etc/sentora/panel/"
ServerName cp.domain.com
ErrorLog "/var/sentora/logs/sentora-error.log" 
CustomLog "/var/sentora/logs/sentora-access.log" combined
CustomLog "/var/sentora/logs/sentora-bandwidth.log" common
AddType application/x-httpd-php .php
<Directory "/etc/sentora/panel/">
Options +FollowSymLinks -Indexes
    AllowOverride All
    Require all granted
</Directory>

# Custom settings are loaded below this line (if any exist)

</VirtualHost>

################################################################
# Sentora generated VHOST configurations below.....
################################################################

# DOMAIN: domain.com
<virtualhost *:80>
ServerName domain.com
ServerAlias  www.domain.com
ServerAdmin zadmin@localhost
DocumentRoot "/var/sentora/hostdata/zadmin/public_html/"
php_admin_value open_basedir "/var/sentora/hostdata/zadmin/public_html/:/var/sentora/temp/"
php_admin_value suhosin.executor.func.blacklist "passthru, show_source, shell_exec, system, pcntl_exec, popen, pclose, proc_open, proc_nice, proc_terminate, proc_get_status, proc_close, leak, apache_child_terminate, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, escapeshellcmd, escapeshellarg, exec"
ErrorLog "/var/sentora/logs/domains/zadmin/domain.com-error.log" 
CustomLog "/var/sentora/logs/domains/zadmin/domain.com-access.log" combined
CustomLog "/var/sentora/logs/domains/zadmin/domain.com-bandwidth.log" common
<Directory "/var/sentora/hostdata/zadmin/public_html/">
  Options +FollowSymLinks -Indexes
  AllowOverride All
  Require all granted
</Directory>
AddType application/x-httpd-php .php3 .php
DirectoryIndex index.html index.htm index.php index.asp index.aspx index.jsp index.jspa index.shtml index.shtm
# Custom Global Settings (if any exist)

# Custom VH settings (if any exist)

</virtualhost>
# END DOMAIN: domain.com
################################################################


httpd-ssl-vhosts.conf
Code:
################################################################
# Apache VHOST configuration file for https to work!
################################################################

# ports to listen (only required ones):
Listen 443

##################################################
# Configuration for Sentora control panel | cp.domain.com | SSL
<virtualhost *:443>
ServerAdmin zadmin@localhost
DocumentRoot "/etc/sentora/panel/"
ServerName cp.domain.com
ErrorLog "/var/sentora/logs/sentora-error.log" 
CustomLog "/var/sentora/logs/sentora-access.log" combined
CustomLog "/var/sentora/logs/sentora-bandwidth.log" common
AddType application/x-httpd-php .php
<Directory "/etc/sentora/panel/">
Options +FollowSymLinks -Indexes
    AllowOverride All
    Require all granted
</Directory>

# Custom settings are loaded below this line (if any exist)
SSLEngine on

SSLProtocol ALL -SSLv2 -SSLv3

SSLHonorCipherOrder On

SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS

SSLCertificateFile /etc/letsencrypt/live/cp.domain.com/cert.pem

SSLCertificateKeyFile /etc/letsencrypt/live/cp.domain.com/privkey.pem

SSLCertificateChainFile /etc/letsencrypt/live/cp.domain.com/chain.pem

# Keeping bellow for future upgrades.

# Requires Apache >= 2.4

SSLCompression off
</VirtualHost>
##################################################


################################################################
# Configuration for domain | domain.com | SSL


# DOMAIN: domain.com
<virtualhost *:443>
ServerName domain.com
ServerAlias  www.domain.com
ServerAdmin zadmin@localhost
DocumentRoot "/var/sentora/hostdata/zadmin/public_html/"
php_admin_value open_basedir "/var/sentora/hostdata/zadmin/public_html/:/var/sentora/temp/"
php_admin_value suhosin.executor.func.blacklist "passthru, show_source, shell_exec, system, pcntl_exec, popen, pclose, proc_open, proc_nice, proc_terminate, proc_get_status, proc_close, leak, apache_child_terminate, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, escapeshellcmd, escapeshellarg, exec"
ErrorLog "/var/sentora/logs/domains/zadmin/domain.com-error.log" 
CustomLog "/var/sentora/logs/domains/zadmin/domain.com-access.log" combined
CustomLog "/var/sentora/logs/domains/zadmin/domain.com-bandwidth.log" common
<Directory "/var/sentora/hostdata/zadmin/public_html/">
  Options +FollowSymLinks -Indexes
  AllowOverride All
  Require all granted
</Directory>
AddType application/x-httpd-php .php3 .php
DirectoryIndex index.html index.htm index.php index.asp index.aspx index.jsp index.jspa index.shtml index.shtm
# Custom Global Settings (if any exist)

# Custom VH settings (if any exist)
SSLEngine on

SSLProtocol ALL -SSLv2 -SSLv3

SSLHonorCipherOrder On

SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS

SSLCertificateFile /etc/letsencrypt/live/domain.com/cert.pem

SSLCertificateKeyFile /etc/letsencrypt/live/domain.com/privkey.pem

SSLCertificateChainFile /etc/letsencrypt/live/domain.com/chain.pem

# Keeping bellow for future upgrades.

# Requires Apache >= 2.4

SSLCompression off
</virtualhost>
# END DOMAIN: domain.com
################################################################



Which code should I change or fix to fix this? :c Thanks in advance.
Thanks given by:
#8
You could try moving:
Code:
# Default entry for any undefined domain or direct IP access
<VirtualHost *:443>
       Redirect / http://darkz0ne.net/
</VirtualHost>
to your httpd-ssl-vhosts.conf right after the 'Listen 443' and restart apache.

Just my suggestion for Let's Encrypt SSLs (and for any others TBH):
A much easier way, which utilizes Sentora's internal functions instead of editing the .conf files manually, is to use these Let's Encrypt tutorials:
Sentora login: http://docs.sentora.org/?node=102
Any other domains: http://docs.sentora.org/?node=103
Now, all of your regular vhost AND SSL vhost entries are in ONE file and stored in the DB as a 'backup'.
-TGates - Project Council
Thanks given by: M0HX
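Added example (not part of any post in this thread, and not Sentora's code): Apache answers a host name that matches no ServerName or ServerAlias from the first virtual host listed for that address and port, so the order of the `*:443` blocks decides what https://smtp.domain.com/ is served by. The sketch below models only that rule for exact names; `SAMPLE` is a constructed, condensed copy of the `*:443` blocks posted above, and the function names are hypothetical.

```python
import re
# Constructed sample: the thread's *:443 blocks, condensed, in load order.
SAMPLE = """\
<VirtualHost *:443>
    Redirect / http://domain.com/
</VirtualHost>
<virtualhost *:443>
    ServerName cp.domain.com
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/cp.domain.com/cert.pem
</VirtualHost>
<virtualhost *:443>
    ServerName domain.com
    ServerAlias www.domain.com
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/domain.com/cert.pem
</virtualhost>
"""
BLOCK = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.I | re.S)

def parse_vhosts(conf):
    """Return one dict per <VirtualHost> block, in the order given."""
    vhosts = []
    for addr, body in BLOCK.findall(conf):
        vh = {"addr": addr.strip(), "names": [], "ssl": False, "cert": None}
        for line in body.splitlines():
            parts = line.split()
            if not parts or parts[0].startswith("#"):
                continue
            key, args = parts[0].lower(), parts[1:]
            if key in ("servername", "serveralias"):
                vh["names"] += [a.lower() for a in args]
            elif key == "sslengine":
                vh["ssl"] = [a.lower() for a in args[:1]] == ["on"]
            elif key == "sslcertificatefile" and args:
                vh["cert"] = args[0]
        vhosts.append(vh)
    return vhosts

def vhost_for(conf, host, addr="*:443"):
    """Exact name match wins; otherwise the first vhost listed for addr."""
    same = [v for v in parse_vhosts(conf) if v["addr"] == addr]
    for v in same:
        if host.lower() in v["names"]:
            return v, True
    return (same[0], False) if same else (None, False)

def audit(conf, hosts):
    """Map host -> (certificate file of the answering vhost, matched by name?)."""
    out = {}
    for h in hosts:
        v, matched = vhost_for(conf, h)
        out[h] = (v["cert"] if v and v["ssl"] else None, matched)
    return out
```

Wildcard aliases and `_default_` addresses are not modelled; pass in the configuration concatenated in the order Apache loads it, including anything loaded before Sentora's files.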
#9
(06-13-2017, 01:46 AM)TGates Wrote: You could try moving:
Code:
# Default entry for any undefined domain or direct IP access
<VirtualHost *:443>
       Redirect / http://domain.com/
</VirtualHost>

to your httpd-ssl-vhosts.conf right after the 'Listen 443' and restart apache.

I tried that. It still doesn't work. The problem is not with redirection. I tried many things, actually: redirections with VirtualHost and setting different paths and domains. Nope, nothing works.

(06-13-2017, 01:46 AM)TGates Wrote: Just my suggestion for Let's Encrypt SSLs (and for any others TBH):
A much easier way, which utilizes Sentora's internal functions instead of editing the .conf files manually, is to use these Let's Encrypt tutorials:
Sentora login: http://docs.sentora.org/?node=102
Any other domains: http://docs.sentora.org/?node=103
Now, all of your regular vhost AND SSL vhost entries are in ONE file and stored in the DB as a 'backup'.

^ I tried those too. Actually, it didn't make any difference at all, because I was making
<VirtualHost *:80> in httpd-vhosts.conf (automatically from Sentora settings)
and
<VirtualHost *:443> in httpd-ssl-vhosts.conf with the same certificates and stuff. It's much better IMO.

It always says certificate error (invalid).

These are the current records I want to fix:
https://ftp.domain.com/
https://pop.domain.com/
https://imap.domain.com/
https://smtp.domain.com/
https://mail.domain.com/

Why isn't it just as simple as not responding, like (https://smtp.gmail.com), or just blocking access for all these domains? Is there a way? In the hosts file or something? Please help. Thanks.
Thanks given by:
#10
Guys, I still need help. If anyone can help me, it would be much appreciated! :c
Thanks given by: