Merge branch 'release/1.2.7'

CHANGELOG.md

@@ -1,7 +1,33 @@
+1.2.7
+-----------
+Security
+- More restricted access to library and public available files (#990)
+- Fix email blacklist bypass when an email with more than 2 normal recipient is processed (#255, #992)
+
+Improvements
+- Add check for path of postconf, exim and sendmail executables in sf_version.php (#948)
+- Enable use of '&' in username (#964)
+- Add f-prot 6 virus scanner support
+- Enlarge localhost ip detection to full 127.0.0.0/8 class
+- Add IMAP auth support (#961)
+- Better support for Hebrew charset
+- Add Japanese language translation
+- Updated translations
+- Some code refactoring
+
+Fixes
+- Uniform use of IMAGES_DIR as a relative path instead of an absolute path (#944)
+- Fix admins editing domain admins
+- Fix LDAP sAMAccountname not being used for login (#955)
+- Fix domain admins not being able to change own password
+- Fix ONLY_FULL_GROUP_BY MySQL error (#733)
+- Fix UTF8 headers in viewmail
+- Update sudoers file to use mailq to match conf.php.example
+
 1.2.6
 -----------
 Security
-- Restrict domain admin permission so that they can only modify/create/delete regular users.  Also, emails must be used for all non-admin accounts (#940)
+- Restrict domain admin permission so that they can only modify/create/delete regular users. Also, emails must be used for all non-admin accounts (#940)
 
 Improvements
 - Add entries counter on white and black list (#509)

MailScanner_perl_scripts/SQLBlackWhiteList.pm

@@ -199,7 +199,7 @@ sub LookupList {
     return 0 unless $message; # Sanity check the input
 
     # Find the "from" address and the first "to" address
-    my ($from, $fromdomain, @todomain, $todomain, @to, $to, $ip, $ip1, $ip1c, $ip2, $ip2c, $ip3, $ip3c, $subdom, $i, @keys, @subdomains);
+    my ($from, $fromdomain, $toAdd, $todomainAdd, @todomain, $todomain, @to, $to, $ip, $ip1, $ip1c, $ip2, $ip2c, $ip3, $ip3c, $subdom, $i, @keys, @subdomains);
     $from = $message->{from};
     $fromdomain = $message->{fromdomain};
     # Create a array of subdomains for subdomain and tld wildcard matching
@@ -210,10 +210,16 @@ sub LookupList {
         $subdom = $1;
         push (@subdomains, "*.".$subdom);
     }
+
+    @keys = ('default');
     @todomain = @{$message->{todomain}};
-    $todomain = $todomain[0];
     @to = @{$message->{to}};
-    $to = $to[0];
+    foreach $toAdd (@to) {
+        push (@keys, $toAdd);
+    }
+    foreach $todomainAdd (@todomain) {
+        push (@keys, $todomainAdd);
+    }
     $ip = $message->{clientip};
 
     # Match on leading 3, 2, or 1 octets
@@ -232,8 +238,6 @@ sub LookupList {
     # the IP address is listed,
     # the first 3, 2, or 1 octets of the ipaddress are listed with or without a trailing dot
     # or a subdomain match of the form *.subdomain.example.com is listed
-
-    @keys = ($to, $todomain, 'default');
     foreach (@keys) {
         $i = $_;
         return 1 if $BlackWhite->{$i}{$from};
@@ -246,12 +250,11 @@ sub LookupList {
         return 1 if $BlackWhite->{$i}{$ip2c};
         return 1 if $BlackWhite->{$i}{$ip1};
         return 1 if $BlackWhite->{$i}{$ip1c};
+        return 1 if $BlackWhite->{$i}{'default'};
         foreach (@subdomains) {
             return 1 if $BlackWhite->{$i}{$_};
         }
     }
-    return 1 if $BlackWhite->{$to}{'default'};
-    return 1 if $BlackWhite->{$todomain}{'default'};
 
     # It is not in the list
     return 0;

create.sql

@@ -109,7 +109,7 @@ CREATE TABLE IF NOT EXISTS `maillog` (
   `sascore` decimal(7,2) DEFAULT '0.00',
   `spamreport` mediumtext COLLATE utf8_unicode_ci,
   `virusinfected` tinyint(1) DEFAULT '0',
-  `nameinfected` tinyint(1) DEFAULT '0',
+  `nameinfected` tinyint(2) DEFAULT '0',
   `otherinfected` tinyint(1) DEFAULT '0',
   `report` mediumtext COLLATE utf8_unicode_ci,
   `ismcp` tinyint(1) DEFAULT '0',
@@ -251,6 +251,7 @@ CREATE TABLE IF NOT EXISTS `sa_rules` (
 --
 
 CREATE TABLE IF NOT EXISTS `users` (
+  `id` BIGINT NOT NULL AUTO_INCREMENT UNIQUE KEY,
   `username` varchar(191) COLLATE utf8_unicode_ci NOT NULL DEFAULT '',
   `password` varchar(255) COLLATE utf8_unicode_ci DEFAULT NULL,
   `fullname` varchar(255) COLLATE utf8_unicode_ci NOT NULL DEFAULT '',

mailscanner/.htaccess

@@ -0,0 +1 @@
+Options -Indexes

mailscanner/auto-release.php

@@ -97,7 +97,7 @@
 </head>
 <body class="autorelease">
 <div class="autorelease">
-    <img src="' . MAILWATCH_HOSTURL . IMAGES_DIR . MW_LOGO . '" alt="' . __('mwlogo99') . '">
+    <img src=".' . IMAGES_DIR . MW_LOGO . '" alt="' . __('mwlogo99') . '">
     <div class="border-rounded">
         <h1>' . __('title59') . '</h1>' . "\n";
     foreach ($output as $msg) {

mailscanner/checklogin.php

@@ -46,7 +46,7 @@
         header('Location: login.php?error=baduser');
         die();
     }
-    $myusername = $_POST['myusername'];
+    $myusername = html_entity_decode($_POST['myusername']);
     $mypassword = $_POST['mypassword'];
 }
 
@@ -55,10 +55,19 @@
     (($result = ldap_authenticate($myusername, $mypassword)) !== null)
 ) {
     $_SESSION['user_ldap'] = true;
+    $myusername = safe_value($result);
+    $mypassword = safe_value($mypassword);
+} elseif (
+    defined('USE_IMAP') &&
+    (USE_IMAP === true) &&
+    (($result = imap_authenticate($myusername, $mypassword)) !== null)
+) {
+    $_SESSION['user_imap'] = true;
     $myusername = safe_value($myusername);
     $mypassword = safe_value($mypassword);
 } else {
     $_SESSION['user_ldap'] = false;
+    $_SESSION['user_imap'] = false;
     if ($mypassword !== '') {
         $myusername = safe_value($myusername);
         $mypassword = safe_value($mypassword);
@@ -80,7 +89,10 @@
     die();
 }
 
-if ($_SESSION['user_ldap'] === false) {
+if (
+    ($_SESSION['user_ldap'] === false) &&
+    ($_SESSION['user_imap'] === false)
+) {
     $passwordInDb = database::mysqli_result($result, 0, 'password');
     if (!password_verify($mypassword, $passwordInDb)) {
         if (!hash_equals(md5($mypassword), $passwordInDb)) {

mailscanner/conf.php.example

@@ -32,12 +32,12 @@
 // Debug messages
 define('DEBUG', false);
 
-// Define language (de, en, fr, it, nl, pt_br);
+// Define language (de, en, fr, it, ja, nl, pt_br);
 define('LANG', 'en');
 
 // Optional: If USER_SELECTABLE_LANG is defined and the value contains more than one language then the user gets a dropdown 
 // in the gui to change the language of his browser. The selectable languages are defined as a comma separated list.
-define('USER_SELECTABLE_LANG', 'de,en,fr,it,nl,pt_br');
+define('USER_SELECTABLE_LANG', 'de,en,fr,it,ja,nl,pt_br');
 
 // Session Handling - conflicts can exist when the your environment makes use of multiple php sessions on the same server
 // to resolve this, uncomment the following option.  See https://github.com/mailwatch/MailWatch/issues/730 for more info
@@ -65,7 +65,6 @@ define('DB_DSN', DB_TYPE . '://' . DB_USER . ':' . DB_PASS . '@' . DB_HOST . '/'
 
 // LDAP settings for authentication
 define('USE_LDAP', false);
-define('LDAP_SSL', false); // Set to true if using LDAP with SSL encryption.
 define('LDAP_HOST', 'server.example.com');
 define('LDAP_PORT', '389');
 define('LDAP_DN', 'DC=example,DC=com');
@@ -83,6 +82,11 @@ define('LDAP_USERNAME_FIELD', 'cn');
 // Microsoft Active Directory compatibility support for searches from Domain Base DN
 define('LDAP_MS_AD_COMPATIBILITY', true);
 
+// IMAP settings for authentication
+define('USE_IMAP', false);
+define('IMAP_HOST', '{imap.example.com:993/imap/ssl}'); //for parameters check http://php.net/manual/en/function.imap-open.php
+define('IMAP_AUTOCREATE_VALID_USER', false); // Set to true to autocerate a valid IMAP user in MailWatch database after sucessful login
+
 // Set Time Zone
 // See http://php.net/manual/en/timezones.php for a list of usable timezones.
 define('TIME_ZONE', 'America/New_York');

mailscanner/functions.php

@@ -194,6 +194,9 @@ function getVirusRegex($scanner = null)
             case 'f-prot':
                 $regex = '/(.+) Infection: (\S+)/';
                 break;
+            case 'f-prot-6':
+                $regex = '/(.+) Infection: (\S+)/';
+                break;
             case 'f-protd-6':
                 $regex = '/(.+) Infection: (\S+)/';
                 break;
@@ -248,7 +251,7 @@ function getVirusRegex($scanner = null)
  */
 function mailwatch_version()
 {
-    return '1.2.6';
+    return '1.2.7';
 }
 
 /**
@@ -362,7 +365,7 @@ function html_start($title, $refresh = 0, $cacheable = true, $report = false)
     echo '<td>' . "\n";
     echo '<table border="0" cellpadding="0" cellspacing="0">' . "\n";
     echo '<tr>' . "\n";
-    echo '<td align="left"><a href="index.php" class="logo"><img src="' . MAILWATCH_HOSTURL . IMAGES_DIR . MW_LOGO . '" alt="' . __('mailwatchtitle03') . '"></a></td>' . "\n";
+    echo '<td align="left"><a href="index.php" class="logo"><img src=".' . IMAGES_DIR . MW_LOGO . '" alt="' . __('mailwatchtitle03') . '"></a></td>' . "\n";
     echo '</tr>' . "\n";
     echo '<tr>' . "\n";
     echo '<td valign="bottom" align="left" class="jump">' . "\n";
@@ -1491,7 +1494,7 @@ function formatSize($size, $precision = 2)
     if ($size === null) {
         return 'n/a';
     }
-    if ($size === 0) {
+    if ($size === 0 || $size === '0') {
         return '0';
     }
     $base = log($size) / log(1024);
@@ -3145,6 +3148,47 @@ function ldap_get_conf_truefalse($entry)
     }
 }
 
+/**
+ * @param string $username
+ * @param string $password
+ * @return null|string
+ */
+function imap_authenticate($username, $password)
+{
+    $username = strtolower($username);
+
+    if (!filter_var($username, FILTER_VALIDATE_EMAIL)) {
+        //user has no mail but it is required for mailwatch
+        return null;
+    }
+
+    if ($username !== '' && $password !== '') {
+        $mbox = imap_open(IMAP_HOST, $username, $password, null, 0);
+
+        if (false === $mbox) {
+            //auth faild
+            return null;
+        }
+
+        if (defined('IMAP_AUTOCREATE_VALID_USER') && IMAP_AUTOCREATE_VALID_USER === true) {
+            $sql = sprintf('SELECT username FROM users WHERE username = %s', quote_smart($username));
+            $sth = dbquery($sql);
+            if ($sth->num_rows === 0) {
+                $sql = sprintf(
+                    "REPLACE INTO users (username, fullname, type, password) VALUES (%s, %s,'U',NULL)",
+                    quote_smart($username),
+                    quote_smart($password)
+                );
+                dbquery($sql);
+            }
+        }
+
+        return $username;
+    }
+
+    return null;
+}
+
 /**
  * @param $name
  * @return string
@@ -4050,7 +4094,6 @@ function checkConfVariables()
         'LDAP_PASS',
         'LDAP_PORT',
         'LDAP_PROTOCOL_VERSION',
-        'LDAP_SSL',
         'LDAP_USER',
         'LDAP_USERNAME_FIELD',
         'LISTS',
@@ -4118,6 +4161,7 @@ function checkConfVariables()
         'QUARANTINE_FROM_ADDR',
         'QUARANTINE_REPORT_HOSTURL',
         'CACHE_DIR',
+        'LDAP_SSL',
         'TTF_DIR',
     );
 
@@ -4137,12 +4181,15 @@ function checkConfVariables()
         'SESSION_NAME' => array('description' => 'needed if experiencing session conflicts'),
         'SENDMAIL_QUEUE_IN' => array('description' => 'needed only if using Sendmail as MTA'),
         'SENDMAIL_QUEUE_OUT' => array('description' => 'needed only if using Sendmail as MTA'),
-        'USER_SELECTABLE_LANG' => array('description' => 'comma separated list of codes for languages the users can use eg. "de,en,fr,it,nl,pt_br"'),
+        'USER_SELECTABLE_LANG' => array('description' => 'comma separated list of codes for languages the users can use eg. "de,en,fr,it,ja,nl,pt_br"'),
         'MAILWATCH_SMTP_HOSTNAME' => array('description' => 'needed only if you use a remote SMTP server to send MailWatch emails'),
         'SESSION_TIMEOUT' => array('description' => 'needed if you want to override the default session timeout'),
         'STATUSGRAPH_INTERVAL' => array('description' => 'to change the interval of the status chart (default 60 minutes)'),
         'ALLOW_NO_USER_DOMAIN' => array('description' => 'allow usernames not in mail format for domain admins and regular users'),
         'ENABLE_SUPER_DOMAIN_ADMINS' => array('description' => 'allows domain admins to change domain admins from the same domain'),
+        'USE_IMAP' => array('description' => 'use IMAP for user authentication'),
+        'IMAP_HOST' => array('description' => 'IMAP host to be used for user authentication'),
+        'IMAP_AUTOCREATE_VALID_USER' => array('description' => 'enable to autorcreate user from valid imap login')
     );
 
     $results = array();
@@ -4287,7 +4334,7 @@ function ip_in_range($ip, $net = false, $privateLocal = false)
 
     if ($privateLocal === 'local') {
         $localIPSet = new \IPSet\IPSet(array(
-            '127.0.0.1',
+            '127.0.0.0/8',
             '::1',
         ));
 
@@ -4364,7 +4411,7 @@ function validateInput($input, $type)
             }
             break;
         case 'user':
-            if (preg_match('/^[\p{L}\p{M}\p{N}~!@$%^*=_:.\/+-]{1,256}$/u', $input)) {
+            if (preg_match('/^[\p{L}\p{M}\p{N}\&~!@$%^*=_:.\/+-]{1,256}$/u', $input)) {
                 return true;
             }
             break;
@@ -4770,7 +4817,12 @@ function getVirus($report)
     } else {
         $scanners = explode(' ', get_conf_var('VirusScanners'));
         foreach ($scanners as $scanner) {
-            if (preg_match(getVirusRegex($scanner), $report, $match) === 1) {
+            $scannerRegex = getVirusRegex($scanner);
+            if ($scannerRegex === null || $scannerRegex === "") {
+                error_log("Could not find regex for virus scanner " . $scanner);
+                continue;
+            }
+            if (preg_match($scannerRegex, $report, $match) === 1) {
                 break;
             }
         }

mailscanner/graphgenerator.inc.php

@@ -62,8 +62,8 @@ public function printPieGraph()
         $chartId = (isset($this->settings['chartId']) ? $this->settings['chartId'] : 'reportGraph');
         //create canvas graph
         echo '<canvas id="' . $chartId . '" class="reportGraph"></canvas>
-      <script src="lib/Chart.js/Chart.min.js"></script>
-      <script src="lib/pieConfig.js"></script>
+      <script src="js/Chart.js/Chart.min.js"></script>
+      <script src="js/pieConfig.js"></script>
       <script>
         COLON = "' . __('colon99') . '";
         printPieGraph("' . $chartId .'", {
@@ -127,8 +127,8 @@ public function printLineGraph()
         }
         $chartId = (isset($this->settings['chartId']) ? $this->settings['chartId'] : 'reportGraph');
         echo '<canvas id="' . $chartId . '" class="lineGraph"></canvas>
-      <script src="lib/Chart.js/Chart.bundle.min.js"></script>
-      <script src="lib/lineConfig.js"></script>
+      <script src="js/Chart.js/Chart.bundle.min.js"></script>
+      <script src="js/lineConfig.js"></script>
       <script>
         COLON = "' . __('colon99') . '";
         printLineGraph("' . $chartId . '",  {

mailscanner/js/Chart.js/.htaccess

@@ -0,0 +1,8 @@
+<Files "UPGRADE_NOTICE">
+  #for apache 2.4
+  Require all denied
+
+  #for apache 2.2
+#  Order Allow,Deny
+#  Deny from all
+</Files>