Vulnerabilities of Kolab 3.4

[Lance Charette]

Johannes,

Thank you for the response and heads up regarding DKIM.  I will look to 
incorporate that into our server right away.

I am aware of a man in the middle harvest of email information as well 
as the spoofing of email addresses.  We do employ SPF safe guards to 
combat emails not sent from our servers but are using our email 
addresses.  I typically get 'copies' of these emails when users are 
alerting me of it which does not include the header file so I can 
determine the route taken by the email.  We have sent out instructions 
to all users so that they can include the header when copying the emails 
to me.

Like you, I'm kind of surprised no one has jumped on this yet given 
concern for security within the Kolab environment.  I have to believe 
other Kolab users have experienced something similar.  It would be nice 
to have some confirmation as to how 'hardened' the Kolab environment 
is.  With all the 3rd party pieces pulled into one product it's 
difficult to determine what module is adding what to the mix 
particularly given I can find no block diagram of sorts that shows how 
they all fit together in the puzzle.  That would be of tremendous 
benefit for those of us who are tasked with administering this environment.

Thanks again Johannes and take care,

Homer Dokes

On 4/29/2019 10:17 AM, Johannes Ranke wrote:
> Homer,
>
> I was hoping someone more knowledgeable would reply. As this is not the case
> so far, I'll give my best (which is not very much I am afraid):
>
> a) The content of emails (e-mail addresses of real contacts, as well as
> message contact) will generally travel unencrypted and can therefore
> potentially be harvested if systems along the way are compromised. Therefore,
> if you find e-mail contents in spam messages, this may mean that your server is
> compromised, but not necessarily so.
>
> b) In addition, e-mail addresses can be spoofed, i.e. an e-mail can have a
> sender address in the From: header that is not in the domain of the server
> from which it is sent.
>
> I have personally experienced: a) The name of a person that I have
> corresponded with used as "Real name" in a spam message (like Real Name
> <something.cryptic at xyz.org>), but no other contents of a legitimate e-mail in
> spam and b) e-mail addresses that are in use on my kolab domain occuring in
> the From: header of Spam messages that I received.
>
> In order to avoid b), I have started to use DKIM to sign messages originating
> from my kolab server, so receivers (including myself) can check if a message
> was signed on my server. I am still receiving spoofed messages, but they do
> not contain any DKIM signature. Therefore I assume that my server is OK.
>
> Kind regards,
>
> Johannes
>
>
>
> Am Donnerstag, 25. April 2019, 12:40:13 CEST schrieb Homer Dokes:
>> Greetings all,
>>
>> Recently we have been experiencing a tremendous number of spam/malware
>> emails with origination addresses from our own Kolab server members.
>> Our Kolab server sits behind a firewall allowing only ports 587, 25,
>> 8585 (for the gui interface) and 993 for through traffic.
>>
>> What kind of vulnerabilities, if any, exist for a would be attacker to
>> extract email information from the server under these conditions.  In a
>> few instances we have actually had 'threaded' email exchanges shown in
>> the body of the malware email making it look legit.  What is accessible
>> on the Kolab server that would allow anyone to retrieve that information
>> through those ports? Our concern is that the damage is already done and
>> we are compromised.
>>
>> Thank you,
>>
>> hdokes
>> _______________________________________________
>> users mailing list
>> users at lists.kolab.org
>> https://lists.kolab.org/mailman/listinfo/users
>