Afterlogic WebMail on CyberPanel – with password change

For some time now, we have been striving to make our webmail products better integrated with various hosting control panels. We provide automated installers for cPanel, DirectAdmin and Plesk – and popular features such as password change and user signup are available there. On other control panels, it should be possible to install webmail just like you install any other PHP application – but even in such cases, features like signup or password change are worth implementing.

This week we’ve been exploring CyberPanel, a free open-source control panel. Installing WebMail Pro there was a breeze: simply unpack the product package into a website directory, supply the credentials of a database we’ve just created, et voilà. We were going to research how it all works internally and create a password change module – just like we recently did for FastPanel – but it turned out there’s no need for that. Passwords are stored in the database as hashes, and we already have a module which can be used for that: Password change in mail server database.

We downloaded the module and unzipped it into the ChangePasswordInMailServerDatabasePlugin subdirectory of the modules directory, then edited the Module.php file, replacing these two lines:

$sPasshash = exec("doveadm pw -s 'ssha512' -p '" . $sPassword . "'");
$sql = "UPDATE mailbox SET password='" . $sPasshash . "' WHERE username='" . $oAccount->IncomingLogin . "'";

with the following code:

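// CyberPanel's e_users table is matched on the full address (email) and the domain name (emailOwner_id).
$sEmail = $oAccount->IncomingLogin;
[$sUsername, $sDomain] = explode("@", $sEmail);
// bcrypt hash carrying Dovecot's {CRYPT} scheme prefix.
$sPasshash = '{CRYPT}' . password_hash($sPassword, PASSWORD_BCRYPT, ['cost' => 12]);
// $sEmail and $sDomain go into the statement as-is: escape or bind them with the module's database API before running it.
$sql = "UPDATE e_users SET password = '" . $sPasshash . "' WHERE emailOwner_id = '" . $sDomain . "' AND email = '" . $sEmail . "'";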
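
The same update with the login and the hash bound as statement parameters instead of being concatenated into the SQL text. This is an added example, not code from the Afterlogic module: it assumes PDO with the pdo_sqlite driver, uses an in-memory SQLite table as a stand-in for CyberPanel's e_users, and the function names and sample row are made up for illustration.

```php
<?php
// Added example, not Afterlogic module code. An in-memory SQLite database stands in
// for CyberPanel's MySQL "cyberpanel" database; only the e_users columns named in
// the post are modelled, and the sample row is constructed.

function cyberpanelPasswordHash(string $sPassword): string
{
    // Same format as in the post: bcrypt at cost 12 behind a {CRYPT} scheme prefix.
    return '{CRYPT}' . password_hash($sPassword, PASSWORD_BCRYPT, ['cost' => 12]);
}

function changeMailboxPassword(PDO $oDb, string $sEmail, string $sPassword): bool
{
    // Accept only logins of the form local@domain before touching the database.
    $aParts = explode('@', $sEmail);
    if (count($aParts) !== 2 || $aParts[0] === '' || $aParts[1] === '') {
        return false;
    }

    // Placeholders keep the login and the hash out of the SQL text entirely.
    $oStmt = $oDb->prepare(
        'UPDATE e_users SET password = :hash WHERE emailOwner_id = :domain AND email = :email'
    );
    $oStmt->execute([
        ':hash'   => cyberpanelPasswordHash($sPassword),
        ':domain' => $aParts[1],
        ':email'  => $sEmail,
    ]);

    // Exactly one mailbox must match; anything else is reported as a failure.
    return $oStmt->rowCount() === 1;
}

$oDb = new PDO('sqlite::memory:');
$oDb->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$oDb->exec('CREATE TABLE e_users (email TEXT PRIMARY KEY, emailOwner_id TEXT, password TEXT)');
$oDb->exec("INSERT INTO e_users VALUES ('alice@example.com', 'example.com', '{CRYPT}old')");

// Existing mailbox: one row is updated.
var_dump(changeMailboxPassword($oDb, 'alice@example.com', 'N3w-passphrase!'));
// A quote in the login is plain data here; no row matches and nothing is updated.
var_dump(changeMailboxPassword($oDb, "o'brien@example.com", 'N3w-passphrase!'));

// The stored value verifies once the {CRYPT} prefix is stripped.
$sStored = $oDb->query("SELECT password FROM e_users WHERE email = 'alice@example.com'")->fetchColumn();
var_dump(password_verify('N3w-passphrase!', substr($sStored, strlen('{CRYPT}'))));
```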

To configure the module, the first thing to do is press the “Update configuration” button in the Database Settings screen of adminpanel. Once that’s done, the ChangePasswordInMailServerDatabasePlugin.config.json file will appear under the data/settings/modules directory.

In that file, we’ll need to specify the credentials of the database used by CyberPanel: the database is called “cyberpanel” and the username is “root”. As for the root password, you can find it in the /etc/cyberpanel/mysqlPassword file; with newer versions of CyberPanel, you can also check the /root/.my.cnf file.

One last thing to do is set Disabled to false in data/settings/modules/ChangePasswordWebclient.config.json configuration file. And there we go, now you have Afterlogic WebMail installed on CyberPanel, and your users can change their email account passwords.

One additional thing I’d mention is that CyberPanel runs the OpenLiteSpeed web server, so data directory protection via the .htaccess file won’t work there. The easiest solution is to move the data directory out of public_html and create an inc_settings_path.php file with the new location specified – check this documentation page for detailed info.

Docker images update for Afterlogic products

A few years ago, we created Docker images for our WebMail Pro, Aurora Files and Aurora Corporate products. Sources were made available on GitHub. We’ve received really useful feedback about them, and have adopted some of the changes offered by the community.

Those images, however, were rather heavy as they used Ubuntu Linux, and all the components required for the product to work were bundled in, including MySQL. We have researched moving over to lightweight Alpine Linux, with Nginx used instead of Apache, and a few days ago we released new versions of the images:

The biggest change is that we’re now using official MySQL image, and thus, docker compose needs to be used to make things work – that’s not complicated at all, just a couple of commands, see Readme file for the image. And it’s best to build images from GitHub, to ensure you’re using the latest version of the product.

But if, for whatever reason, you still require legacy images which use Apache and Ubuntu, we’ve just published those separately, with -legacy appended to the image names (example for Aurora Files / GitHub source).

Installing CentOS 8 Linux for running MailSuite Pro or Aurora Corporate

Currently, we provide installer packages for MailSuite Pro for Linux as well as all-in-one edition of Aurora Corporate. We support Ubuntu Linux 20.04 and CentOS Linux 8.

If you’re going to install a new instance of CentOS 8, that will most likely result in an error setting up the base repository. That’s because CentOS 8 reached end-of-life on January 31, 2022; the CentOS team has disabled the official repositories for this version and moved them into a separate vault repository.

So you can still install this version, if you enable network in the installer, and specify https://vault.centos.org/8.5.2111/BaseOS/x86_64/os/ as a repository URL.

To use the yum package manager, you’ll need to point the system to the vault repository as well; that can be done by running the following commands:

sudo sed -i -e "s|mirrorlist=|#mirrorlist=|g" /etc/yum.repos.d/CentOS-*
sudo sed -i -e "s|#baseurl=http://mirror.centos.org|baseurl=http://vault.centos.org|g" /etc/yum.repos.d/CentOS-*

This solution was originally posted by Sergei in his blog. Please note that a system installed this way will not receive any updates. We’re now researching a better solution – either moving to CentOS Linux 7 or using some community repository of CentOS 8.

Message sorting in Afterlogic WebMail and Aurora Corporate

By default, Afterlogic WebMail and Aurora Corporate show newest mails first – however, it’s possible to sort mail messages differently, which includes reverse sort order.

Basic instructions for that can be found here. All you need to do is modify data/settings/modules/Mail.config.json file and set "MessagesSortBy" value as follows:

    "MessagesSortBy": [
        {
            "Allow": true,
            "List": [
                {
                    "SortBy": "arrival",
                    "LangConst": "LABEL_SORT_BY_DATE"
                },
                {
                    "SortBy": "from",
                    "LangConst": "LABEL_SORT_BY_FROM"
                },
                {
                    "SortBy": "to",
                    "LangConst": "LABEL_SORT_BY_TO"
                }
            ],
            "DefaultSortBy": "size",
            "DefaultSortOrder": "desc"
        },
        "array"
    ],

Once you do that, you’ll see a toolbar item added:

And now you can sort mail messages by those parameters, in ascending or descending order. "DefaultSortBy" and "DefaultSortOrder" define how the messages will be sorted by default.

Another popular request is sorting mail messages by their size. Assuming your IMAP server can do that, change "MessagesSortBy" value to:

    "MessagesSortBy": [
        {
            "Allow": true,
            "List": [
                {
                    "SortBy": "arrival",
                    "LangConst": "LABEL_SORT_BY_DATE"
                },
                {
                    "SortBy": "from",
                    "LangConst": "LABEL_SORT_BY_FROM"
                },
                {
                    "SortBy": "to",
                    "LangConst": "LABEL_SORT_BY_TO"
                },
                {
                    "SortBy": "size",
                    "LangConst": "LABEL_SORT_BY_SIZE"
                }
            ],
            "DefaultSortBy": "size",
            "DefaultSortOrder": "desc"
        },
        "array"
    ],

The button will now look like this:

OK, apparently we don’t have a text constant defined yet. Let’s change it. We need to edit language file under modules/MailWebclient/i18n directory, English.ini in this case. It should already have these lines:

LABEL_SORT_BY_DATE = "Date"
LABEL_SORT_BY_FROM = "Sender"
LABEL_SORT_BY_TO = "Receiver"

and we add one more:

LABEL_SORT_BY_SIZE = "Size"

To apply changes, purge data/cache/ directory content. Alternately, set "CacheLangs" to false in data/settings/config.json file so the translation files aren’t cached. If you followed the above steps, the button will now look like this:

Mailing lists issue in MailSuite Pro / Aurora MTA

We’ve found an issue with mailing lists in MailSuite Pro and MTA version of Aurora Corporate. Sometimes, mailing lists appeared as email accounts there.

To address the issue, locate Dovecot SQL configuration file. In current version 8, that’s /etc/dovecot/dovecot-sql.conf while in previous version that’s /opt/afterlogic/etc/dovecot/dovecot-sql.conf

In that file, locate the line that starts with:

user_query = 

And add AND awm_accounts.mailing_list = 0 before the final “;” character. For example:

user_query = SELECT DISTINCT LOWER(awm_accounts.email) as login, CONCAT('*:storage=', awm_accounts.mail_quota_kb) as quota_rule FROM (awm_accounts INNER JOIN awm_domains ON awm_accounts.id_domain = awm_domains.id_domain) WHERE (awm_accounts.email = CONCAT('%n', '@', '%d') OR awm_accounts.email = '%n') AND awm_domains.name = '%d' AND awm_accounts.deleted = 0 AND awm_accounts.mailing_list = 0;

In exactly the same way, adjust the line that starts with:

password_query = 

For example:

password_query = SELECT DISTINCT CONCAT('{SSHA256.hex}', awm_accounts.password) as password FROM awm_accounts INNER JOIN awm_domains ON awm_accounts.id_domain = awm_domains.id_domain WHERE (awm_accounts.email = CONCAT('%n', '@', '%d') OR awm_accounts.email = '%n') AND awm_domains.name = '%d' AND awm_accounts.deleted = 0 AND awm_accounts.mailing_list = 0;

Restart Dovecot to apply changes. For current version 8:

service dovecot restart

For previous version 7:

/opt/afterlogic/etc/init.d/dovecot.rc restart

Please don’t hesitate to contact us if you require any assistance.

Nextcloud integration revised

For a while now, we’ve been offering Nextcloud integration app that lets you have Afterlogic WebMail used as a solid part of Nextcloud environment. You can specify WebMail installation URL, users supply their email/password in settings, and upon clicking “Afterlogic” icon they’re automatically logged into WebMail.

This worked like a charm, but all of a sudden, with Nextcloud update to v21.0.1, attempts to log into WebMail resulted in rather scary “Internal Server Error”. We were honestly puzzled by this error, and as far as we could tell, the error only occurred when trying to include PHP API library of WebMail.

Upon researching this further, we decided that the best way to circumvent the problem is to get rid of the PHP API altogether and switch to using the Web API instead – WebMail itself uses it internally for pretty much all the requests.

We have just released v2.0.1 of Nextcloud connector. The bonus part is, those upgrading from previous versions will not have to reconfigure anything, it’ll work for them as expected – assuming they have Nextcloud and WebMail in the same domain. If you have them in different domains or even on different servers, POST authentication option is available for you.

The source code is available on GitHub, and we welcome your feedback there!

Office files viewer in Afterlogic WebMail and Aurora

To view files of office document formats such as .DOC or .XLSX, WebMail Pro and Aurora Corporate use an online viewer from Microsoft.

If you experience issues with viewing those files, you can try switching to a viewer from Google.

In data/settings/modules/OfficeDocumentViewer.config.json file, set ViewerUrl value as follows:

"ViewerUrl": [
    "https:\/\/docs.google.com\/gview?url=",
    "string"
]

Please note that in either case, your WebMail/Aurora installation needs to be accessible over the web, so that online viewer can have access to it.

We’re currently working on version 8.8 of WebMail Pro and Aurora Corporate. The new version will feature editing and viewing office documents with OnlyOffice Docs, so relying on an external document viewer will no longer be needed. Stay tuned!

ClamAV antivirus update for v7 of MailSuite/Aurora

If you’re using version 7 of MailSuite Pro or Aurora (MTA package), you may run into an issue when updating ClamAV databases with the freshclam tool. In that case, ClamAV needs to be updated.

The process should take about 5 minutes. ClamAV needs to be stopped first (and while it’s stopped mails cannot be delivered):
/opt/afterlogic/etc/init.d/clamav.rc stop

Upgrading instructions are as follows:
cd /tmp
mkdir clamav-update && cd clamav-update
wget https://afterlogic.com/download/afterlogic-clamav-update.tar.bz2
wget https://afterlogic.com/download/afterlogic-clamav-backup.sh

chmod +x afterlogic-clamav-backup.sh
./afterlogic-clamav-backup.sh
tar jxvf afterlogic-clamav-update.tar.bz2 -C /opt/afterlogic/
/opt/afterlogic/bin/freshclam

If you get the following error message:
/opt/afterlogic/bin/freshclam: error while loading shared libraries: libpcre2-8.so.0: cannot open shared object file: No such file or directory

run the following commands:
yum install pcre2 -y
/opt/afterlogic/bin/freshclam


Start ClamAV:
/opt/afterlogic/etc/init.d/clamav.rc start

If you run into any issues while performing the upgrade, feel free to request assistance at https://s.afterlogic.com/helpdesk/

Addressing DAV-related vulnerability in WebMail and Aurora

One of our valued customers reported a vulnerability in our products that potentially allows uploading and executing arbitrary files via the built-in DAV server used in WebMail Pro and Aurora Corporate. We’re now releasing updates for our products that close this vulnerability, and strongly recommend upgrading your installations to the latest version.

Below, you’ll find recommendations on how to address the issue on your existing installation of WebMail Pro or Aurora. Please note that while these changes were only tested with version 8.5.3, they should work for previous versions as well.

Before we proceed, we’d like to point out that disabling DAV access on the installation effectively closes the vulnerability, too. That’s done by setting Disabled to true in data/settings/modules/Dav.config.json file. Note that this will not affect the use of web interface or Aurora Mail / Aurora Files mobile apps as they work via API, not DAV. If you’d rather keep DAV enabled, please follow the below guidelines.

  1. In vendor/afterlogic/dav/lib/DAVServer.php file, locate function exec() and replace its code with:
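public function exec()
{
    $sRequestUri = empty($_SERVER['REQUEST_URI']) ? '' : \trim($_SERVER['REQUEST_URI']);

    // Serve the request only if the Dav module is enabled and the decoded URI contains no '../' sequence.
    // strpos() is compared with false explicitly, so a match at offset 0 is not read as "not found".
    if ($this->isModuleEnabled('Dav') && strpos(urldecode($sRequestUri), '../') === false)
    {
        parent::exec();
    }
    else
    {
        echo 'Access denied';
    }
}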

2. In vendor/afterlogic/dav/lib/DAV/Auth/Backend/Basic.php file, locate validateUserPass function and replace the line:

if (class_exists('\\Aurora\\System\\Api') && \Aurora\System\Api::IsValid())

with:

if (class_exists('\\Aurora\\System\\Api') && \Aurora\System\Api::IsValid() && $sUserName !== \Afterlogic\DAV\Constants::DAV_PUBLIC_PRINCIPAL && $sUserName !== \Afterlogic\DAV\Constants::DAV_TENANT_PRINCIPAL)

3. Similarly, in vendor/afterlogic/dav/lib/DAV/Auth/Backend/Digest.php file, locate getDigestHash function and replace the line:

if (class_exists('\\Aurora\\System\\Api') && \Aurora\System\Api::IsValid())

with:

if (class_exists('\\Aurora\\System\\Api') && \Aurora\System\Api::IsValid() && $sUserName !== \Afterlogic\DAV\Constants::DAV_PUBLIC_PRINCIPAL && $sUserName !== \Afterlogic\DAV\Constants::DAV_TENANT_PRINCIPAL)

Since some of our clients still use previous v7 of WebMail and Aurora, we chose to issue a security update for those as well. Note that if you don’t use DAV, you can simply disable it by setting EnableMobileSync to Off in data/settings/settings.xml file.

  1. In libraries/afterlogic/DAV/Server.php file, before the closing “}” add the following function:
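public function exec()
{
    $sRequestUri = empty($_SERVER['REQUEST_URI']) ? '' : \trim($_SERVER['REQUEST_URI']);
    // Serve the request only if the decoded URI contains no '../' sequence.
    // strpos() is compared with false explicitly, so a match at offset 0 is not read as "not found".
    if (strpos(urldecode($sRequestUri), '../') === false)
    {
        parent::exec();
    }
    else
    {
        echo 'Access denied';
    }
}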

2. In libraries/afterlogic/DAV/Auth/Backend/Basic.php file, locate validateUserPass function and replace the line:

if (class_exists('CApi') && \CApi::IsValid())

with:

if (class_exists('CApi') && \CApi::IsValid() && $sUserName !== \afterlogic\DAV\Constants::DAV_PUBLIC_PRINCIPAL && $sUserName !== \afterlogic\DAV\Constants::DAV_TENANT_PRINCIPAL)

3. Similarly, in libraries/afterlogic/DAV/Auth/Backend/Digest.php file, locate getDigestHash function and replace the line:

if (class_exists('CApi') && \CApi::IsValid())

with:

if (class_exists('CApi') && \CApi::IsValid() && $sUserName !== \afterlogic\DAV\Constants::DAV_PUBLIC_PRINCIPAL && $sUserName !== \afterlogic\DAV\Constants::DAV_TENANT_PRINCIPAL)
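
A stricter form of the request-URI check used in both exec() versions above (v8 and v7), as an added example rather than Afterlogic's code: isDavRequestUriSafe() is a hypothetical helper and the sample URIs are constructed. It goes slightly beyond the posted check by decoding repeatedly, treating backslashes as separators and matching whole ".." path segments.

```php
<?php
// Added example, not Afterlogic code: isDavRequestUriSafe() is a hypothetical helper,
// and the sample URIs at the bottom are constructed.

function isDavRequestUriSafe(string $sRequestUri): bool
{
    // Look at the path only; the query string is not part of the file path.
    $sPath = explode('?', trim($sRequestUri), 2)[0];

    // Decode until the value stops changing (bounded), so a path that was
    // percent-encoded more than once is judged in its final form.
    for ($i = 0; $i < 5; $i++) {
        $sDecoded = urldecode($sPath);
        if ($sDecoded === $sPath) {
            break;
        }
        $sPath = $sDecoded;
    }
    if (urldecode($sPath) !== $sPath) {
        return false; // still encoded after the bound: refuse rather than guess
    }
    if (strpos($sPath, "\0") !== false) {
        return false; // NUL bytes never belong in a DAV path
    }

    // Treat backslashes as separators, then reject any ".." path segment.
    // Comparing whole segments also covers a match at offset 0, which a
    // "!strpos(...)" test would read as "not found".
    foreach (explode('/', str_replace('\\', '/', $sPath)) as $sSegment) {
        if ($sSegment === '..') {
            return false;
        }
    }
    return true;
}

// Constructed sample request URIs: two ordinary paths and three with ".." segments.
$aSamples = [
    '/dav.php/files/personal/report.pdf',
    '/dav.php/files/personal/release..notes.txt',
    '/dav.php/files/personal/../other/file.txt',
    '/dav.php/files/personal/%2e%2e/other/file.txt',
    '/dav.php/files/personal/..%5Cother%5Cfile.txt',
];
foreach ($aSamples as $sUri) {
    printf("%-50s %s\n", $sUri, isDavRequestUriSafe($sUri) ? 'allow' : 'deny');
}
```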

Should you require any assistance, please don’t hesitate to contact us.

Using DAV sync on cPanel

One of the most attractive features of Afterlogic WebMail Pro and Aurora Corporate is mobile sync: it lets you access your contacts and calendars using a variety of mobile and desktop applications. For instance, you can use emClient on Windows – and on iOS, DAV sync is supported natively.

To make DAV sync work, webserver reconfiguration may be needed. Note that for WebMail Pro, the product has to be installed from ZIP package – using cPanel installer won’t allow for using advanced features like DAV access.

It’s quite common for our webmail products to be installed on hosting servers powered by cPanel. Even though reconfiguring webserver directly isn’t exactly an option, it’s still possible to make use of DAV there. As a part of WebMail Pro and Aurora Corporate packages, .htaccess file is shipped, and the following section of that file should make it possible to use DAV access.

RewriteEngine on
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]

By default, DAV access is performed via URL that’s obtained by appending /dav.php/ to the product installation URL. For some DAV clients, however, that’s not going to work, including CalDAV client on iOS devices – it needs a dedicated subdomain or port used for DAV access.

Fortunately, it’s fairly easy to do that, even without being able to play with web server configuration files.

  1. Create dav directory in WebMail/Aurora installation root.
  2. Using the cPanel web interface, create a subdomain pointing to the dav/ directory of WebMail Pro; you can name it dav.yourdomain.com or something like that.
  3. Copy dav.php file into dav/ directory, rename it into index.php, and modify its include_once line as follows:

    include_once '../system/autoload.php';

  4. Copy .htaccess file from WebMail Pro root to dav/ directory.
  5. Specify new URL in Mobile Sync area of admin interface, or directly in data/settings/modules/Dav.config.json file, ExternalHostNameOfDAVServer parameter.