Re: [habari-private] Security Contact


Chris Meller

Dec 2, 2008, 11:09:48 AM
to Habari - Dev
If we're going to use a form instead of having users mail security@hp.o directly, why do we need an email relay script? We could easily just set the email's FROM header to be security@hp.o, which is already set as a member of the list.

On Mon, Dec 1, 2008 at 10:22 PM, Sean Coates <se...@caedmon.net> wrote:

> Hi,
>
> Reading back a few threads, I see that we've not yet been able to
> successfully supply a method for users to report security problems,
> privately. I think this is very important to the integrity of Habari,
> especially as it gains more users.
>
> I understand that we have some problems with respect to this and
> Google Groups.
>
> So, I've taken the liberty of setting up habaris...@iconoclast.caedmon.net
> (my server)—it automatically rewrites the headers and sends mail to
> the private list (as you probably saw with my tests). Michael (Harris)
> helped me set up this first step. If this isn't cool, feel free to
> remove permission for this address from the list/group.
>
> Unfortunately, Google Groups hacks up the email and drops a bunch of
> headers (or so it seems), so I propose the following.
>
> Set up a "Report a security issue" link on hp.o (and link it in trac,
> if possible) that takes the user to a form that asks for:
> Name (optional), Email (optional), Description of vulnerability. The
> processor of this form is a script that collates the data and emails
> it (in the body) to habaris...@iconoclast.caedmon.net, which
> relays it to the private list.
>
> This bypasses the groups problem, keeps the address non-public and
> allows us to CC the reporter on replies (if we choose). As a policy, I
> think we should mail all reporters to let them know we've received
> their report.
>
> Thoughts? (perhaps this should be a thread on habari-dev?)
>
> S

--

Bob Dole  - "The internet is a great way to get on the net."

Sean Coates

Dec 2, 2008, 11:14:43 AM
to habar...@googlegroups.com
> If we're going to use a form instead of having users mail security@hp.o directly, why do we need an email relay script? We could easily just set the email's FROM header to be security@hp.o, which is already set as a member of the list.

Yeah, there was some concern about using a form instead of security@

If we go the form route, that's entirely possible. If we add security@, GG forces us to relay/rewrite.

I haven't touched the script yet.

S

Chris Meller

Dec 2, 2008, 1:18:46 PM
to habar...@googlegroups.com
If someone is concerned about anonymity, I think having a form on the website would be a good idea. There are tons of proxies, including things like Tor, available for protecting your privacy on the web. Doing something similar for email could be more troublesome (and spammy).

We would still want security@hp.o to be available, but having an additional form on the site would probably be a good thing.
--

Shelley Winters  - "Whenever you want to marry someone, go have lunch with his ex-wife."

Sean Coates

Dec 2, 2008, 1:25:16 PM
to habar...@googlegroups.com
> We would still want security@hp.o to be available, but having an additional form on the site would probably be a good thing.

I have no problem with this.. we might have to consider spam later, but for now, I think providing both is a good idea.

S
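
The form processor proposed earlier in the thread, as an added PHP example that is not code from the thread or from Habari: it sends with a fixed From address (the list-member idea) and lets the optional reporter address into a header only when it is a single valid address. Both addresses are placeholders, and using Reply-To for the reporter is this example's assumption.

```php
<?php
// Added example; both addresses are placeholders, not the project's real ones.
const RELAY_TO   = 'security-relay@example.org'; // stands in for the relay address
const FIXED_FROM = 'security@example.org';       // address the private list accepts

/**
 * Turn the submitted form fields into mail() arguments, or null if unusable.
 * Name and email are optional; the description is required.
 */
function build_report(array $post): ?array
{
    $name  = trim((string)($post['name'] ?? ''));
    $email = trim((string)($post['email'] ?? ''));
    $desc  = trim(str_replace("\r", '', (string)($post['description'] ?? '')));
    if ($desc === '') {
        return null;
    }
    // The name only appears in the body; collapse control bytes so it stays on one line.
    $name = preg_replace('/[\x00-\x1f\x7f]+/', ' ', $name);
    // The address goes into a header, so it must be one valid address with
    // no CR/LF, control bytes or list separators; otherwise it is discarded.
    if ($email !== '' && (preg_match('/[\x00-\x1f\x7f,;]/', $email)
            || filter_var($email, FILTER_VALIDATE_EMAIL) === false)) {
        $email = '';
    }
    $body = 'Reporter name: ' . ($name !== '' ? $name : '(not given)') . "\n"
          . 'Reporter email: ' . ($email !== '' ? $email : '(not given)') . "\n\n"
          . $desc . "\n";
    $headers = ['From: ' . FIXED_FROM];
    if ($email !== '') {
        $headers[] = 'Reply-To: ' . $email;
    }
    return [RELAY_TO, '[SECURITY] Report via web form', $body, implode("\r\n", $headers)];
}

// Constructed sample submission: the email field carries an extra header line.
$sample = [
    'name'        => 'Example Reporter',
    'email'       => "reporter@example.com\r\nBcc: someone@example.net",
    'description' => 'Constructed description text.',
];
$args = build_report($sample);
if ($args !== null) {
    echo $args[3], "\n"; // header block that would be handed to mail(...$args)
}
```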

Sean Coates

Dec 13, 2008, 10:57:42 AM
to habar...@googlegroups.com
> We would still want security@hp.o to be available, but having an additional form on the site would probably be a good thing.

So, this morning I was finally able to come up for air, and whipped up this script. It's not perfect, but I think it works for now (it's not yet MIME-aware). Basically, we just need secu...@habariproject.org to pipe mail to (an altered version of (at least the addresses need changing)) this script.

Thoughts?

S

===

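#!/usr/local/bin/php
<?php

// Read the whole piped message from stdin and normalise line endings.
$input = str_replace("\r", '', file_get_contents('php://stdin'));

// Headers and body are separated by the first blank line.
$parts = explode("\n\n", $input, 2);
if (count($parts) < 2 || !$parts[0] || !$parts[1]) {
    die();
}
list($headers, $body) = $parts;

$key = '';
$from = '';
$subject = '[SECURITY] ';
foreach (explode("\n", $headers) as $header) {
    if ($header !== '' && ($header[0] === ' ' || $header[0] === "\t")) {
        // Folded continuation line: append to the previous header's value.
        $val = $header;
    } elseif (strpos($header, ':') !== false) {
        // New header; the space after the colon is optional.
        list($key, $val) = explode(':', $header, 2);
        $val = ltrim($val);
    } else {
        // Not a header line.
        $key = '';
        continue;
    }
    switch (strtolower($key)) {
        case 'from':
            $from .= $val;
            break;
        case 'subject':
            $subject .= $val;
            break;
        default:
            // ignore
    }
}

// Only relay when From and Subject are plain printable ASCII; this also
// keeps control characters out of the headers passed to mail().
if (ctype_print($from) && ctype_print($subject)) {
    $body .= "\nOriginal headers:\n" . print_r($headers, true);
    $mailHeaders = "From: habar...@iconoclast.caedmon.net\nCc: " . $from;
    mail('scoate...@googlegroups.com', $subject, $body, $mailHeaders);
}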

Chris Meller

Dec 13, 2008, 11:21:46 AM
to habar...@googlegroups.com
And how do we get the mail to run through this script?

Sean Coates

Dec 13, 2008, 11:25:41 AM
to habar...@googlegroups.com
> And how do we get the mail to run through this script?

Depends what MTA is installed, but most will allow us to do something
like this in /etc/aliases:

security: |/path/to/script

(the script has to be in the appropriate location and must be +x)

It's working, currently, on my test setup (postfix).

S

Chris Meller

Dec 13, 2008, 11:27:59 AM
to habar...@googlegroups.com
Exim is the only thing currently running on hp.o (it's used for sending mail). Any ideas on it?

Sean Coates

Dec 13, 2008, 12:00:34 PM
to habar...@googlegroups.com
> Exim is the only thing currently running on hp.o (it's used for
> sending mail). Any ideas on it?

From what I can tell, this works with exim, but might need some setup
with the weird router and transport stuff that Exim does (and I
haven't run exim in years, so I really don't know).

Anyone else?

S

Chris Meller

Dec 13, 2008, 12:03:43 PM
to habar...@googlegroups.com
You're more than welcome to install something else on hp.o. Exim comes pre-installed and was the easiest to configure for outgoing-only, so I went with it. There's no particular attachment...

Sean Coates

Dec 13, 2008, 1:52:39 PM
to habar...@googlegroups.com
> You're more than welcome to install something else on hp.o. Exim
> comes pre-installed and was the easiest to configure for outgoing-
> only, so I went with it. There's no particular attachment...

Done. (-:
We now have a functioning secu...@habariproject.net (not .org yet).
Can someone please redirect the MX records for hp.o to point at the
same IP as www ?

S

ringmaster

Dec 14, 2008, 11:49:26 AM
to habari-dev
On Dec 13, 1:52 pm, Sean Coates <s...@caedmon.net> wrote:
>
> We now have a functioning secur...@habariproject.net (not .org yet).  
> Can someone please redirect the MX records for hp.o to point at the  
> same IP as www ?
>

There are no MX records on hp.n, if that's what you meant. Can you be
more explicit in what you want me to do so I don't screw stuff up?

Is there any way we could put whatever you're doing there on the hp.o
server itself, or is that where it is already?

Owen

Chris Meller

Dec 14, 2008, 2:00:17 PM
to habar...@googlegroups.com
It's there already. He means we need the hp.o MX record changed. We were just using hp.n for testing.

Sean Coates

Dec 14, 2008, 5:31:05 PM
to habar...@googlegroups.com
> There are no MX records on hp.n, if that's what you meant. Can you be
> more explicit in what you want me to do so I don't screw stuff up?
>
> Is there any way we could put whatever you're doing there on the hp.o
> server itself, or is that where it is already?


Hi,

Sorry this was unclear.

Please change the MX for hp.o to point at www.hp.o instead of google.

Thanks.

S

Caius Durling

Dec 15, 2008, 3:19:44 AM
to habar...@googlegroups.com
We're now getting spam through to -private due to security@ not being spam filtered. Why didn't we set up hp.o with google apps and just forward all mail from security@ to -private (or wherever)?

That would take care of both the spam issue effectively.

C


Chris Meller

Dec 15, 2008, 7:38:13 AM
to habar...@googlegroups.com
You can't just forward it, because then we'd have to accept emails from any address to -private (since we don't know the address it's coming from). We had to set up a script to "rewrite" or "redirect" them with a from address we knew so we could add that to the membership of -private.

Caius Durling

Dec 15, 2008, 7:53:09 AM
to habar...@googlegroups.com

On 15 Dec 2008, at 12:38, Chris Meller wrote:

> You can't just forward it, because then we'd have to accept emails from any address to -private (since we don't know the address it's coming from). We had to set up a script to "rewrite" or "redirect" them with a from address we knew so we could add that to the membership of -private.

Surely when you forward it, google apps changes the from address?

If not, why not go that route again, but have this script pick up new emails from the Gapps account so google is filtering spam for us.

Chris Meller

Dec 15, 2008, 8:15:14 AM
to habar...@googlegroups.com
On Mon, Dec 15, 2008 at 7:53 AM, Caius Durling <ca...@caius.name> wrote:

> On 15 Dec 2008, at 12:38, Chris Meller wrote:
>
>> You can't just forward it, because then we'd have to accept emails from any address to -private (since we don't know the address it's coming from). We had to set up a script to "rewrite" or "redirect" them with a from address we knew so we could add that to the membership of -private.
>
> Surely when you forward it, google apps changes the from address?

Nope, I was unable to achieve the functionality we need with google apps.

> If not, why not go that route again, but have this script pick up new emails from the Gapps account so google is filtering spam for us.

Because that would be horribly inefficient and a totally different approach from our current implementation?

That's why I set up the Google Apps account for hp.o in the first place, hoping we could get it to work like we needed it. Unless we do a regularly-scheduled IMAP check every x minutes, there's no way we could get security@hp.o to work from Google Apps, unless we maintained a separate distribution list independent of -private... which I don't think anyone really wants.

If you want to throw together a quick IMAP-checking script, I don't think anyone's feelings would be hurt if we tried it out. Sean wrote this one simply because it seemed the best way to handle what we needed it to handle at the time.

Caius Durling

Dec 15, 2008, 8:30:45 AM
to habar...@googlegroups.com

On 15 Dec 2008, at 13:15, Chris Meller wrote:

> Because that would be horribly inefficient and a totally different approach from our current implementation?
>
> That's why I set up the Google Apps account for hp.o in the first place, hoping we could get it to work like we needed it. Unless we do a regularly-scheduled IMAP check every x minutes, there's no way we could get security@hp.o to work from Google Apps, unless we maintained a separate distribution list independent of -private... which I don't think anyone really wants.
>
> If you want to throw together a quick IMAP-checking script, I don't think anyone's feelings would be hurt if we tried it out. Sean wrote this one simply because it seemed the best way to handle what we needed it to handle at the time.

I was just trying to think of a way to filter the spam out easily. Are there any spam filtering plugins/scripts for the mailserver we're running on the slice (exim?)

Chris Meller

Dec 15, 2008, 9:28:30 AM
to habar...@googlegroups.com
I believe Sean set up postfix to receive the mail. I don't know if exim is still in the mix at all.

Running a spam filter is usually a CPU-intensive task, so if we could avoid sticking that on our slice that'd probably be best. If that's the only other option, I'd much rather use Google Apps with an IMAP check...

Matthias Bauer

Dec 15, 2008, 9:39:08 AM
to habar...@googlegroups.com
Caius Durling wrote:
>
> On 13 Dec 2008, at 18:52, Sean Coates wrote:
>
>>
>>> You're more than welcome to install something else on hp.o. Exim
>>> comes pre-installed and was the easiest to configure for outgoing-
>>> only, so I went with it. There's no particular attachment...
>>
>> Done. (-:
>> We now have a functioning secu...@habariproject.net
>> <mailto:secu...@habariproject.net> (not .org yet).
>> Can someone please redirect the MX records for hp.o to point at the
>> same IP as www ?
>
> We're now getting spam through to -private due to security@ not being
> spam filtered. Why didn't we set up hp.o with google apps and just
> forward all mail from security@ to -private (or wherever)?

Put fetchmail on a cron and use the script as the local delivery agent
for that account (via .forward, .procmailrc or whatever)?

-Matt

Sean Coates

Dec 15, 2008, 10:04:57 AM
to habar...@googlegroups.com
> I believe Sean set up postfix to receive the mail. I don't know if
> exim is still in the mix at all.

Correct, no more exim. If someone wants to make it work via imap or
exim, my feeling would in fact not be hurt. I was merely trying to
solve the problem, and apart from a few spams to security@ (which I'm
happy to ignore in the short term), it seems to be working.

> Running a spam filter is usually a CPU-intensive task, so if we
> could avoid sticking that on our slice that'd probably be best. If
> that's the only other option, I'd much rather use Google Apps with
> an IMAP check...

Agreed. On my box, the main resource hog is spam filtering.

S

ringmaster

Dec 15, 2008, 8:08:57 PM
to habari-dev
On Dec 15, 10:04 am, Sean Coates <s...@caedmon.net> wrote:
>
> Correct, no more exim. If someone wants to make it work via imap or  
> exim, my feeling would in fact not be hurt. I was merely trying to  
> solve the problem, and apart from a few spams to security@ (which I'm  
> happy to ignore in the short term), it seems to be working.

I have a solution for this that will work long-term and won't require
that we bounce emails through GMail. I may need to change the
incoming port on the email service.

Anyway, I'll hook it up tomorrow.

Owen

ringmaster

Dec 15, 2008, 9:10:15 PM
to habari-dev
On Dec 15, 8:08 pm, ringmaster <epit...@gmail.com> wrote:
>
> Anyway, I'll hook it up tomorrow.

Or... as soon as the registration comes in.

It's all hooked up now. Email to security@hp.o is routed through
Google/Postini before it hits our server.

The only thing that potentially remains is to close incoming requests
to port 25 on hp.o except from Google/Postini, but unless we see a
spam problem where spammers are connecting directly to the hp.o server
(which is no longer the destination of the MX records), we probably
don't need to worry about that at least for a while.

Owen