Hmailserver Vulnerabilities
Octaviano Collars
Summary: hMailServer is an open-source mail server for Windows. Any webmail system which supports IMAP, SMTP, and POP3 can be used with hMailServer. We have hardened this image for production-ready consumption and secured the image from all existing vulnerabilities.
Subscribe to our offering and start consuming the hMailServer in minutes. Easy to onboard, no installation required. Some basic concepts and terminology, SMTP SMTP stands for Simple Mail Transfer Protocol. SMTP is used when email is delivered from an email client, such as Outlook Express, to an email server or when email is delivered from one email server to another. The port may be 25 or 587 depending on your SMTP.
IMAPIMAP stands for Internet Message Access Protocol. It, too, is a protocol that an email client can use to download email from an email server. The IMAP protocol is designed to let users keep their email on the server. IMAP requires more disk space on the server and more CPU resources than POP3, as all emails are stored on the server. IMAP normally uses port 143.
In order to use the application to a full extent one must have existing domain details or they have to create a domain. Please create a domain of your own in any of the sites, there is a cost to create these domains which ranges from 99 cents onwards. Once you create a domain the next step is to set the mx value for that domain in the DNS settings. The vendor who provided the domain will give you access to the DNS settings through their console. Once you get this access set the public DNS name of the instance where you are running the Hmail server in the mx value and set the priority to 10.
BeSTORM is a black box fuzzer, a method of dynamic application security testing, that uncovers unknown security weaknesses during the product development stage, so fixes can be made before a product is launched. This chaos testing style requires no source code to run and offers more than 250 pre-built protocols and modules or the option for custom protocols.
BeSECURE is a vulnerability assessment and management solution. It enables your security team to accurately identify known vulnerabilities, using threat intelligence to prioritize them by risk. This allows the team to focus on the vulnerabilities that pose the highest risk to your infrastructure and cut through the false positives and low-priority weaknesses.
Compliance standards always emerge and evolve. Using a black box fuzzer tool during development, uncovering unknown and undiscovered vulnerabilities can keep your application ahead of any additional security regulations.
Nearly every industry relies on applications and networks to conduct business, though some have more stringent security requirements than others. Organizations in the aviation, automotive, healthcare, and financial sectors have some of the strongest security regulations. Layers of security during software and application development as well as after product deployment are necessary to keep consumers safe and organizations compliant.
Cybersecurity is crucial to the aviation industry. Travelers in the sky need to be protected from any attacks that can prevent airlines from operating normally. Those same customers need to have their payment and sensitive data protected when purchasing a ticket.
Wireless connectivity is becoming commonplace inside of new vehicles. Automotive connectivity to WIFI and Bluetooth are making vehicles a bigger target for cybercriminals. One vulnerability can take down any vehicle with that technology. DAST, Black Box Fuzzing, and SAST during development are a solid foundation of security to prevent these attacks.
Wireless technology and application software are being used more in medical devices to automate and monitor individual healthcare needs. Device security is the utmost priority, preventing risks that can directly endanger lives. Application security is needed to prevent cyber attackers from tampering with devices and stealing private healthcare data. SAST and DAST during development can help find vulnerabilities that can compromise these devices.
Manufacturing industries keep building and assembling essential pieces for everyday life. Any attack on that automation would create a bottleneck in multiple industries that rely on these products. A disruption in manufacturing has been proven to drive up prices and create a negative workflow ripple worldwide. Using layered security solutions prior to deployment and scanning afterwards will help prevent any shutdown.
Financial institutions are still top cyberattacker targets. Monetary apps for banks, credit unions, investment, and retirement firms need the highest cybersecurity measures. Security that prevents cyberattacks should be implemented during development and embedded directly into these applications. Compliance for this industry is only growing with each reported breach.
I'm using hmailserver on a standalone Server 2019 (not a DC). It's for internal mail only, and that's it. So set up for SSL/TLS on port 465 and STARTTLS on port 143 using a self-signed e-mail cert. There's no problem receiving, but unable to send e-mail with a a warning that the certificate can't be verified. Tried to "solve" the problem and I was unable to after a few hours. Overall, I'm not yet convinced where the problem is - the hmailserver program or the Thunderbird program. So time for a new approach. Instead of trying to figure out why it won't work, what can I do to "make" it work? So with a new approach I decided to see if I could find a work-around. I did.
Copy the above to a new line, and the only thing you need to change is the port number. In my case, I changed it from port 143 to port 465 since that's what I use on the hmailserver program for the SMTP port. Then save the file. Now now the file looks like this:my.mail.server:143OID.2.16.840.1.101.3.4.2.1CE:D6:4C: (buch of key gibberish after this)my.mail.server:465OID.2.16.840.1.101.3.4.2.1CE:D6:4C: (buch of key gibberish after this)Now you can restart Thunderbird and when you check the certificate exceptions you'll see the cert listed twice - once for the incoming port and again for the outgoing port. I now have no problem receiving "or" sending e-mail through my end-to-end encrypted hmailserver program.
Thanks for the addition. There have been a few reports of the bug on this forum, so it will help others until it's fixed in the release version. Bugzilla is mainly for developers, but users are certainly welcome to submit bugs, workarounds and requests for new features.
Thank you so much for posting this!! I was going crazy because TB78 wouldn't confirm the security exception (which I need for one of my clients) and TB68 wouldn't work with outlook multi factor authentication (which I needed for another). I have literally spent all day on this and tried claw mail, evolution, mailspring and countless hours on this.
to submit outbound emails into your mail-sever , if you choose port 465 ( aka SMTPS = Mail-Submission Over TLS/SSL ) then you should choose TLS/SSL security/encryption, but if you choose port 587 then you should normally choose StartTLS security/encryption. but mail-server can be configured to use TLS/SSL for port 587 too. avoid using StartTLS, as that has bugs+vulnerabilities+backdoors.
those who are inside residential/home internet connection line , they cannot use port 25 to submit outbound emails into their mail-servers , unless the user calls the ISP & removes the port 25 related restrictions, etc . users with such internet connection line, must use port 465 or 587, etc to submit outgoing/outbound emails to mail-server.
v68 series TB supports older/unsafe TLS security/encryption by default . can be manually configured to disable that. v78 series TB does not support older/unsafe TLS security/encryption by default . can be manually configured to enable that.
you/user can create own root certificate by yourself/ownself to use it as a CA (certificate authority) root certificate , then you/user can create other certificates under that root cert, for example, certificate(s) for your mail-server, web-server, etc. if you load that CA root cert in TB & in mail-server's (hmailserver in windows) root cert collection/database , then various certificate handling operations become bit more easier.
Alpha Ransomware
Alpha, a ransomware that emerged in February 2023, has intensified its operations in the past few weeks. Researchers have recently identified significant resemblances between the Alpha ransomware and the long-defunct NetWalker ransomware, which vanished in January 2021 following an international law enforcement operation.
Connection with the NetWalker ransomware.
When analyzing Alpha, researchers discovered notable similarities with the outdated NetWalker ransomware. Both threats employ a similar loader based on PowerShell to deliver their payloads.
Upon installing the MDM profile, cybercriminals acquire unauthorized control over the device, exploiting features like remote wipe, device tracking, and application management. This control allows them to install malicious applications and gather the necessary information. Notably, the GoldPickaxe.iOS malware, integrated into the MDM abuse scheme, masquerades as a Thai government service app, adding a layer of deception to its malicious activities.
GoldPickaxe.Android
The GoldPickaxe Android variant exhibits greater functionality compared to its iOS counterpart, masquerading as over 20 different applications from various sectors in Thailand, enabling the theft of login credentials from government, financial, and utility services. This variant, potentially an evolved form of GoldDiggerPlus, retains unused functions. Upon entering the username and phone number on the initial login page, victims set a password for the Digital Pension app, undergoing password validation. Subsequently, the application prompts users to enable Accessibility Service in the Settings page.