hMailServer web-interface redesign

AndyW
New user
Posts: 5
Joined: 2017-01-07 09:57

Re: hMailServer web-interface redesign

Postby AndyW » 2017-01-20 18:58

Can anyone tell me where to change the link to webmail?

Currently it is set as webmail.domain.com in the interface, but my webmail resides at domain.com/webmail

Thank you :)

coax
Normal user
Posts: 36
Joined: 2016-12-22 16:35
Location: Croatia

Re: hMailServer web-interface redesign

Postby coax » 2017-01-20 21:18

AndyW wrote:Can anyone tell me where to change the link to webmail?

Currently it is set as webmail.domain.com in the interface, but my webmail resides at domain.com/webmail

Thank you :)


It's inside include_treemenu.php line 28. This was a test and will be in config file in future.

coax
Normal user
Posts: 36
Joined: 2016-12-22 16:35
Location: Croatia

Re: hMailServer web-interface redesign

Postby coax » 2017-01-20 23:07

New version available! Download v0.9.5 beta

One of the changes is a new definition in config.php called "webmail". Its description is in config-dist.php.

What's new:
[fix] server start/stop button
[fix] minor typos in pages
[fix] invisible checkboxes
[fix] some mobile submenus unresponsive to click
[tweak] XHTML to HTML5 declaration
[tweak] more things translated
[new] removed all old JS and CSS
[new] count TCP/IP ports in menu
[new] define webmail link in config.php
[new] external accounts inside account

tester02
New user
Posts: 24
Joined: 2016-04-09 23:28

Re: hMailServer web-interface redesign

Postby tester02 » 2017-01-20 23:50

In the dropdown menu for the user status, only the options matching the user's level of rights get displayed.
And for the "usual" user, Enabled / Disabled is explained by the status.

hm_account.php

Code:

        <p><?php EchoTranslation("Administration level")?></p>
        <select name="accountadminlevel" <?php if ($admin_rights == 0) echo " disabled ";?> class="medium">
        <?php
        // Offer only the levels the logged-in user may assign.
        // Level 0 (user) is always listed; the select itself is disabled for plain users.
        if ($admin_rights >= 0) {
          echo '<option value="0"';
          if ($accountadminlevel == 0) echo " selected ";
          echo '>'.$str_user.'</option>';
        }
        // Level 1 (domain) is listed when $admin_rights is 1.
        if ($admin_rights == 1) {
          echo '<option value="1"';
          if ($accountadminlevel == 1) echo " selected ";
          echo '>'.$str_domain.'</option>';
        }
        // Level 2 (server) is listed for server administrators only.
        if (hmailGetAdminLevel() === ADMIN_SERVER) {
          echo '<option value="2"';
          if ($accountadminlevel == 2) echo " selected ";
          echo '>'.$str_server.'</option>';
        }
        ?>
        </select>
<?php
   // Administrators get an editable "Enabled" checkbox; plain users only see the status as text.
   if ($admin_rights)
      PrintCheckboxRow("accountactive", "Enabled", $accountactive);
   else {
        if ($accountactive == 1)
            echo '<p>'.$obLanguage->String("Status").': '.$obLanguage->String("Enabled").'</p>';
        else
            echo '<p>'.$obLanguage->String("Status").': '.$obLanguage->String("Disabled").'</p>';
   }
?>

RvdH
Senior user
Posts: 457
Joined: 2008-06-27 14:42
Location: Netherlands

Re: hMailServer web-interface redesign

Postby RvdH » 2017-01-28 13:57

Version 5.6.7 - Build 2407 BETA (2017-01-26)

  • Various security-related improvements have been made to hMailServer WebAdmin, primarily to reduce the risk of attacks using XSS and CSRF.
  • OpenSSL has been upgraded to 1.0.2k
https://build.hmailserver.com/viewType. ... ilServer56
CIDR to RegEx: d-fault.nl/CIDRtoRegEx
DNS Lookup: d-fault.nl/DNSTools
DNSBL Lookup: d-fault.nl/DNSBLLookup
GEOIP Lookup: d-fault.nl/GeoipLookup

RvdH
Senior user
Posts: 457
Joined: 2008-06-27 14:42
Location: Netherlands

Re: hMailServer web-interface redesign

Postby RvdH » 2017-01-28 14:48

RvdH wrote:Version 5.6.7 - Build 2407 BETA (2017-01-26)

  • Various security-related improvements have been made to hMailServer WebAdmin, primarily to reduce the risk of attacks using XSS and CSRF.
  • OpenSSL has been upgraded to 1.0.2k
https://build.hmailserver.com/viewType. ... ilServer56


All changes to PhpWebAdmin listed here:

https://github.com/hmailserver/hmailser ... 5c96e2d5d2

coax
Normal user
Posts: 36
Joined: 2016-12-22 16:35
Location: Croatia

Re: hMailServer web-interface redesign

Postby coax » 2017-01-30 19:09

Hey all, new version available: Download v0.9.6 beta

Changelog:
[new] view queued messages source (click on message ID)
[new] merged security improvements from Version 5.6.7 - Build 2407 BETA
[tweak] renamed from PHPWebAdmin to hMailAdmin
[tweak] javascripts and fonts no longer loaded remotely (due to security restrictions)
[fix] live refresh of queued messages on dashboard
[fix] typo in hm_tcpipport.php

katip
Senior user
Posts: 449
Joined: 2006-12-22 07:58
Location: Istanbul

Re: hMailServer web-interface redesign

Postby katip » 2017-01-30 19:59

coax wrote:Hey all, new version available: Download v0.9.6 beta

trivial but for the sake of integrity...
IP ranges expire date format comes as DD-MM-YYYY (required YYYY-MM-DD)
OTOH Users auto-reply "Automatically expires" is ok.
Looks good btw, thanks!
Katip
--
HMS 5.6.6.2383, MySQL 5.5.46, SpamAssassin 3.4.1, ClamAV 0.99.2 + SaneS & SecuriteI

mattg
Moderator
Posts: 17430
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: hMailServer web-interface redesign

Postby mattg » 2017-01-31 00:09

katip wrote:
coax wrote:Hey all, new version available: Download v0.9.6 beta

trivial but for the sake of integrity...
IP ranges expire date format comes as DD-MM-YYYY (required YYYY-MM-DD)

They should be in local time format I'd think.
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

katip
Senior user
Posts: 449
Joined: 2006-12-22 07:58
Location: Istanbul

Re: hMailServer web-interface redesign

Postby katip » 2017-01-31 05:42

mattg wrote:They should be in local time format I'd think.

yes, IMO local format would be better (in hMailAdmin.exe they're in YYYY-MM-DD format though).
but in either case they should appear same in all sections i meant.
pls see images.
Attachments: download.png (IP-ranges), download (1).png (auto-reply)

coax
Normal user
Posts: 36
Joined: 2016-12-22 16:35
Location: Croatia

Re: hMailServer web-interface redesign

Postby coax » 2017-01-31 12:27

katip wrote:
coax wrote:Hey all, new version available: Download v0.9.6 beta

trivial but for the sake of integrity...
IP ranges expire date format comes as DD-MM-YYYY (required YYYY-MM-DD)
OTOH Users auto-reply "Automatically expires" is ok.

These are the same as in original PHPWebAdmin. I agree they should be consistent and will be fixed in next release. Please check all the sections to look for more of these and let me know.

coax
Normal user
Posts: 36
Joined: 2016-12-22 16:35
Location: Croatia

Re: hMailServer web-interface redesign

Postby coax » 2017-02-01 12:51

v0.9.7 available for download

Changelog:
[tweak] convert all dates to ISO (YYYY-MM-DD HH:MM:SS) for consistency
[tweak] dashboard optimizations in JSON
[fix] typo in background_account_save.php
[fix] minor fixes in validation fields

jwbowers
New user
Posts: 2
Joined: 2017-02-02 04:07

Re: hMailServer web-interface redesign

Postby jwbowers » 2017-02-02 04:31

First of all... @coax - NICE JOB!
This is a project I had considered tackling myself a number of times, but just never got around to it. I'm a .NET developer who knows very little about PHP, but now that I know that this project exists, I will be glad to contribute however I can.

I loaded up the most recent beta on my server tonight and gave it a test... there are a few things I noticed, so I'll provide some feedback.

I use greylisting on my server, but I occasionally use the webAdmin interface to turn it off temporarily. I noticed that in the "DOMAINS > [my domain] > Greylisting" settings, the box is not checked for any of my domains, even though I have verified that it is enabled.

When I click on "IP Ranges" from the menu and see the list appear in the main panel, the "Expires (min)" is showing the number of minutes until the ban expires. Is that correct? Yet, when I click on range to show the details, I can see the expiration date/time in ISO format. That is much more intuitive than the number of minutes.

Finally, I was excited to see a log parser on the menu! Examining the logs remotely is something I've wanted to be able to do from time to time. When I tried it out, however, it prompted me to select a file... which was coming from my desktop machine, not the mail server. Is it possible to add a configuration setting to specify the log file location on the server and then be able to browse and select a log file to parse?

coax
Normal user
Posts: 36
Joined: 2016-12-22 16:35
Location: Croatia

Re: hMailServer web-interface redesign

Postby coax » 2017-02-02 11:35

jwbowers wrote:I use greylisting on my server, but I occasionally use the webAdmin interface to turn it off temporarily. I noticed that in the "DOMAINS > [my domain] > Greylisting" settings, the box is not checked for any of my domains, even though I have verified that it is enabled.

Already fixed for next version.

When I click on "IP Ranges" from the menu and see the list appear in the main panel, the "Expires (min)" is showing the number of minutes until the ban expires. Is that correct? Yet, when I click on range to show the details, I can see the expiration date/time in ISO format. That is much more intuitive than the number of minutes.

I agree, just minutes is not that intuitive and hard to get. I'll change it to something simpler.

Finally, I was excited to see a log parser on the menu! Examining the logs remotely is something I've wanted to be able to do from time to time. When I tried it out, however, it prompted me to select a file... which was coming from my desktop machine, not the mail server. Is it possible to add a configuration setting to specify the log file location on the server and then be able to browse and select a log file to parse?

The implemented log viewer is something I found on GitHub; it's a simple JS/HTML5 parser of an uploaded file (better something than nothing, right?). A server-side log parser doesn't exist, and I agree that it is one of the most important things this web admin is lacking. As I'm also an ASP programmer, I hope someone will join the project and code the true log parser we all badly need - I have also had it in the roadmap since the initial release.

The solution for server-side log viewer would be for someone to code:
- Dropdown with date selection (so parser would read only that log).
- Another dropdown with options POP3, delivery, etc (so parser would filter only that event).
- Text field (so we can filter out single e-mail).
- Search button.
- Textarea with results.
This would, of course, need a good understanding of the HMS API and PHP to read the Log folder contents.

Thanks for your input.
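
A minimal server-side reader for the viewer outlined in the list above, as an added example (not code from hMailAdmin or hMailServer). Log lines contain text sent by remote clients, so the date is validated before it becomes a file name and every line is HTML-escaped before display. Assumptions: daily files named hmailserver_YYYY-MM-DD.log, tab-separated fields with the quoted event type first, PHP 7.1 or later; the function names, the event-type list, the log directory and the sample lines are constructed.

```php
<?php
// Added example: server-side log filter with validated input and escaped output.
// Assumptions (not from the thread): daily files named hmailserver_YYYY-MM-DD.log,
// tab-separated fields, first field is the quoted event type. PHP 7.1 or later.

const LOG_TYPES = ['SMTPD', 'SMTPC', 'POP3D', 'IMAPD', 'TCPIP', 'APPLICATION', 'ERROR'];

// Map the value of the date dropdown to a file in $logDir; null if it is not a real date.
function logFileForDate(string $logDir, string $date): ?string
{
    // Round-trip check: rejects '2017-02-30', '2017-2-3' and anything carrying path characters.
    $d = DateTimeImmutable::createFromFormat('!Y-m-d', $date);
    if ($d === false || $d->format('Y-m-d') !== $date) {
        return null;
    }
    return rtrim($logDir, '/\\') . DIRECTORY_SEPARATOR . 'hmailserver_' . $date . '.log';
}

// Return the matching lines, HTML-escaped, from any iterable of raw log lines.
function filterLogLines(iterable $lines, ?string $type, string $keyword = '', int $limit = 500): array
{
    // The event type comes from a dropdown, but the server still checks it against the list.
    if ($type !== null && !in_array($type, LOG_TYPES, true)) {
        throw new InvalidArgumentException('Unknown event type');
    }
    $out = [];
    foreach ($lines as $line) {
        $line = rtrim((string) $line, "\r\n");
        if ($line === '') {
            continue;
        }
        $fields = explode("\t", $line);
        if ($type !== null && trim($fields[0], '"') !== $type) {
            continue;
        }
        if ($keyword !== '' && stripos($line, $keyword) === false) {
            continue;
        }
        // Escape at output time: the line may carry markup supplied by a remote client.
        $out[] = htmlspecialchars($line, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        if (count($out) >= $limit) {
            break;          // cap the result so one request cannot dump a huge log
        }
    }
    return $out;
}

// Glue for the search button: date + type + keyword in, escaped lines out.
function readLog(string $logDir, string $date, ?string $type, string $keyword): array
{
    $path = logFileForDate($logDir, $date);
    if ($path === null || !is_file($path)) {
        return [];
    }
    return filterLogLines(new SplFileObject($path, 'r'), $type, $keyword);
}

// Constructed sample lines (not real log data); the second one carries markup in MAIL FROM.
$sample = [
    "\"SMTPD\"\t2180\t14\t\"2017-02-03 21:40:11.120\"\t\"203.0.113.7\"\t\"RECEIVED: HELO mail.example.net\"",
    "\"SMTPD\"\t2180\t15\t\"2017-02-03 21:40:12.530\"\t\"203.0.113.9\"\t\"RECEIVED: MAIL FROM:<script>x</script>\"",
    "\"POP3D\"\t2204\t16\t\"2017-02-03 21:41:02.004\"\t\"198.51.100.4\"\t\"RECEIVED: USER bob@example.com\"",
];

foreach (filterLogLines($sample, 'SMTPD', '203.0.113.9') as $row) {
    echo $row, PHP_EOL;
}

// A value that is not a date never reaches the file system (hypothetical log directory).
var_dump(logFileForDate('C:\\hMailServer\\Logs', '../../Data'));
```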

coax
Normal user
Posts: 36
Joined: 2016-12-22 16:35
Location: Croatia

Re: hMailServer web-interface redesign

Postby coax » 2017-02-03 21:58

Hey y'all, I just published new release on GitHub. Download v0.9.8 beta here

@tunis and me put our brains together and made an awesome log parser that directly parses server files; you can choose log date, event type and even filter by keywords (a question mark next to IP opens IP2Country page to see where that request came from).


Changelog:
[new] powerful log parser (using server-side logs)
[new] datepicker for date fields
[tweak] IP Ranges expiry date more friendly
[fix] greylisting checkbox in hm_domain.php

There might be some minor fixes in the following days, but I think this is last "major" beta release before publishing "stable" v1.0 (keep them feedback coming).
Sadly, I haven't got PM reply from @martin and I don't know what's his opinion on this... this project would be a great addition to next HMS release giving it "pro" look and attract more potential customers.

mattg
Moderator
Posts: 17430
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: hMailServer web-interface redesign

Postby mattg » 2017-02-04 00:57

Looking good

I like the log viewer

some little things:-
#1 in log viewer 'TCP/IP' should all be capital letters
#2 expiry dates in IP ranges show 2 months and 7 months, when my autoban setting is for 7 days.
In the admin GUI the dates show as '5/02/2017 10:09:13 PM' and '10/02/2017 3:42:35 AM', and date today (for me) is 4th Feb 2017, so the expires in times should be 1 day and 6 days
#3 the 'Server' graph on the dashboard still doesn't say what it is graphing, and what the values are
#4 in the processed messages graphic, can the 'virus' messages also be counted, and shown as say red on the wheel graph
#5 the login is saved across browser sessions, ie when I close my browser and re-open it I remain logged in. I'd rather that the browser used session cookies so that if I access this from a strange computer that the login doesn't happen automatically when someone else opens the browser and goes through my history, irrespective of whether or not I log out. I see that this uses the same cookies as the PHPWebAdmin - you log into one then you log into both, so maybe this is also an issue with the regular PHPWebAdmin

edit: yep confirmed that PHPWebAdmin has same cookie issue

tunis
Normal user
Posts: 141
Joined: 2015-01-05 20:22
Location: Sweden

Re: hMailServer web-interface redesign

Postby tunis » 2017-02-04 13:18

mattg wrote:Looking good
#5 the login is saved across browser sessions, ie when I close my browser and re-open it I remain logged in. I'd rather that the browser used session cookies so that if I access this from a strange computer that the login doesn't happen automatically when someone else opens the browser and goes through my history, irrespective of whether or not I log out. I see that this uses the same cookies as the PHPWebAdmin - you log into one then you log into both, so maybe this is also an issue with the regular PHPWebAdmin


When I close my browser and re-open it, I'm not logged in.
I have looked at the PHP session cookie in Fiddler and I get a different ID every time I restart the browser.
HMS 5.6.6 B2383.7 on Windows Server 2016 Core VM.
HMS 5.6.7 B2407.9 on Windows Server 2012 R2 Core VM.

coax
Normal user
Posts: 36
Joined: 2016-12-22 16:35
Location: Croatia

Re: hMailServer web-interface redesign

Postby coax » 2017-02-04 15:01

mattg wrote:#1 in log viewer 'TCP/IP' should all be capital letters

Fixed for next release.

#2 expiry dates in IP ranges show 2 months and 7 months, when my autoban setting is for 7 days.
In the admin GUI the dates show as '5/02/2017 10:09:13 PM' and '10/02/2017 3:42:35 AM', and date today (for me) is 4th Feb 2017, so the expires in times should be 1 day and 6 days

I can't reproduce that. It ain't due to timezone, strange.

#3 the 'Server' graph on the dashboard still doesn't say what it is graphing, and what the values are

It's all open sessions and graph is there just to look nice. I can't make it better due to Chartist.js limitations, hence the PayPal donation link to buy Grafs.js community license and replace Chartist with Grafs in the future.

#4 in the processed messages graphic, can the 'virus' messages also be counted, and shown as say red on the wheel graph
They are being shown, but cannot be colored red. Same reason as above.

#5 the login is saved across browser sessions, ie when I close my browser and re-open it I remain logged in. I'd rather that the browser used session cookies so that if I access this from a strange computer that the login doesn't happen automatically when someone else opens the browser and goes through my history, irrespective of whether or not I log out. I see that this uses the same cookies as the PHPWebAdmin - you log into one then you log into both, so maybe this is also an issue with the regular PHPWebAdmin

edit: yep confirmed that PHPWebAdmin has same cookie issue

hMailAdmin uses same backend and logic as PHPWebAdmin.
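
The settings that decide the behaviour discussed in #5, as an added example rather than hMailAdmin or PHPWebAdmin code. It assumes PHP 7.3 or later and HTTPS; the session name, cookie path, idle limit and function names are hypothetical.

```php
<?php
// Added example: a login cookie that ends with the browser session, backed by a
// server-side idle limit. Assumptions: PHP 7.3+ (array form of the cookie options),
// HTTPS, and hypothetical names for the session, the path and the functions.

const IDLE_LIMIT = 900; // seconds without a request before the login is dropped

function startAdminSession(): void
{
    // A separate name and path keep this login apart from a PHPWebAdmin
    // installation on the same host, so logging into one does not log into both.
    session_name('hmailadmin');
    session_set_cookie_params([
        'lifetime' => 0,               // 0 = session cookie, sent without an expiry date
        'path'     => '/hmailadmin/',  // hypothetical install path
        'secure'   => true,            // only sent over HTTPS
        'httponly' => true,            // not readable from JavaScript
        'samesite' => 'Strict',        // not sent on cross-site requests
    ]);
    ini_set('session.use_strict_mode', '1'); // refuse session ids the server did not issue
    session_start();

    // A browser that restores its tabs on start-up can keep session cookies alive,
    // so the server enforces its own timeout as well.
    $now = time();
    if (isset($_SESSION['last_seen']) && $now - $_SESSION['last_seen'] > IDLE_LIMIT) {
        $_SESSION = [];                // drop the stale login
        session_regenerate_id(true);   // and retire the old session id
    }
    $_SESSION['last_seen'] = $now;
}

function loginSucceeded(string $username): void
{
    session_regenerate_id(true);       // new id once the user is authenticated
    $_SESSION['user'] = $username;
    $_SESSION['last_seen'] = time();
}

function isLoggedIn(): bool
{
    return isset($_SESSION['user']);
}

function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        // Expire the cookie with the same attributes it was set with.
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'],
        ]);
    }
    session_destroy();                 // remove the server-side session data
}
```

Every page calls `startAdminSession()` before any output and checks `isLoggedIn()`; the logout link calls `logout()`.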

jimimaseye
Moderator
Posts: 6258
Joined: 2011-09-08 17:48

Re: hMailServer web-interface redesign

Postby jimimaseye » 2017-02-04 16:17

coax wrote:
#2 expiry dates in IP ranges show 2 months and 7 months, when my autoban setting is for 7 days.
In the admin GUI the dates show as '5/02/2017 10:09:13 PM' and '10/02/2017 3:42:35 AM', and date today (for me) is 4th Feb 2017, so the expires in times should be 1 day and 6 days

I can't reproduce that. It ain't due to timezone, strange.

I suspect it is related to local/regional settings. In matt's case it is translating today (4th Feb 2017) as 04/02/17 but in mm/dd/yy format - so reading as 2nd April 2017. And his (first) date of 05/02/17 is translated to 2nd May 2017 - the difference being 1 month (from 2nd April). His second date (10/02/2017) being translated to 2nd October 2017 which is 6 months. (I presume the extra month in both cases is something to do with the actual time offset but it gives you enough to work on).
HMS 5.6.6 B2383 on Win Server 2008 R2 Foundation, + 5.6.7-B2415 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

coax
Normal user
Posts: 36
Joined: 2016-12-22 16:35
Location: Croatia

Re: hMailServer web-interface redesign

Postby coax » 2017-02-04 21:39

jimimaseye wrote:I suspect it is related to local/regional settings. In matt's case it is translating today (4th Feb 2017) as 04/02/17 but in mm/dd/yy format - so reading as 2nd April 2017. And his (first) date of 05/02/17 is translated to 2nd May 2017 - the difference being 1 month (from 2nd April). His second date (10/02/2017) being translated to 2nd October 2017 which is 6 months. (I presume the extra month in both cases is something to do with the actual time offset but it gives you enough to work on).

Of course! I fixed it for next release :)
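
The ambiguity described above, reproduced with the two dates quoted from the admin GUI (an added example, not the project's fix). PHP's strtotime() reads a slash-separated date as month/day/year, so a day-first string has to be parsed with an explicit format. Assumptions: the expiry arrives as a day-first string like the quoted ones; the function names and the fixed "today" are constructed.

```php
<?php
// Added example: '5/02/2017 10:09:13 PM' read as May instead of February.
// Assumption: the expiry arrives as a day-first string like the ones quoted in the thread.

date_default_timezone_set('UTC'); // explicit zone, so date functions do not fall back to system settings

// Parse "d/m/Y h:i:s AM/PM" strictly; anything else is rejected instead of guessed.
function parseDayFirst(string $raw): DateTimeImmutable
{
    $d = DateTimeImmutable::createFromFormat('!j/m/Y g:i:s A', $raw);
    $errors = DateTimeImmutable::getLastErrors();
    if ($d === false || ($errors && ($errors['warning_count'] > 0 || $errors['error_count'] > 0))) {
        throw new InvalidArgumentException("Not a d/m/Y h:i:s AM/PM date: $raw");
    }
    return $d;
}

// Whole days from $now until $expiry (negative once the ban has expired).
function wholeDaysUntil(DateTimeImmutable $expiry, DateTimeImmutable $now): int
{
    return (int) $now->diff($expiry)->format('%r%a');
}

$now = new DateTimeImmutable('2017-02-04 00:00:00'); // constructed "today" for the comparison

foreach (['5/02/2017 10:09:13 PM', '10/02/2017 3:42:35 AM'] as $raw) {
    // strtotime() sees the slashes and assumes the American month/day/year order.
    $guessed = (new DateTimeImmutable())->setTimestamp(strtotime($raw));
    $parsed  = parseDayFirst($raw);

    printf(
        "%-24s strtotime: %s (%d days)   explicit format: %s (%d days)\n",
        $raw,
        $guessed->format('Y-m-d'),
        wholeDaysUntil($guessed, $now),
        $parsed->format('Y-m-d'),
        wholeDaysUntil($parsed, $now)
    );
}
```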

kangarolf
New user
Posts: 18
Joined: 2011-03-01 11:32

Re: hMailServer web-interface redesign

Postby kangarolf » 2017-03-03 20:55

Hi there,

Thanks for your efforts, very nice and useful.

I found it counterintuitive to get to the account editing sections. It would be nice to have a direct link once you have clicked on a domain, especially as I have 100's of domains and so I have to do this..

Click domains
Find domain in list and click
Scroll down page so that I can now see the domain again in the domain list in the left border
Hover over domain
Click accounts

Be a lot easier if I could click domain > click accounts

Also the flipout that appears when you hover over domains is not scrollable so I can't get to most of my domains.

Thanks again

Rolf

coax
Normal user
Posts: 36
Joined: 2016-12-22 16:35
Location: Croatia

Re: hMailServer web-interface redesign

Postby coax » 2017-03-12 18:25

New update! Download v1.1 here

What's new:
[new] country name and flag in auto-ban info
[tweak] navigation UI improvements
[tweak] CSS revamp
[tweak] selected domain shows all submenus
[fix] typos in hm_account_externalaccount.php

katip
Senior user
Posts: 449
Joined: 2006-12-22 07:58
Location: Istanbul

Re: hMailServer web-interface redesign

Postby katip » 2017-03-12 18:53

coax wrote:[new] country name and flag in auto-ban info

BTW, i think it's a better idea to remove flag from IP ranges covering non-routable addresses, i.e. LAN, localhost..
inevitably, it loads broken.

prisma
Senior user
Posts: 300
Joined: 2010-07-09 13:16

Re: hMailServer web-interface redesign

Postby prisma » 2017-03-14 11:43

Got an error directly on http://localhost/?page=account&action=e ... countid=10

Code:

Operation failed
Description: strtotime(): It is not safe to rely on the system's timezone settings. You are *required* to use the date.timezone setting or the date_default_timezone_set() function.
In case you used any of those methods and you are still getting this warning, you most likely misspelled the timezone identifier. We selected 'Europe/Paris' for '1.0/no DST' instead
Script: functions.php


System is Server 2008 Core, php version is 5.3.2

coax
Normal user
Posts: 36
Joined: 2016-12-22 16:35
Location: Croatia

Re: hMailServer web-interface redesign

Postby coax » 2017-03-16 11:50

prisma wrote:Got an error directly on http://localhost/?page=account&action=e ... countid=10

Code:

Operation failed
Description: strtotime(): It is not safe to rely on the system's timezone settings. You are *required* to use the date.timezone setting or the date_default_timezone_set() function.
In case you used any of those methods and you are still getting this warning, you most likely misspelled the timezone identifier. We selected 'Europe/Paris' for '1.0/no DST' instead
Script: functions.php


System is Server 2008 Core, php version is 5.3.2


You'll need to edit your php.ini
http://stackoverflow.com/questions/16765158/date-it-is-not-safe-to-rely-on-the-systems-timezone-settings

mattg
Moderator
Posts: 17430
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: hMailServer web-interface redesign

Postby mattg » 2017-03-16 12:41

Haven't updated for a while

I have it installed in www.example.com/hMailAdmin

When I browse to that page, I get the log on screen.
After I log on browser tries to load and fails
www.example.com/WebAdminindex.php

don't know where this is coming from...
should be something like

www.example.com/hMailAdmin/index.php

Any ideas

coax
Normal user
Posts: 36
Joined: 2016-12-22 16:35
Location: Croatia

Re: hMailServer web-interface redesign

Postby coax » 2017-03-16 13:15

mattg wrote:Haven't updated for a while

I have it installed in http://www.example.com/hMailAdmin

When I browse to that page, I get the log on screen.
After I log on browser tries to load and fails
http://www.example.com/WebAdminindex.php

don't know where this is coming from...
should be something like

http://www.example.com/hMailAdmin/index.php

Any ideas


You're probably missing last "/" in your config.php

eg. $hmail_config['rooturl'] = "http://www.example.com/hmailadmin/";

mattg
Moderator
Posts: 17430
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: hMailServer web-interface redesign

Postby mattg » 2017-03-16 13:54

no, that's there....

EDIT but you made me look harder.
I had two install folders on my website, and my bookmark pointed to the OLD one which was broken

Fixed my bookmark, deleted the old install folder

Works now... :D

mattg
Moderator
Posts: 17430
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: hMailServer web-interface redesign

Postby mattg » 2017-04-18 09:09

Mail that is being forwarded to a local address shows a 'next try time' of Midnight, 1 January 1970

tunis
Normal user
Posts: 141
Joined: 2015-01-05 20:22
Location: Sweden

Re: hMailServer web-interface redesign

Postby tunis » 2017-05-06 18:52

For those of you who have added a DMARC record for your domain, I have made a DMARC report page.
It downloads the reports from an IMAP account and then deletes all mail (use a dedicated account for these reports). Reports are saved to a directory and then parsed into a report.

To get all dmarc reports from receivers that use dmarc for test, add fo=1 in your dmarc record.

Copy file to root and edit hm_dmarcreports.php
Attachment: dmarcreports.zip

coax
Normal user
Posts: 36
Joined: 2016-12-22 16:35
Location: Croatia

Re: hMailServer web-interface redesign

Postby coax » 2017-06-12 17:18

New version available. Download v1.2

Changelog:
[fix] multiple typos and small fixes
[fix] dropdowns in rule criteria actions
[fix] distribution lists checkboxes
[new] distribution list add/edit/delete members
[fix] maxlength added to account input fields

delphiham
New user
Posts: 13
Joined: 2016-03-10 22:33

Re: hMailServer web-interface redesign

Postby delphiham » 2017-07-12 23:54

If you use the "web-interface redesign" with XSS protection on the web server, then set the following headers in a .htaccess file (Apache only):

Code:

<IfModule mod_headers.c>
Header set X-Frame-Options "SAMEORIGIN"
Header set X-Content-Type-Options "nosniff"
Header set X-XSS-Protection "1; mode=block"
Header set Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self' data:; img-src 'self'"
Header set Referrer-Policy "no-referrer"
</IfModule>


You need the module "mod_headers" on the Apache Webserver!

RvdH
Senior user
Posts: 457
Joined: 2008-06-27 14:42
Location: Netherlands

Re: hMailServer web-interface redesign

Postby RvdH » 2017-07-23 02:46

Why? Sorry, but i like to know why...i mean where is this coming from?

meanwhile for IIS:

Code:

<system.webServer>
   <httpProtocol>
      <customHeaders>
         <add name="X-Content-Type-Options" value="nosniff" />
         <add name="X-XSS-Protection" value="1; mode=block" />
         <add name="X-Frame-Options" value="SAMEORIGIN" />
         <add name="Content-Security-Policy" value="default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self' data:; img-src 'self'" />
         <add name="Referrer-Policy" value="no-referrer" />
      </customHeaders>
   </httpProtocol>
   
    ...

tunis
Normal user
Posts: 141
Joined: 2015-01-05 20:22
Location: Sweden

Re: hMailServer web-interface redesign

Postby tunis » 2017-07-23 10:32

RvdH wrote:Why? Sorry, but i like to know why...i mean where is this coming from?


Here is some nginx configuration with some explanations and sources.

add_header X-Frame-Options SAMEORIGIN;

Config to not allow the browser to render the page inside a frame or iframe
and avoid clickjacking http://en.wikipedia.org/wiki/Clickjacking
if you need to allow (i)frames, you can use SAMEORIGIN or even set a URI with ALLOW-FROM uri
https://developer.mozilla.org/en-US/doc ... me-Options

add_header X-Content-Type-Options nosniff;

When serving user-supplied content, include a X-Content-Type-Options: nosniff header along with the Content-Type: header,
to disable content-type sniffing on some browsers.
https://www.owasp.org/index.php/List_of ... TP_headers
Currently supported in IE > 8 http://blogs.msdn.com/b/ie/archive/2008 ... pdate.aspx
http://msdn.microsoft.com/en-us/library ... 41(v=vs.85).aspx
'soon' on Firefox https://bugzilla.mozilla.org/show_bug.cgi?id=471020

add_header X-XSS-Protection "1; mode=block";

This header enables the Cross-site scripting (XSS) filter built into most recent web browsers.
It's usually enabled by default anyway, so the role of this header is to re-enable the filter for
this particular website if it was disabled by the user.
https://www.owasp.org/index.php/List_of ... TP_headers

add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://ssl.google-analytics.com https://connect.facebook.net; img-src 'self' https://ssl.google-analytics.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://themes.googleusercontent.com; frame-src https://www.facebook.com https://s-static.ak.facebook.com; object-src 'none'";

With Content Security Policy (CSP) enabled (and a browser that supports it, http://caniuse.com/#feat=contentsecuritypolicy),
you can tell the browser that it can only download content from the domains you explicitly allow
http://www.html5rocks.com/en/tutorials/ ... ty-policy/
https://www.owasp.org/index.php/Content_Security_Policy
I need to change our application code so we can increase security by disabling the 'unsafe-inline' and 'unsafe-eval'
directives for CSS and JS (if you have inline CSS or JS, you will need to keep them too).
more: http://www.html5rocks.com/en/tutorials/ ... ed-harmful
HMS 5.6.6 B2383.7 on Windows Server 2016 Core VM.
HMS 5.6.7 B2407.9 on Windows Server 2012 R2 Core VM.
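
A small audit of the headers recommended in the posts above, as an added example (not part of hMailAdmin). The function names are hypothetical, and the two sample sets reuse the header values from the .htaccess post and the nginx post.

```php
<?php
// Added example: check a response's headers against the set recommended in this thread.
// Function names are hypothetical; both sample sets reuse header values posted above.

// Turn raw header lines into a lower-cased name => value map.
function parseHeaders(array $lines): array
{
    $headers = [];
    foreach ($lines as $line) {
        if (stripos($line, 'HTTP/') === 0 || strpos($line, ':') === false) {
            continue;                                   // status line or junk
        }
        [$name, $value] = explode(':', $line, 2);
        $headers[strtolower(trim($name))] = trim($value);
    }
    return $headers;
}

// Split a Content-Security-Policy value into directive => list of sources.
function parseCsp(string $policy): array
{
    $directives = [];
    foreach (explode(';', $policy) as $part) {
        $tokens = preg_split('/\s+/', trim($part), -1, PREG_SPLIT_NO_EMPTY);
        if ($tokens) {
            $directives[strtolower(array_shift($tokens))] = $tokens;
        }
    }
    return $directives;
}

function auditHeaders(array $lines): array
{
    $h = parseHeaders($lines);
    $findings = [];
    // X-XSS-Protection is left out on purpose: current Chrome and Firefox ignore it,
    // so the Content-Security-Policy is what limits script injection.
    foreach (['x-frame-options', 'x-content-type-options', 'content-security-policy', 'referrer-policy'] as $name) {
        if (!isset($h[$name])) {
            $findings[] = "missing $name";
        }
    }
    if (isset($h['x-content-type-options']) && strcasecmp($h['x-content-type-options'], 'nosniff') !== 0) {
        $findings[] = 'x-content-type-options is not nosniff';
    }
    if (isset($h['content-security-policy'])) {
        $csp = parseCsp($h['content-security-policy']);
        $script = $csp['script-src'] ?? $csp['default-src'] ?? null; // script-src falls back to default-src
        if ($script === null) {
            $findings[] = 'CSP does not restrict scripts';
        } else {
            foreach ($script as $source) {
                if ($source === "'unsafe-inline'" || $source === "'unsafe-eval'") {
                    $findings[] = "script-src allows $source";
                } elseif ($source[0] !== "'") {
                    $findings[] = "script-src allows external source $source";
                }
            }
        }
    }
    return $findings;
}

// Header values from the .htaccess post.
$htaccessSet = [
    'HTTP/1.1 200 OK',
    'X-Frame-Options: SAMEORIGIN',
    'X-Content-Type-Options: nosniff',
    'X-XSS-Protection: 1; mode=block',
    "Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self' data:; img-src 'self'",
    'Referrer-Policy: no-referrer',
];

// Header values from the nginx post.
$nginxSet = [
    'HTTP/1.1 200 OK',
    'X-Frame-Options: SAMEORIGIN',
    'X-Content-Type-Options: nosniff',
    'X-XSS-Protection: 1; mode=block',
    "Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://ssl.google-analytics.com https://connect.facebook.net; img-src 'self' https://ssl.google-analytics.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://themes.googleusercontent.com; frame-src https://www.facebook.com https://s-static.ak.facebook.com; object-src 'none'",
];

foreach (['htaccess set' => $htaccessSet, 'nginx set' => $nginxSet] as $label => $set) {
    echo $label, ':', PHP_EOL;
    print_r(auditHeaders($set));
}
```

For a live installation, pass the array returned by `get_headers()` for the admin URL to `auditHeaders()`. The second sample set is a generic policy written for a site that loads analytics and social widgets, so its script-src relaxations and third-party hosts are flagged; hMailAdmin no longer loads scripts or fonts remotely (v0.9.6 changelog) and fits the stricter policy in the first set.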

delphiham
New user
Posts: 13
Joined: 2016-03-10 22:33

Re: hMailServer web-interface redesign

Postby delphiham » 2017-07-23 20:17

@Tunis. Thanks for the very good explanation about this :-).

jwbowers
New user
Posts: 2
Joined: 2017-02-02 04:07

Re: hMailServer web-interface redesign

Postby jwbowers » 2017-08-10 20:08

I've been using this for the past several months in total bliss. A few days ago, I was away from home and needed to create a distribution list. Although I could create the list, I couldn't enable it or add members to it. Now that I'm back home, I spent some time looking into the matter. I was still using version 0.9.8, and I see that version 1.2 includes the new functionality to edit/manage distribution list members. I installed and configured it, and it works just fine. Great!

However, I noticed that the "Enabled" checkbox does not retain its setting when the "Save" button is clicked for a distribution list. After the page posts back, it always reverts back to unchecked. I confirmed the behavior is consistent across the major browsers. Any chance to add that fix to the next release?

Thanks again for all of the tremendous effort!

coax
Normal user
Posts: 36
Joined: 2016-12-22 16:35
Location: Croatia

Re: hMailServer web-interface redesign

Postby coax » 2017-08-10 20:36

jwbowers wrote:I've been using this for the past several months in total bliss. A few days ago, I was away from home and needed to create a distribution list. Although I could create the list, I couldn't enable it or add members to it. Now that I'm back home, I spent some time looking into the matter. I was still using version 0.9.8, and I see that version 1.2 includes the new functionality to edit/manage distribution list members. I installed and configured it, and it works just fine. Great!

However, I noticed that the "Enabled" checkbox does not retain its setting when the "Save" button is clicked for a distribution list. After the page posts back, it always reverts back to unchecked. I confirmed the behavior is consistent across the major browsers. Any chance to add that fix to the next release?


Thanks for feedback, there's been numerous changes by @tunis and me for next release, and this will be implemented as well.

RvdH
Senior user
Posts: 457
Joined: 2008-06-27 14:42
Location: Netherlands

Re: hMailServer web-interface redesign

Postby RvdH » 2017-08-28 11:33

tunis wrote:For those of you who have added a DMARC record for your domain, I have made a DMARC report page.
It downloads the reports from an IMAP account and then deletes all mail (use a dedicated account for these reports). Reports are saved to a directory and then parsed into a report.

To get all dmarc reports from receivers that use dmarc for test, add fo=1 in your dmarc record.

Copy file to root and edit hm_dmarcreports.php


@tunis, how to get this to work?

I made a dedicated account reports@... and added user credentials in hm_dmarcreports.php, I know for sure reports have been delivered but that status page in the Webadmin always reads:

DMARC REPORTS
0 new reports added.


Do i have to manually create .dmarcreports folder? Where should this be placed?
The mailbox is completely empty...so the deletion part seems to work :)

tunis
Normal user
Posts: 141
Joined: 2015-01-05 20:22
Location: Sweden

Re: hMailServer web-interface redesign

Postby tunis » 2017-08-28 20:17

RvdH wrote:@tunis, how to get this to work?

I made a dedicated account reports@... and added user credentials in hm_dmarcreports.php, I know for sure reports have been delivered but that status page in the Webadmin always reads:


RvdH wrote:
DMARC REPORTS
0 new reports added.


Do i have to manually create .dmarcreports folder? Where should this be placed?
The mailbox is completely empty...so the deletion part seems to work :)


I have updated the code and fixed the 0 new reports added fault.

You must make the folder "dmarcreports" and make it writable for php.
Attachment: dmarcreports.zip

RvdH
Senior user
Posts: 457
Joined: 2008-06-27 14:42
Location: Netherlands

Re: hMailServer web-interface redesign

Postby RvdH » 2017-08-29 08:18

Thx, i will give it another go

RvdH
Senior user
Posts: 457
Joined: 2008-06-27 14:42
Location: Netherlands

Re: hMailServer web-interface redesign

Postby RvdH » 2017-08-29 12:07

It seems to work OK now, thx for the fix :!: