Tag Archives: security

Cheap SSL Certificates

Posted on by 3 Comments ↓

I often see discussions about where to get reasonably priced SSL certificates, and so I’d like to share my source.

For some time I’ve been using a RapidSSL reseller called “RapidSSL Online

Unlike much of the competition, their prices start at $14.95USD/year, offering 128 / 256 bit single root SSL certificate.

I have no affiliation with them beyond being a satisfied customer, and I receive no compensation for this referral, I simply detest some of the larger players charging substantially more for what is ultimate the same thing.

Use received date instead of date header

Posted on by No Comments ↓

By default WorldClient uses the “Date” header of inbound mail rather then the time/date when the message was received. This is normally desired as it allows the receiver to see the order messages were sent, even if some mail was delayed in transit.

However, with spammers and other nefarious individuals being able to tamper with Date headers, this is not always desired and some even consider this a security issue in that it allows a sender to lie about when a message was sent.

There is a switch in WorldClient to tell WorldClient to use the timestamp when the message was retrieved, rather then relying on the date header, if you so desire:

In the WorldClient.ini file, [Special] section, look for the following key:

UseReceivedDate=No

If you set that to “Yes” then it will use the date your mailserver received the message rather then the Date header.  However, in the case of MultiPOP’d mail, it will actually list the date/time that MultiPOP retrieved the article, so it loses some effectiveness.

Note that if you change this switch, it will only apply to newly received messages.  Messages which have already been received will still use the “Date” header. Delete your “message.idx” files to cause WorldClient to rebuild it’s indexes.

Also note that this only applies to WorldClient, POP mail clients can do whatever they want, and IMAP exposes both dates to clients allowing clients to display either or both dates, depending on the client’s capabilities.

Setting ACLs on IMAP folders – Not just for administrators

Posted on by 2 Comments ↓

In my last post I discussed what IMAP ACLs are implemented by MDaemon, and a little about how they work. In this post I want to make everyone aware of the ways that ACLs can be managed.

ACLs can be changed a number of different ways, not only by administrators using the MDaemon interface. ACLs can be changed using any of the following methods:

  • The MDaemon GUI, under public folders or from within the user editor.
  • The WebAdmin GUI, in similar locations.
  • WorldClient allows users to share folders and set permissions.
  • Outlook Connector allows users to share folders and set permissions.
  • Any IMAP client can be used to set permissions.
  • You can even change ACLs by using “telnet” to connect to the IMAP server.

This is significant as it allows any user to share their own IMAP folders out to other users. Note that only users who have the “administer” ACL or are a WebAdmin domain admin or global administrator can change ACLs.

To understand how to change rights, I have lifted the following information from RFC2086 – IMAP4 ACL extension

To set ACLs, use the SETACL command:

4.1. SETACL

Arguments: mailbox name
authentication identifier
access right modification

Data: no specific data for this command

Result: OK – setacl completed
NO – setacl failure: can’t set acl
BAD – command unknown or arguments invalid

The SETACL command changes the access control list on the specified mailbox so that the specified identifier is granted permissions as specified in the third argument.

The third argument is a string containing an optional plus (“+”) or minus (“-“) prefix, followed by zero or more rights characters. If the string starts with a plus, the following rights are added to any existing rights for the identifier. If the string starts with a minus, the following rights are removed from any existing rights for the identifier. If the string does not start with a plus or minus, the rights replace any existing rights for the identifier.

To retrieve ACLs on existing folders, use GETACL:

4.3. GETACL

Arguments: mailbox name

Data: untagged responses: ACL

Result: OK – getacl completed
NO – getacl failure: can’t get acl
BAD – command unknown or arguments invalid

The GETACL command returns the access control list for mailbox in an untagged ACL reply.

Example: C: A002 GETACL INBOX
S: * ACL INBOX Fred rwipslda
S: A002 OK Getacl complete

For more information and a few additional commands, please do read RFC2086 – IMAP4 ACL extension