Admin blog

From Space Science Theory Group

Email

/etc/imapd.conf was modified to allow plaintext logins, though this is not recommended at all. The setting involved changing

  allowplaintext: no

to

  allowplaintext: yes

Since this is insecure, pop3 access was disabled to the external world. The configuration file for this is /etc/sysconfig/SuSEfirewall2.

  FW_SERVICES_EXT_TCP="465 80 https imap imaps ldap ldaps pop3 pop3s smtp ssh"

to

  FW_SERVICES_EXT_TCP="465 80 https imap imaps ldap ldaps pop3s smtp ssh"

and

  FW_SERVICES_INT_TCP="80"

to

  FW_SERVICES_INT_TCP="80 pop3 pop3s"

FW_SERVICES_INT_TCP might allow access from all of the domain sr.unh.edu, which is not needed.

Tfogal 19:50, 5 May 2006 (EDT)


Undid the above. Sending plaintext passwords is bad and rather than letting people get away with it, I'd prefer to have them complain and then configure their client correctly. auth plain/login is allowed over SSL/TLS, but not over an unencrypted connection. Disabling pop3 doesn't help the issue at all, because imap is still open and just as insecure. FW_SERVICE_INT_* doesn't do anything since we have no internal interface (artemis isn't a router in the first place).

Kai 00:10, 19 May 2006 (EDT)


Fixed the postfix configuration to allow relaying after authentication (it did support authentication before, but still wouldn't relay). Apparently, no one ever used artemis as an outgoing SMTP server from outside of unh.edu, otherwise they would have noticed...

Kai 00:13, 19 May 2006 (EDT)

Wikis

All of the wiki access privileges didn't transfer over on the move to artemis. In particular, the Admin wiki has been anonymously readable / writable since the move. We have passwords stored on it, so hopefully it didn't make it into any web caches...

Anyway I've fixed the admin wiki at least. We're using a newer mediawiki and the old trick doesn't work. To make a wiki only accessible to users who are logged in, set the following in LocalSettings.php:

  # don't allow new account creation.
  $wgGroupPermissions['*']['createaccount'] = false;
  # don't allow anonymous edits.
  $wgGroupPermissions['*']['edit'] = false;
  # don't allow anonymous reads
  $wgGroupPermissions['*']['read'] = false;
  #  well... except for the main and login pages...
  $wgWhitelistRead = array("Main Page", "Special:Userlogin", "-", "MediaWiki:Monobook.css");

Tfogal 14:33, 25 May 2006 (EDT)


Removed an ad that got spammed onto the user wiki today. In hopes it would deter automated spambots, I disabled anonymous edits to the wiki by adding:

  $wgGroupPermissions['*']['edit'] = false;

to LocalSettings.php. Anyone who wants to contribute should still be able to create a new account and edit with that (hopefully spambots aren't smart enough to do that yet).

Tfogal 17:07, 8 June 2006 (EDT)
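
The two wiki entries above both come down to what the anonymous `*` group may do in LocalSettings.php. The following check is an added example, not part of the original blog entries: it reports which anonymous rights a settings file still leaves open. The function names and sample strings are hypothetical, and it assumes MediaWiki grants `read`, `edit` and `createaccount` to `*` unless overridden.

```python
import re

# Assumption: MediaWiki grants these rights to the anonymous '*' group
# unless LocalSettings.php overrides them.
DEFAULTS = {"read": True, "edit": True, "createaccount": True}

# Matches literal assignments such as: $wgGroupPermissions['*']['edit'] = false;
# Lines commented out with # or // do not match because of the ^\s*\$ anchor.
ASSIGN = re.compile(
    r"""^\s*\$wgGroupPermissions\s*\[\s*['"]\*['"]\s*\]\s*\[\s*['"](\w+)['"]\s*\]"""
    r"""\s*=\s*(true|false)\s*;""",
    re.IGNORECASE | re.MULTILINE,
)

def anonymous_rights(php_source):
    """Effective rights of the '*' group; the last assignment wins, as in PHP."""
    rights = dict(DEFAULTS)
    code = re.sub(r"/\*.*?\*/", "", php_source, flags=re.DOTALL)  # drop /* */ blocks
    for right, value in ASSIGN.findall(code):
        rights[right] = value.lower() == "true"
    return rights

def findings(php_source, private=True):
    """Rights anonymous visitors still hold that the wiki's policy forbids.

    private=True  -> login-only wiki (the admin wiki entry)
    private=False -> public wiki that only blocks anonymous edits (the user wiki entry)
    """
    forbidden = ("read", "edit", "createaccount") if private else ("edit",)
    rights = anonymous_rights(php_source)
    return [r for r in forbidden if rights[r]]

# Constructed samples: a settings file with no overrides (as after the move),
# and the two fixes quoted in the entries above.
MIGRATED = '<?php\n$wgSitename = "Admin";\n'
ADMIN_WIKI = """<?php
  $wgGroupPermissions['*']['createaccount'] = false;
  $wgGroupPermissions['*']['edit'] = false;
  $wgGroupPermissions['*']['read'] = false;
  $wgWhitelistRead = array("Main Page", "Special:Userlogin", "-", "MediaWiki:Monobook.css");
"""
USER_WIKI = "<?php\n  $wgGroupPermissions['*']['edit'] = false;\n"

if __name__ == "__main__":
    for name, src, private in [("migrated", MIGRATED, True),
                               ("admin", ADMIN_WIKI, True),
                               ("user", USER_WIKI, False)]:
        print(name, findings(src, private) or "ok")
```

Running it against each wiki's settings file after a migration or upgrade would catch the case where the overrides did not carry over; it only understands literal `true`/`false` assignments in the form shown here.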