
Has anyone tried to implement iRedMail with mod_security? My English is also not so good; I hope you understand my reasoning. Thanks for your help in advance.

I have installed iRedMail + web presentation on nginx, but I have a problem with modsec rules. I used Apache2 + mod_security before. I implemented custom rules like RBL or dropping .php or .env requests, for example. You can find below the examples which I used with Apache2. RBL rule:

SecRule REMOTE_ADDR "@rbl sbl-xbl.spamhaus.org" "phase:1,id:171,t:none,pass,log,auditlog,msg:'RBL Match for SPAM Source',tag:'AUTOMATION/MALICIOUS',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.automation_score=+%{tx.warning_anomaly_score},setvar:tx.an>
 setvar:tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var},setvar:ip.spammer=1,expirevar:ip.spammer=86400,setvar:ip.previous_rbl_check=1,expirevar:ip.previous_rbl_check=86400,skipAfter:END_RBL_CHECK"

.php rule:

SecRule REQUEST_LINE "@contains .php" "phase:1,id:150,drop,status:444,log,t:none,t:urlDecode,t:lowercase,t:normalizePath,msg:'Request contains .php file'"

.env rule:

SecRule REQUEST_LINE "@contains .env" "phase:1,id:155,drop,status:444,log,t:none,t:urlDecode,t:lowercase,t:normalizePath,msg:'Request contains .env file'"

It worked very well on Apache, spammers kiss ..... :) but it drops incorrectly on iRedMail with nginx.

RBL does not drop at all. I tried the RBL from Project Honey Pot, but it is the same. For example, if I try www.example.com/index.php it drops fine, but some requests from spammers kill me. I don't know where they come from, but the requests were killed on Apache.

Below is access.log:

184.168.103.230 - - [08/Feb/2022:17:33:28 +0100] "GET /wp-login.php HTTP/1.1" 301 162 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
184.168.103.230 - - [08/Feb/2022:17:33:31 +0100] "GET /wp-login.php HTTP/1.1" 404 47 "http://example.com/wp-login.php" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"

Below is error.log:

2022/02/08 17:33:31 [error] 1036473#1036473: *232 FastCGI sent in stderr: "Primary script unknown" while reading response header 
from upstream, client: 184.168.103.230, server: domain.com, request: "GET /wp-login.php HTTP/1.1", upstream: 
"fastcgi://127.0.0.1:9999", host: "example.com", referrer: "http://example.com/wp-login.php"

ModSecurity does not drop it by the .php rule, but when it was dropped, the error log looks like below.

2022/02/08 18:28:29 [error] 1036473#1036473: *238 [client 173.212.214.140] ModSecurity: Access denied with code 444 (phase 1). 
Matched "Operator `Contains' with parameter `.php' against variable `REQUEST_LINE' (Value: `GET /wp-login.php HTTP/1.1' ) 
[file "/etc/nginx/modsecurity/modsecurity.conf"] [line "279"] [id "150"] [rev ""] [msg "Request contains .php file"] [data ""] 
[severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [hostname "xxxx"] [uri "/wp-login.php"] [unique_id "1644341309"] 
[ref "o13,4v0,26t:urlDecode,t:lowercase,t:normalizePath"], client: 173.212.214.140, server: example.com, request: "GET /wp-login.php HTTP/1.1", 
host: "example.com", referrer: "http://example.com/wp-login.php"

In this situation, it was sometimes dropped but sometimes not. On Apache, for example, it was dropped every time. Below is my nginx config. 00-default.conf:

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    listen server ip:80 default_server;
    listen [server ip6::1]:80 default_server;
    server_name _;

    return 444;

}

server {
    # Listen on ipv4
    listen server ip:80;
    listen [server ip::6]:80;
    server_name mail.example.com;

    root /var/www/html;
    index index.html robots.txt;

    # Redirect all insecure http:// requests to https://
    return 301 https://$host$request_uri;

    modsecurity on;
    modsecurity_rules_file /etc/nginx/modsecurity/modsecurity.conf;

    location / {
        try_files $uri $uri/ =404;
    }

    #Remove Unwanted HTTP Methods
    if ($request_method !~ ^(GET|POST)$) {
        return 444;
    }
}

00-default-ssl.conf:

server {
    listen 443 default_server;
    listen [::]:443 default_server;
    listen server ip:443 default_server;
    listen [server ip::6]:443 default_server;
    server_name _;

    ssl_certificate /etc/letsencrypt/live/mail.example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/mail.example.com/privkey.pem; # managed by Certbot

    return 444;

}

server {
    listen server ip:443 ssl http2;
    listen [server ip::6]:443 ssl http2;
    server_name mail.example.com;

    root /var/www/html;
    index index.php index.html;

    modsecurity on;
    modsecurity_rules_file /etc/nginx/modsecurity/modsecurity.conf;

    include /etc/nginx/templates/misc.tmpl;
    include /etc/nginx/templates/ssl.tmpl;
    include /etc/nginx/templates/iredadmin.tmpl;
    include /etc/nginx/templates/roundcube.tmpl;
    include /etc/nginx/templates/php-catchall.tmpl;

    #Remove Unwanted HTTP Methods
    if ($request_method !~ ^(GET|POST)$) {
        return 444;
    }

    location / {
        try_files $uri $uri/ =404;
    }
}

mydomaine.conf:

server {
    if ($host = www.example.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    if ($host = example.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;

      location / {
          return 444;
      }

}


server {
    listen server ip:443 ssl http2;
    listen [server ip::6]:443 ssl http2;
    root /var/www/html/example.com;
    index index.html robots.txt;
    server_name example.com www.example.com;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    include /etc/nginx/templates/misc.tmpl;
    include /etc/nginx/templates/php-catchall.tmpl;
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot

    modsecurity on;
    modsecurity_rules_file /etc/nginx/modsecurity/modsecurity.conf;

    location / {
        try_files $uri $uri/ =404;
    }

        error_page 404 /404/index.html;

}

Maybe I do not understand the iRedMail concept; I'm not an iRedMail admin. iRedMail is a good solution, but sometimes it is used not by pros :) and as a result it does not drop requests from spammers.

Thanks for your help.

WhoAmI
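A defender-side check suggested by the logs above, as an added example that is not part of the original post: correlate access.log against error.log and list every request containing `.php` that was not answered with a ModSecurity 444 denial, so rule gaps like the 301 and 404 responses in the post show up without reading the logs by hand. The sample log lines are constructed from the excerpts in the post (user agents shortened, two extra lines added for contrast).

```python
import re

# Constructed sample lines, modelled on the access.log / error.log excerpts in the post
# (user agents shortened; one blocked and one unrelated request added for contrast).
ACCESS_LOG = """\
184.168.103.230 - - [08/Feb/2022:17:33:28 +0100] "GET /wp-login.php HTTP/1.1" 301 162 "-" "Mozilla/5.0"
184.168.103.230 - - [08/Feb/2022:17:33:31 +0100] "GET /wp-login.php HTTP/1.1" 404 47 "http://example.com/wp-login.php" "Mozilla/5.0"
173.212.214.140 - - [08/Feb/2022:18:28:29 +0100] "GET /wp-login.php HTTP/1.1" 444 0 "-" "Mozilla/5.0"
198.51.100.7 - - [08/Feb/2022:18:30:00 +0100] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""
ERROR_LOG = """\
2022/02/08 17:33:31 [error] 1036473#1036473: *232 FastCGI sent in stderr: "Primary script unknown" while reading response header from upstream, client: 184.168.103.230, server: domain.com, request: "GET /wp-login.php HTTP/1.1"
2022/02/08 18:28:29 [error] 1036473#1036473: *238 [client 173.212.214.140] ModSecurity: Access denied with code 444 (phase 1). Matched "Operator `Contains' with parameter `.php' against variable `REQUEST_LINE' (Value: `GET /wp-login.php HTTP/1.1' ) [id "150"] [msg "Request contains .php file"], client: 173.212.214.140, server: example.com, request: "GET /wp-login.php HTTP/1.1"
"""

# Combined-format access line: client IP, bracketed timestamp, quoted request line, status.
ACCESS_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<line>[^"]*)" (?P<status>\d{3}) ')
# ModSecurity-nginx denial: denial code, rule id, then the client/request fields nginx appends.
DENIED_RE = re.compile(r'ModSecurity: Access denied with code (?P<code>\d+).*?\[id "(?P<id>\d+)"\]'
                       r'.*?client: (?P<ip>[\d.:a-fA-F]+), .*?request: "(?P<line>[^"]*)"')

def parse_access(text):
    """Return one dict per parseable access.log line."""
    matches = (ACCESS_RE.match(l) for l in text.splitlines())
    return [{'ip': m['ip'], 'line': m['line'], 'status': int(m['status'])} for m in matches if m]

def parse_denials(text):
    """Map (client ip, request line) -> (rule id, denial code) for each logged ModSecurity denial."""
    denials = {}
    for l in text.splitlines():
        m = DENIED_RE.search(l)
        if m:
            denials[(m['ip'], m['line'])] = (m['id'], int(m['code']))
    return denials

def find_gaps(access, denials, needle='.php', expected=444):
    """List requests containing `needle` that were NOT denied by ModSecurity with status `expected`."""
    gaps = []
    for req in access:
        if needle not in req['line'].lower():
            continue                       # the .php rule would not apply to this request at all
        hit = denials.get((req['ip'], req['line']))
        if hit is None:
            gaps.append((req['ip'], req['line'], req['status'], 'no ModSecurity denial logged'))
        elif req['status'] != expected:
            gaps.append((req['ip'], req['line'], req['status'], f'denied by rule {hit[0]} but not with {expected}'))
    return gaps

if __name__ == '__main__':
    for ip, line, status, why in find_gaps(parse_access(ACCESS_LOG), parse_denials(ERROR_LOG)):
        print(f'{ip} "{line}" -> {status}: {why}')
```

Run against real files by reading `/var/log/nginx/access.log` and `error.log` into the two strings; a non-empty result means requests the rule should have caught reached the backend or were redirected first.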