paul2021 Newbie
Joined: 03 October 2021
Online Status: Offline Posts: 24
Posted: 03 October 2021 at 3:40pm
Hi, I'm thinking about installing AfterLogic, and got a bunch of questions, would you help?
1. Does AfterLogic WebMail Lite allow the same user account to log in and access from multiple devices at the same time? That is, will a later login kick out the previous login session of the same account?
2. This page said it's not supported in 9 yet:
https://afterlogic.com/docs/webmail-lite/developers-guide/password-change-in-mail-server-database
Our user accounts and passwords are stored in a MySQL database. Does that mean, to allow users to change passwords, we can only install version 8?
3. When will you stop supporting version 8?
4. For this CAPTCHA feature:
https://afterlogic.com/docs/webmail-lite/configuring-webmail/displaying-captcha-on-login-screen
After one user account, user123, fails login a few times, will you display that CAPTCHA for ALL users, or do you only display CAPTCHA for user123, AFTER he enters his username?
I feel the latter would be more helpful, but just want to confirm.
Thank you so much!

Igor AfterLogic Support
Joined: 24 June 2008 Location: United States
Online Status: Offline Posts: 6104
Posted: 04 October 2021 at 12:03am
Quote:
1. Does AfterLogic WebMail Lite allow the same user account to log in and access from multiple devices at the same time? That is, will a later login kick out the previous login session of the same account?
User sessions in different browsers and on different devices will not affect each other. You can log into / out of various accounts in different browsers just fine.
Quote:
Our user accounts and passwords are stored in a MySQL database. Does that mean, to allow users to change passwords, we can only install version 8?
By default, changing account passwords is not possible in WebMail Lite, as that's not something supported by standard email protocols.
We offer password change plugins for several software backends (cPanel, iRedMail, POPPASSD etc.); if your mail server has passwords stored in the database, you can use the module you've mentioned to implement password change logic. And indeed, that module wasn't ported to v9 yet.
Quote:
3. When will you stop supporting version 8?
That depends on what kind of support you're speaking of, as WebMail Lite doesn't come with guaranteed free support from Afterlogic; it's a community product. And if you encounter any issues in a previous version, the first troubleshooting step is to check if the issue occurs in the latest version; we don't plan to make any changes/fixes in previous versions. But, at our discretion, we can still answer questions related to previous versions of the product.
Quote:
After one user account, user123, fails login a few times, will you display that CAPTCHA for ALL users, or do you only display CAPTCHA for user123, AFTER he enters his username?
CAPTCHA will be displayed in that particular browser on the login form. The counter of failed login attempts uses browser cookies, and after a successful login, the number of failed login attempts is reset back to zero.
--
Regards,
Igor, Afterlogic Support

paul2021 Newbie
Joined: 03 October 2021
Online Status: Offline Posts: 24
Posted: 05 October 2021 at 6:21am
Thank you so much for the prompt clarifications!
Igor wrote:
Quote:
3. When will you stop supporting version 8?
That depends on what kind of support you're speaking of
I mean security patches. Suppose a vulnerability is found, for how many years down the road do you expect a hot fix will be provided for v8?
Or in other words, when do you think v9 will have password changing etc. features ported?
Right now our problem is, it looks like we are stuck with v8 due to these essential features, and not sure what will happen if a vulnerability is found.
Or maybe it's not hard for us to port password changing etc. features to v9?
What other features are still missing in v9?
Igor wrote:
CAPTCHA will be displayed in that particular browser on the login form. The counter of failed login attempts uses browser cookies
Ok. This feature is against malicious hackers. And they may not use real browsers to manually enter passwords. Usually they run scripts to carry out such attacks. So they may not come back with the same cookie every time, especially after learning how your feature works. That means this feature will be unable to slow down such hackers, right? I thought it would be more helpful to display the CAPTCHA AFTER the username is entered, as some platforms do; what do you think?
Thank you!

Igor AfterLogic Support
Joined: 24 June 2008 Location: United States
Online Status: Offline Posts: 6104
Posted: 05 October 2021 at 6:41am
Security patches are guaranteed for the latest version only. But we still have version 7 of WebMail Pro available and we have recently provided a security update for it.
Version 9 is very new and we're still in the process of reviewing existing modules and modifying them where needed. Some of the modules, like ReCAPTCHA, didn't require any modifications at all, while in the case of modules which use in-depth email API, changes may be needed. I don't know if that's the case with the particular module, and since we're speaking of an open-source product, we welcome pull requests to our repositories.
With regard to CAPTCHA, we believe this protection is, specifically, against those using the web interface and a web browser. However, a while ago we added a feature that blocks an IP address after a number of failed login attempts; see the EnableFailedLoginBlock option in the data/settings/modules/Core.config.json file. Two more options afterwards are related to this behavior as well. Perhaps it would work as a better protection from the kind of attacks you've described. And since the authentication is essentially done at IMAP level, you may wish to consider protecting accounts against brute-forcing on the mail server side.
--
Regards,
Igor, Afterlogic Support
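
The difference between a failure counter held in a browser cookie and one kept on the server, as discussed in the two posts above, shown as an added example that is not part of the thread and is not Afterlogic's code. It is a Python model; the class names, thresholds, window length and sample address are assumptions.

```python
import time
from collections import defaultdict, deque

class CookieCounter:
    """Failure count lives in a cookie the client may or may not send back."""
    def __init__(self, captcha_after=3):
        self.captcha_after = captcha_after

    def challenge_required(self, cookie):
        return int(cookie.get("fails", 0)) >= self.captcha_after

    def after_failure(self, cookie):
        return {"fails": int(cookie.get("fails", 0)) + 1}

class ServerSideLimiter:
    """Failure timestamps kept on the server, keyed by source IP and by username."""
    def __init__(self, max_fails=3, window_s=600, clock=time.monotonic):
        self.max_fails, self.window_s, self.clock = max_fails, window_s, clock
        self.fails = defaultdict(deque)

    def _recent(self, key):
        # Drop failures older than the sliding window, then count the rest.
        q, cutoff = self.fails[key], self.clock() - self.window_s
        while q and q[0] <= cutoff:
            q.popleft()
        return len(q)

    def blocked(self, ip, user):
        return max(self._recent(("ip", ip)), self._recent(("user", user))) >= self.max_fails

    def record_failure(self, ip, user):
        now = self.clock()
        self.fails[("ip", ip)].append(now)
        self.fails[("user", user)].append(now)

def simulate(attempts, keeps_cookie):
    """Count wrong-password attempts that reach the password check unchallenged."""
    cookie_ctl, server_ctl = CookieCounter(), ServerSideLimiter()
    cookie, via_cookie, via_server = {}, 0, 0
    ip, user = "192.0.2.10", "user123"  # constructed sample values
    for _ in range(attempts):
        if not cookie_ctl.challenge_required(cookie):
            via_cookie += 1
            cookie = cookie_ctl.after_failure(cookie) if keeps_cookie else {}
        if not server_ctl.blocked(ip, user):
            via_server += 1
            server_ctl.record_failure(ip, user)
    return via_cookie, via_server
```

Keying on the username as well as the IP means failures from other addresses still count against the account, but it also lets anyone who knows a username trigger the limit for it. For that reason the username key is usually tied to a CAPTCHA challenge rather than a hard block.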

paul2021 Newbie
Joined: 03 October 2021
Online Status: Offline Posts: 24
Posted: 06 October 2021 at 2:30pm
Thank you.
Igor wrote:
Security patches are guaranteed for the latest version only. But we still have version 7 of WebMail Pro available and we have recently provided a security update for it.
I couldn't find it on your website; can I know where this recent security update for v7 is announced? Is it only for Pro, or also for Lite?
As a user, how are we supposed to track your security updates?

Igor AfterLogic Support
Joined: 24 June 2008 Location: United States
Online Status: Offline Posts: 6104
Posted: 07 October 2021 at 1:41am
Quote:
I couldn't find it on your website; can I know where this recent security update for v7 is announced? Is it only for Pro, or also for Lite?
The feature affected is only available in the Pro version, so there was no update for Lite:
Addressing DAV-related vulnerability in WebMail and Aurora
Quote:
As a user, how are we supposed to track your security updates?
You can follow our Twitter and Facebook feeds.
--
Regards,
Igor, Afterlogic Support

paul2021 Newbie
Joined: 03 October 2021
Online Status: Offline Posts: 24
Posted: 07 October 2021 at 11:37pm
Thanks. But it looks like it would be almost impossible to tell security updates from the above busy Twitter and Facebook feeds, which are overwhelmingly about new features.
I can understand there are people who would be interested in new features. But for server admins, after installing your software, their crucial job is to clearly, promptly, get notified about any security patches, with minimal effort on their part, since they have to worry about tons of other risks. After all, if your software is hacked because there is no clear channel to communicate about vulnerabilities, it will hurt your reputation badly, right?
For this reason, important software packages usually have their own single-purpose channel to broadcast security vulnerabilities, be it a mailing list, a webpage listing all vulnerabilities, even a single-purpose Twitter feed for vulnerabilities only, etc.
And the WordPress document is not linked or mentioned in your News page at all:
https://afterlogic.com/news
So in short, is there a clear channel to learn *ONLY* about security advisories, for, say, WebMail Pro PHP, or any AfterLogic products?
Will this page announce ANY security advisories for WebMail 8 Lite? https://github.com/afterlogic/webmail-lite-8/security/advisories
I can't find the same page for WebMail Pro.
I hope you understand I'm not trying to accuse; as a potential user I just wish you to be as strong as possible. Thank you very much for the wonderful software!

Igor AfterLogic Support
Joined: 24 June 2008 Location: United States
Online Status: Offline Posts: 6104
Posted: 07 October 2021 at 11:46pm
There currently isn't a channel related exclusively to security updates, but it sounds like a good idea; we'll consider it and will discuss this internally. Thank you.
--
Regards,
Igor, Afterlogic Support

paul2021 Newbie
Joined: 03 October 2021
Online Status: Offline Posts: 24
Posted: 08 October 2021 at 8:29am
Thanks. I understand the lack of this channel may be partially because your software only got infrequent vulnerabilities: https://www.cvedetails.com/vendor/6423/Afterlogic.html
Although there is similar software that does better, and more worrisomely, the above page shows your software begins to incur vulnerabilities at a faster pace in the last few years. Many software packages were driven by features and ended up with too many vulnerabilities to use. It looks like many of your clients are large installations that value stability, so hopefully you can do better in this regard.

Igor AfterLogic Support
Joined: 24 June 2008 Location: United States
Online Status: Offline Posts: 6104
Posted: 11 October 2021 at 3:07am
Quote:
2. This page said it's not supported in 9 yet:
https://afterlogic.com/docs/webmail-lite/developers-guide/password-change-in-mail-server-database
Have just confirmed that the module is compatible with v9. Thanks.
--
Regards,
Igor, Afterlogic Support

paul2021 Newbie
Joined: 03 October 2021
Online Status: Offline Posts: 24
Posted: 17 October 2021 at 7:26am
Thanks so much for your kind help!

paul2021 Newbie
Joined: 03 October 2021
Online Status: Offline Posts: 24
Posted: 17 October 2021 at 3:29pm
Sorry, not sure if I should ask in a new thread, but do you have a link to download each point release, including the latest release and the past releases?
I only found this download link: https://afterlogic.org/download/webmail-lite-php , but it looks like it's a snapshot of the latest files? Or is it actually the v9.1.1 release?
I'm interested in comparing your v9 to v8, but not sure if you still provide a download link for v8. Thanks.

Igor AfterLogic Support
Joined: 24 June 2008 Location: United States
Online Status: Offline Posts: 6104
Posted: 17 October 2021 at 11:32pm
While we don't usually keep download links for older builds within the current release, e.g. version 9.1.1 overwrites 9.1.0, we do keep webpages of the previous major versions, and you can get those at:
* v9 - https://afterlogic.org/webmail-lite
* v8 - https://afterlogic.org/webmail-lite-8
* v7 - https://afterlogic.org/webmail-lite-7
Hope this helps.
--
Regards,
Igor, Afterlogic Support