Disabling mailman

Discussion in 'Security' started by Spork Schivago, Nov 8, 2016.

  1. Spork Schivago

    Spork Schivago Well-Known Member

    Hi,

    I posted in the security thread because I received a security audit and it showed that one of the problems they found with my server is that it's running mailman, again.

    I can't figure out how to prevent URLs like:
    example.com.com/mailman/listinfo/

    from returning valid mailman webpages. I have mailman disabled in WHM. It's not running. qrunner isn't running....I don't see why I can access the mailman pages if it's disabled and I'd like to figure out how to prevent these pages from showing up.

    I thought I asked this before and received an answer but I can't seem to find it now. Any thoughts? Thanks.
     
    #1 Spork Schivago, Nov 8, 2016
    Last edited by a moderator: Nov 9, 2016
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello @Spork Schivago,

    I've reproduced this behavior and confirmed that disabling Mailman via "WHM >> Tweak Settings" doesn't automatically remove the following entries from /etc/apache2/conf/httpd.conf on systems using EasyApache 4:

    Code:
    # grep mailman /usr/local/apache/conf/httpd.conf
        Alias /mailman/archives /usr/local/cpanel/3rdparty/mailman/archives/public/
        Alias /pipermail /usr/local/cpanel/3rdparty/mailman/archives/public/
        ScriptAlias /mailman /usr/local/cpanel/3rdparty/mailman/cgi-bin/
    Internal case CPANEL-9722 is open to address this issue, and I'll update this thread with more information on the status of this case as it becomes available. In the meantime, you can create the following file as a temporary workaround:

    Code:
     /usr/local/cpanel/3rdparty/mailman/cgi-bin/.htaccess
    Within this file, add the following lines:

    Code:
    <Limit GET POST>
    order deny,allow
    deny from all
    </Limit>
    
    <Limit PUT DELETE>
    order deny,allow
    deny from all
    </Limit>
    Be sure to remove this file once a resolution is published.

    Thank you.
     
    Spork Schivago likes this.
  3. Spork Schivago

    Spork Schivago Well-Known Member

    Thank you. Because I've only signed up for the free version of the scans on the security auditing website I use, I cannot scan my server at will. It gets scanned automatically once a week. I won't know if this actually fixes the problem or not until they scan me again.

    I remember this solution from before though. I'm certain I've asked this question on here and got the same answer, a while back. I just can't find it. I'm thinking maybe mailman got updated and my .htaccess file got removed. I even remember having to edit the .htaccess file to block the stuff.
     
  4. Spork Schivago

    Spork Schivago Well-Known Member

    No updates on CPANEL-9722? I noticed the problem still exists. I'm using a ea4_main.local template so I just commented the mailman aliases stuff out in there and rebuilt the Apache2 config file.
     
  5. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    There's no update to report on the status of this case at this time. I'll continue to monitor the case and report back here once we've made some progress.

    Thank you.
     
    Spork Schivago likes this.
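
A check for the two mitigations discussed in this thread (commenting out the aliases, or the `.htaccess` workaround that an update may remove), as an added example that is not part of the original posts and is not cPanel code. The function names are hypothetical; the default paths are the ones quoted in the thread, and the sample config is constructed.

```shell
#!/usr/bin/env bash
# Added example (not cPanel code): audit the Mailman web exposure from this thread.

# Print Mailman Alias/ScriptAlias directives that are not commented out.
active_mailman_aliases() {
    grep -Ei '^[[:space:]]*(Script)?Alias[[:space:]]+/(mailman|pipermail)' "$1"
}

# Succeed if <cgi_dir>/.htaccess exists and contains a "deny from all" line.
htaccess_blocks() {
    [ -f "$1/.htaccess" ] &&
        grep -Eiq '^[[:space:]]*deny[[:space:]]+from[[:space:]]+all' "$1/.htaccess"
}

# Echo CLEAN (no active aliases), BLOCKED (aliases active, .htaccess deny present),
# EXPOSED (aliases active, no deny) or UNKNOWN (config file unreadable).
# Returns 0 for CLEAN/BLOCKED, 1 for EXPOSED, 2 for UNKNOWN.
mailman_exposure() {
    local conf="${1:-/etc/apache2/conf/httpd.conf}"
    local cgi_dir="${2:-/usr/local/cpanel/3rdparty/mailman/cgi-bin}"
    if [ ! -r "$conf" ]; then echo UNKNOWN; return 2; fi
    if ! active_mailman_aliases "$conf" >/dev/null; then
        echo CLEAN
    elif htaccess_blocks "$cgi_dir"; then
        echo BLOCKED
    else
        echo EXPOSED; return 1
    fi
}

# Constructed sample: the three directives quoted in the thread, in a temp dir.
demo() {
    local d; d=$(mktemp -d)
    mkdir "$d/cgi-bin"
    cat > "$d/httpd.conf" <<'EOF'
    Alias /mailman/archives /usr/local/cpanel/3rdparty/mailman/archives/public/
    Alias /pipermail /usr/local/cpanel/3rdparty/mailman/archives/public/
    ScriptAlias /mailman /usr/local/cpanel/3rdparty/mailman/cgi-bin/
EOF
    echo "aliases active, no .htaccess: $(mailman_exposure "$d/httpd.conf" "$d/cgi-bin")"
    printf 'order deny,allow\ndeny from all\n' > "$d/cgi-bin/.htaccess"
    echo "workaround file in place:     $(mailman_exposure "$d/httpd.conf" "$d/cgi-bin")"
    sed 's/^/#/' "$d/httpd.conf" > "$d/commented.conf"
    echo "aliases commented out:        $(mailman_exposure "$d/commented.conf" "$d/cgi-bin")"
    rm -rf "$d"
}
demo
```

BLOCKED only reflects the `.htaccess` in `cgi-bin`, which the `ScriptAlias /mailman` line points to; the two archive `Alias` lines map to `archives/public/`, a different directory that this file does not cover. Running the check from cron after updates would catch the case where the workaround file disappears.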