ispCP - Board - Support
Mail and Security - Thinking about user and groups - Printable Version

+- ispCP - Board - Support (http://www.isp-control.net/forum)
+-- Forum: ispCP Omega Development Area (/forum-1.html)
+--- Forum: General discussion (/forum-11.html)
+--- Thread: Mail and Security - Thinking about user and groups (/thread-10442.html)
Mail and Security - Thinking about user and groups - rethus - 04-18-2010 06:11 PM

I see that all mail accounts have the same user and group: vmail:mail

I think this could be a security vulnerability?! So if there is a little security hole in the webmailer application, a user could be able to change only the domain name and see other mail accounts in his webmailer.

What do you think about this? Is it possible?


RE: Mail and Security - Thinking about user and groups - joximu - 04-19-2010 03:47 AM

The webmail system does not have access to the mail files. The IMAP server is in between...

So, if the IMAP server has a security hole then it might be possible to access others' mailboxes - but this might also be the case if the users were real users and groups.

It seems that this way is often used to manage virtual mail users.

/J


RE: Mail and Security - Thinking about user and groups - Nuxwin - 04-19-2010 04:02 AM

(04-18-2010 06:11 PM)rethus Wrote:  I see that all mail accounts have the same user and group: vmail:mail

I think this could be a security vulnerability?! So if there is a little security hole in the webmailer application, a user could be able to change only the domain name and see other mail accounts in his webmailer.

What do you think about this? Is it possible?

Mdrrrr :D :D :D


RE: Mail and Security - Thinking about user and groups - aseques - 04-20-2010 08:27 PM

The webmail application just mimics an IMAP client. So the bug would have to be in the IMAP server (either Courier or Dovecot for some); with a good configuration these servers are generally quite strong in terms of security.
Also, they use vmail:vmail for the user:group so they can drop privileges and use vmail:vmail instead of a privileged user who could write as any user (and by doing this they avoid the risk of being used to exploit the server).
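The point made in this thread is that with one shared vmail account the filesystem no longer separates mailboxes from each other, so isolation rests on the IMAP server's authentication plus the mail tree being unreadable to every other local account (the webmail's PHP user included). The following audit script is an added example, not ispCP's own code; it assumes a Maildir layout of MAIL_ROOT/domain/user/Maildir and GNU stat, and flags any Maildir that is not owned by the expected account or that grants any group/other permission.

```sh
#!/bin/sh
# Added example (not from the thread or ispCP): audit a virtual-mail tree in
# which every mailbox is stored under one system account (vmail). With a
# single uid, per-user isolation is enforced by the IMAP server, so the only
# filesystem guarantee left is that nothing outside that uid can read the tree.
# Assumed layout: $MAIL_ROOT/<domain>/<user>/Maildir (path is an assumption).

MAIL_OWNER="${MAIL_OWNER:-vmail}"

# Print one line per Maildir whose owner or mode would let another local
# account (e.g. the webmail's PHP user) read it.
# Returns 0 when the tree is clean, 1 when at least one Maildir is exposed.
audit_maildirs() {
    root="$1"
    bad=0
    for mdir in "$root"/*/*/Maildir; do
        [ -d "$mdir" ] || continue
        owner=$(stat -c '%U' "$mdir")   # GNU stat; assumption for this example
        mode=$(stat -c '%a' "$mdir")    # e.g. 700, 750, 2700
        others=${mode#"${mode%??}"}     # last two octal digits: group + other
        if [ "$owner" != "$MAIL_OWNER" ] || [ "$others" != "00" ]; then
            printf '%s owner=%s mode=%s\n' "$mdir" "$owner" "$mode"
            bad=1
        fi
    done
    return "$bad"
}

# Constructed demo tree so the script runs stand-alone without a mail server:
# alice's Maildir is tight (0700), bob's is group-readable (0750).
build_demo_tree() {
    demo=$(mktemp -d)
    mkdir -p "$demo/example.com/alice/Maildir" "$demo/example.com/bob/Maildir"
    chmod 700 "$demo/example.com/alice/Maildir"
    chmod 750 "$demo/example.com/bob/Maildir"
    printf '%s\n' "$demo"
}

# Real usage on a server:  MAIL_OWNER=vmail audit_maildirs /var/mail/virtual
```

On a real host run it as root so stat can read every directory; a non-empty report means an account other than vmail could read that mailbox regardless of what the IMAP server enforces.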