Current time: 11-16-2024, 10:29 AM Hello There, Guest! (LoginRegister)


Post Reply 
Mail and Security - Thinking about user and groups
Author Message
rethus Offline
Junior Member
*

Posts: 202
Joined: May 2009
Reputation: 3
Post: #1
Mail and Security - Thinking about user and groups
I see, that all mail-accounts have the same user and group...: vmail:mail

I think this could be a security vulnerably ?! So if there is a little security-whole into the Webmailer-Application a User could be able to change only the domain-name and see other Mail-Accounts in his Webmailer.

What u tinken about this? Is it possible?
04-18-2010 06:11 PM
Find all posts by this user Quote this message in a reply
joximu Offline
helper
*****
Moderators

Posts: 7,024
Joined: Jan 2007
Reputation: 92
Post: #2
RE: Mail and Security - Thinking about user and groups
The webmail system does not have access to the mail files. The IMAP server is in between...

So, if the IMAP server has a security hole then it might be possible to access others mailboxes - but this might also be the case if the users were real users and groups.

It seems that this way is often used to manage virtual mail users.

/J
04-19-2010 03:47 AM
Visit this user's website Find all posts by this user Quote this message in a reply
Nuxwin
Unregistered

 
Post: #3
RE: Mail and Security - Thinking about user and groups
(04-18-2010 06:11 PM)rethus Wrote:  I see, that all mail-accounts have the same user and group...: vmail:mail

I think this could be a security vulnerably ?! So if there is a little security-whole into the Webmailer-Application a User could be able to change only the domain-name and see other Mail-Accounts in his Webmailer.

What u tinken about this? Is it possible?

Mdrrrr Big Grin Big Grin Big Grin
04-19-2010 04:02 AM
Quote this message in a reply
aseques Offline
Member
*****
Dev Team

Posts: 330
Joined: May 2008
Reputation: 4
Post: #4
RE: Mail and Security - Thinking about user and groups
The webmail application just mimics a IMAP client. So the bug should be on the IMAP server (either courier or dovecot for some), these servers with a good configuration generally are quite strong in terms of security.
Also they are using vmail:vmail for the user:group so they can drop privileges and use vmail:vmail instead of a privileged user who could write as any user (and by doing this, they avoid the risk of being used to exploit the server)
04-20-2010 08:27 PM
Find all posts by this user Quote this message in a reply
Post Reply 


Forum Jump:


User(s) browsing this thread: 1 Guest(s)