Mail and Security - Thinking about user and groups
rethus
Post: #1
Mail and Security - Thinking about user and groups
I see that all mail accounts have the same user and group: vmail:mail

I think this could be a security vulnerability?! So if there is a little security hole in the webmailer application, a user could be able to change only the domain name and see other mail accounts in his webmailer.

What do you think about this? Is it possible?
04-18-2010 06:11 PM
joximu
Post: #2
RE: Mail and Security - Thinking about user and groups
The webmail system does not have access to the mail files. The IMAP server is in between...

So, if the IMAP server has a security hole then it might be possible to access others' mailboxes - but this might also be the case if the users were real users and groups.

It seems that this way is often used to manage virtual mail users.

/J
04-19-2010 03:47 AM
Nuxwin
Post: #3
RE: Mail and Security - Thinking about user and groups
(04-18-2010 06:11 PM) rethus Wrote: I see that all mail accounts have the same user and group: vmail:mail

I think this could be a security vulnerability?! So if there is a little security hole in the webmailer application, a user could be able to change only the domain name and see other mail accounts in his webmailer.

What do you think about this? Is it possible?

Lol :D :D :D
04-19-2010 04:02 AM
aseques
Post: #4
RE: Mail and Security - Thinking about user and groups
The webmail application just mimics an IMAP client. So the bug should be in the IMAP server (either Courier or Dovecot for some); these servers, with a good configuration, are generally quite strong in terms of security.
Also, they are using vmail:vmail for the user:group so they can drop privileges and use vmail:vmail instead of a privileged user who could write as any user (and by doing this, they avoid the risk of being used to exploit the server).
04-20-2010 08:27 PM
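The replies above rest on the webmail process having no direct access to the mail files, so that the IMAP server running as the shared mail account is the only reader. The following audit is an added example, not code from this thread or from the panel it discusses: it walks a mail spool and reports entries that would break that assumption on the filesystem. The function names, the spool layout and the `web_gids` parameter (group ids the webmail process runs with) are assumptions for illustration.

```python
import os
import stat
import tempfile

def audit_mail_tree(root, mail_uid, web_gids=()):
    """Return sorted (relative_path, problem) pairs for a shared-uid mail spool."""
    findings = []
    paths = [root]
    for dirpath, dirs, files in os.walk(root):  # does not follow symlinked dirs
        paths += [os.path.join(dirpath, n) for n in dirs + files]
    for path in paths:
        st = os.lstat(path)
        rel = os.path.relpath(path, root)
        if stat.S_ISLNK(st.st_mode):
            # A link could point the mail uid at files outside the spool.
            findings.append((rel, "symlink in spool"))
            continue
        if st.st_uid != mail_uid:
            findings.append((rel, "not owned by mail uid"))
        if st.st_mode & stat.S_IRWXO:
            # Any local account, including the web server's, gets access.
            findings.append((rel, "accessible to other local users"))
        if st.st_mode & stat.S_IRWXG and st.st_gid in web_gids:
            # Group bits are set and the webmail process is in that group.
            findings.append((rel, "group access reaches webmail process"))
    return sorted(findings)

def make_constructed_spool(msg_mode=0o600):
    """Build a throwaway spool (constructed sample): example.test/alice/cur/msg1."""
    root = tempfile.mkdtemp(prefix="vmail-audit-")
    cur = os.path.join(root, "example.test", "alice", "cur")
    os.makedirs(cur)
    for dirpath, _dirs, _files in os.walk(root):
        os.chmod(dirpath, 0o700)
    msg = os.path.join(cur, "msg1")
    with open(msg, "w") as fh:
        fh.write("Subject: constructed sample\n\nbody\n")
    os.chmod(msg, msg_mode)
    return root, msg

if __name__ == "__main__":
    # Constructed demo: one world-readable message in an otherwise tight spool.
    root, _msg = make_constructed_spool(0o644)
    for rel, problem in audit_mail_tree(root, os.getuid()):
        print(f"{rel}: {problem}")
```

On a real host the root would be the spool directory and `mail_uid` the uid of the shared mail account; an empty result means only that account can read the mailboxes locally.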