Preventing PHP from entering imap directory

marcel

I have a CentOS server running DirectAdmin. The folder '/home/[account]/imap' and subfolders of this folder contain all email from the email accounts associated with this user. If I now run the following PHP code on one of the websites:

die(json_encode(scandir("/home/[account]/imap")));

I get the full email content of these mailboxes, which means PHP can just access all of the imap email. Because of this, it could only take a single malicious WordPress plugin or composer package to have all my emails leaked!
I would like to prevent PHP running on the server from accessing these folders. When I search Google about this issue, nothing relevant comes up. This worries me. Does this mean that everyone has this 'problem'? Or is my DirectAdmin/server just misconfigured?

Is there some setting in PHP, DirectAdmin or the server that I overlooked?

I have also thought about splitting the MAILserver from the WEBserver over 2 accounts for extra security. Could not find any information on this either?

Best regards and best wishes for 2023!
 
If you worry about IMAP folders being accessed from outside a mail server, then you might consider using key-based encryption in Dovecot. Otherwise your emails can be read via FTP, the DirectAdmin interface, or a Perl, PHP or bash script added into cron. And the open_basedir restriction won't protect you.
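An added example, not part of any post in this thread: a small audit an admin could run to see why open_basedir alone does not help. It takes the /home/[account]/imap path from the first post; the `domains` web directory and the idea that site code runs as the owner of that directory are assumptions, and group permissions are not evaluated.

```sh
#!/bin/sh
# Added example, not from the thread. <home>/imap is the path the post
# names; <home>/domains as the web root is an assumption.

# Numeric owner uid of a path, via portable `ls -ldn`.
owner_uid() { ls -ldn "$1" | awk '{print $3}'; }

# "Other" permission triplet of a path, e.g. "r-x" or "---".
other_bits() { ls -ldn "$1" | awk '{print substr($1, 8, 3)}'; }

# maildir_exposure HOME [WEBDIR] -> prints one verdict word:
#   world-accessible  any local account can list or enter the mail store
#   same-uid          web content and mail share an owner, so any code
#                     running as that uid (PHP, Perl, cron, FTP) reaches
#                     the mail; open_basedir only limits PHP itself
#   separated         different owner and no access for "other"
#                     (group access is not checked here)
maildir_exposure() {
    home=$1
    web=${2:-$home/domains}
    mail=$home/imap
    [ -d "$mail" ] || { echo no-maildir; return 0; }
    [ -d "$web" ] || { echo no-webdir; return 0; }
    case $(other_bits "$mail") in
        *[rxt]*) echo world-accessible; return 0 ;;
    esac
    if [ "$(owner_uid "$mail")" = "$(owner_uid "$web")" ]; then
        echo same-uid
    else
        echo separated
    fi
}

# Usage: sh script.sh /home/account1 /home/account2 ...
for h in "$@"; do
    printf '%s: %s\n' "$h" "$(maildir_exposure "$h")"
done
```

A `same-uid` verdict means file permissions cannot tell the website's code apart from the mailbox owner, which is why the reply points to encryption at rest rather than a PHP setting.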
 
Both thank you for your answer..! Indeed it looked like open_basedir could solve the issue, however in case of Perl or other we would indeed have the same issue... Therefore I would like to extend my request; I would like to make 2 users on the server. One user (user1) hosting the web domain www.domain.com and one user (user2) hosting the mail domain mail.domain.com. This should probably solve the issue (also), but I could not find any information on this (either). Would this solve the issue and how many users are using the encryption? Would that (the encryption) be a better option and easier to install/maintain?
 
how many users are using the encryption?

In the world?

Would that (the encryption) be a better option and easier to install/maintain?

Depends on your business model, hosting organization, security requirements, etc.

DirectAdmin won't allow having the same domain under two user accounts. But one can simulate it by using a customization, or even customize the services to store Maildir under a separate partition. It all depends on how many hours or how much money you want to invest into the setup.
 
In the world?

Actually yes... In percentage? I mean, is this a commonly used option?

Depends on your business model, hosting organization, security requirements, etc.

For our own firm, no other users on the server.

DirectAdmin won't allow having the same domain under two user accounts. But one can simulate it by using a customization, or even customize the services to store Maildir under a separate partition. It all depends on how many hours or how much money you want to invest into the setup.

Thanks for explaining. Customisation is not the way to go for us... Probably only leaves us with the encryption option. Will dive into that for now... -- But still it is strange that every WordPress plugin you would have, would be able to just copy your whole email to an external party..?!
 
Actually yes... In percentage? I mean, is this a commonly used option?

DirectAdmin does not offer it, so it is not frequently requested by DirectAdmin users/admins, I guess.
You might check documentation here: https://doc.dovecot.org/configuration_manual/mail_crypt_plugin/

But moving emails to an external partition is already in a wish list of DirectAdmin users/admins.

But still it is strange that every WordPress plugin you would have, would be able to just copy your whole email to an external party..?!

I use default WordPress installations for learning purposes only. I don't use it for my sites.
 