Hello everyone,
I have a question about the Message Viewer in the MailWatch interface: is it possible to disable the Message Viewer function for a specific user, or entirely? If so, where can I find this? I have looked all over but can't seem to find a setting for this in the config files. The only thing I have found so far is how to disable this for items specifically in the Quarantined section.
Thanks in advance.
Rory.
EFA Message Viewer
Re: EFA Message Viewer
Why are you trying to do this? Perhaps that explanation will give us a better idea of what you really need.
Normally, users will only be able to see their own mail, so if it is their mail, who cares if they can see it in the message viewer or not.
What is the problem you are really trying to solve?
Re: EFA Message Viewer
Sure no problem.
We use EFA as a spamfilter for a large amount of different domains. Me and several of my co-workers use the same "Administrator" account to release / ham / spam e-mails etcetera. There has recently been a security breach of sorts, where someone was reading the contents of an e-mail intended for a customer. I would like to prevent this from happening again without having to restrict access. In short, I would like to disable the Message Viewer entirely if possible.
If this isn't possible, that's no problem at all. I will just have to restrict access to this account.
Re: EFA Message Viewer
Yeah, that's what I thought was the problem.
In short, there is no direct way, as far as I know. If someone can log into the mailscanner ui and get access to the messages, then they will have access to the message viewer.
I think what it'll need is a change to the php code to wrap it in a security check, something like:
Code:
if user is "privileged"
then allow the message to be displayed in the message viewer.
else nothing
We'd need to submit it to the mailscanner project as a feature request.
Re: EFA Message Viewer
further thoughts:
in /var/www/html/mailscanner/detail.php at around line 527 (efa 3.0.2.3, your line may be different) there is the following code:
Code:
if (
(
$item['dangerous'] === 'N' ||
$_SESSION['user_type'] === 'A' ||
(defined('DOMAINADMIN_CAN_SEE_DANGEROUS_CONTENTS') && true === DOMAINADMIN_CAN_SEE_DANGEROUS_CONTENTS && $_SESSION['user_type'] === 'D' && $item['dangerous'] === 'Y')
) && preg_match('!message/rfc822!', $item['type'])
) {
echo ' <td><a href="viewmail.php?token=' . $_SESSION['token'] .'&id=' . $item['msgid'] . '">' .
substr($item['path'], strlen($quarantinedir) + 1) .
'</a></td>' . "\n";
} else {
echo ' <td>' . substr($item['path'], strlen($quarantinedir) + 1) . "</td>\n";
}
Change the first line from this:
Code:
if (
to this:
Code:
if ( false &&
and that will disable the link to the message viewer for everyone.
Next in viewmail.php, add this to line 2
Code:
die();
These two changes are a poor man's security fix to prevent administrators from peeking into customers' messages. This actually will prevent anyone from peeking at messages and may be more annoying than good.
This does not prevent anyone with ssh access from accessing the messages directly, or changing the code themselves to give themselves access.
You'll lose these changes on updates.
Re: EFA Message Viewer
Thanks a lot for the response PDwalker, I will try to look into this as soon as possible.
Re: EFA Message Viewer
In the current version of EFA as of this date, /var/www/html/mailscanner/detail.php
Code:
536 // If the file is in message/rfc822 format and isn't dangerous - create a link to allow it to be viewed
537 // Domain admins can view the file only if enabled
538 if (
539 (
540 $item['dangerous'] === 'N' ||
541 $_SESSION['user_type'] === 'A' ||
542 (defined('DOMAINADMIN_CAN_SEE_DANGEROUS_CONTENTS') && true === DOMAINADMIN_CAN_SEE_DANGEROUS_CONTENTS && $_SESSION['user_type'] === 'D' && $item['dangerous'] === 'Y')
543 ) && preg_match('!message/rfc822!', $item['type'])
544 ) {
545 echo ' <td><a href="viewmail.php?token=' . $_SESSION['token'] .'&id=' . $item['msgid'] . '">' .
546 substr($item['path'], strlen($quarantinedir) + 1) .
547 '</a></td>' . "\n";
548 } else {
549 echo ' <td>' . substr($item['path'], strlen($quarantinedir) + 1) . "</td>\n";
550 }
Change line 538 from this:
Code:
if (
to this:
Code:
if ( false &&
Also change viewmail.php as described above.
This isn't foolproof, but it'll stop the honest people.
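As an added example (not code from the EFA or MailWatch project, and not from the posts above), here is one way to do the same thing as the `if ( false &&` / `die();` edits without leaving a dangling `false &&` in the condition: one helper that decides whether the viewer may show an item, used both for the link in detail.php and as a guard at the top of viewmail.php. The `MESSAGE_VIEWER_ENABLED` constant is a hypothetical setting you would define yourself in conf.php, not a real MailWatch option; `$item` and `$_SESSION` fields are the ones quoted in the thread, and the usage comments assume viewmail.php has already looked up `$item` for the requested id. Since the thread's problem is a shared Administrator login, note that the per-item rule still lets user_type 'A' through; the kill switch is what closes the viewer for everyone, and the denied attempts are logged so a shared account at least leaves a trace. Assumes PHP 7 or later.

```php
<?php
// Added example, not MailWatch/EFA project code.
// Assumption: MESSAGE_VIEWER_ENABLED is a hypothetical constant set in conf.php,
// e.g. define('MESSAGE_VIEWER_ENABLED', false); to switch the viewer off.

/** Return true when the current session may open $item in the message viewer. */
function message_viewer_allowed(array $session, array $item): bool
{
    // Global kill switch: when off (or undefined), nobody gets the viewer,
    // whatever the per-item rule below says.
    if (!defined('MESSAGE_VIEWER_ENABLED') || MESSAGE_VIEWER_ENABLED !== true) {
        return false;
    }
    // Only message/rfc822 items are viewable at all (same test as detail.php).
    if (!isset($item['type']) || !preg_match('!message/rfc822!', $item['type'])) {
        return false;
    }
    $userType  = $session['user_type'] ?? '';
    $dangerous = $item['dangerous'] ?? 'Y';   // treat a missing flag as dangerous
    // Same rule as the detail.php condition quoted in the thread.
    $domainAdminOk = defined('DOMAINADMIN_CAN_SEE_DANGEROUS_CONTENTS')
        && DOMAINADMIN_CAN_SEE_DANGEROUS_CONTENTS === true
        && $userType === 'D' && $dangerous === 'Y';
    return $dangerous === 'N' || $userType === 'A' || $domainAdminOk;
}

/**
 * Guard for the top of viewmail.php: refuse early with a 403 instead of an
 * unconditional die(), and log the attempt so a shared login leaves a trace.
 */
function enforce_message_viewer_access(array $session, array $item, string $requestToken): void
{
    // Constant-time comparison of the session token carried in the link.
    $tokenOk = isset($session['token']) && hash_equals($session['token'], $requestToken);
    if (!$tokenOk || !message_viewer_allowed($session, $item)) {
        error_log(sprintf('viewmail denied: user_type=%s msgid=%s remote=%s',
            $session['user_type'] ?? '-', $item['msgid'] ?? '-',
            $_SERVER['REMOTE_ADDR'] ?? '-'));
        http_response_code(403);
        exit('Message viewer is disabled.');
    }
}

// Usage in detail.php, replacing the inline condition around the link:
//   if (message_viewer_allowed($_SESSION, $item)) {
//       echo ' <td><a href="viewmail.php?token=' . $_SESSION['token'] . '&id=' . $item['msgid'] . '">'
//           . substr($item['path'], strlen($quarantinedir) + 1) . '</a></td>' . "\n";
//   } else {
//       echo ' <td>' . substr($item['path'], strlen($quarantinedir) + 1) . "</td>\n";
//   }
// Usage near the top of viewmail.php, once $item has been loaded for $_GET['id']:
//   enforce_message_viewer_access($_SESSION, $item, $_GET['token'] ?? '');
```

Because the decision lives in one function, turning the viewer back on later is a one-line change in conf.php rather than hunting for the `false &&` again, and the viewmail.php guard still holds if someone reaches the URL without going through the link. As PDwalker says, none of this helps against someone with ssh access to the quarantine directory, and the edits are overwritten on update.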