EFA Message Viewer

Posted: 11 Oct 2017 12:18
by rvwaveren
Hello everyone,

I have a question about the Message Viewer in the MailWatch interface, is it possible to disable the Message Viewer function for a specific user / entirely? If so where can I find this. I have looked all over but can't seem to find a setting for this in the config files. The only thing I have found so far is how to disable this for items specifically in the Quarantined section.

Thanks in advance.

Rory.

Re: EFA Message Viewer

Posted: 12 Oct 2017 09:40
by pdwalker
Why are you trying to do this? Perhaps that explanation will give us a better idea of what you really need.

Normally, users will only be able to see their own mail, so if it is their mail, who cares if they can see it in the message viewer or not.

What is the problem you are really trying to solve?

Re: EFA Message Viewer

Posted: 12 Oct 2017 10:24
by rvwaveren
Sure no problem.

We use EFA as a spam filter for a large number of different domains. Several of my co-workers and I use the same "Administrator" account to release / ham / spam e-mails etc. There has recently been a security breach of sorts, where someone was reading the contents of an e-mail intended for a customer. I would like to prevent this from happening again without having to restrict access. In short, I would like to disable the Message Viewer entirely if possible.

If this isn't possible, that's no problem at all. I will just have to restrict access to this account.

Re: EFA Message Viewer

Posted: 12 Oct 2017 17:44
by pdwalker
Yeah, that's what I thought was the problem.

In short, there is no direct way, as far as I know. If someone can log into the MailScanner UI and get access to the messages, then they will have access to the message viewer.

I think what it'll need is a change to the PHP code to wrap it in a security check, something like:

if ($_SESSION['user_type'] === 'A') {
    // user is "privileged": allow the message to be displayed in the message viewer
} else {
    // else nothing
}

We'd need to submit it to the MailScanner project as a feature request.

Re: EFA Message Viewer

Posted: 12 Oct 2017 18:07
by pdwalker
further thoughts:

In /var/www/html/mailscanner/detail.php at around line 527 (EFA 3.0.2.3; your line may be different) there is the following code:

if (
    (
        $item['dangerous'] === 'N' ||
        $_SESSION['user_type'] === 'A' ||
        (defined('DOMAINADMIN_CAN_SEE_DANGEROUS_CONTENTS') && true === DOMAINADMIN_CAN_SEE_DANGEROUS_CONTENTS && $_SESSION['user_type'] === 'D' && $item['dangerous'] === 'Y')
    ) && preg_match('!message/rfc822!', $item['type'])
) {
    echo '  <td><a href="viewmail.php?token=' . $_SESSION['token'] .'&amp;id=' . $item['msgid'] . '">' .
        substr($item['path'], strlen($quarantinedir) + 1) .
        '</a></td>' . "\n";
} else {
    echo '  <td>' . substr($item['path'], strlen($quarantinedir) + 1) . "</td>\n";
}

Change the first line from this:

    if (

to this:

    if ( false &&

and that will disable the link to the message viewer for everyone.

Next, in viewmail.php, add this at line 2:

    die();

These two changes are a poor man's security fix to prevent administrators from peeking into customers' messages. This actually will prevent anyone from peeking at messages and may be more annoying than good.

This does not prevent anyone with SSH access from accessing the messages directly, or from changing the code themselves to give themselves access.

You'll lose these changes on updates.

Re: EFA Message Viewer

Posted: 20 Oct 2017 14:09
by rvwaveren
Thanks a lot for the response PDwalker, I will try to look into this as soon as possible.

Re: EFA Message Viewer

Posted: 29 Mar 2022 09:40
by pdwalker
In the current version of EFA as of this date, /var/www/html/mailscanner/detail.php contains:

536             // If the file is in message/rfc822 format and isn't dangerous - create a link to allow it to be viewed
537             // Domain admins can view the file only if enabled
538             if (
539                 (
540                     $item['dangerous'] === 'N' ||
541                     $_SESSION['user_type'] === 'A' ||
542                     (defined('DOMAINADMIN_CAN_SEE_DANGEROUS_CONTENTS') && true === DOMAINADMIN_CAN_SEE_DANGEROUS_CONTENTS && $_SESSION['user_type'] === 'D' && $item['dangerous'] === 'Y')
543                 ) && preg_match('!message/rfc822!', $item['type'])
544             ) {
545                 echo '  <td><a href="viewmail.php?token=' . $_SESSION['token'] .'&amp;id=' . $item['msgid'] . '">' .
546                     substr($item['path'], strlen($quarantinedir) + 1) .
547                     '</a></td>' . "\n";
548             } else {
549                 echo '  <td>' . substr($item['path'], strlen($quarantinedir) + 1) . "</td>\n";
550             }

Change line 538 from

    if (

to

    if ( false &&

Also change viewmail.php as described above.

This isn't foolproof, but it'll stop the honest people.
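The per-user check pdwalker sketched earlier in the thread ("if user is privileged then allow the message to be displayed, else nothing"), written out as a gate for viewmail.php instead of the blanket die(). This is an added example and is not code from MailWatch, EFA or either poster. It assumes MailWatch has already populated $_SESSION['user_type'] ('A' for admin, as the detail.php excerpt above uses) and $_SESSION['myusername'] with the login name before viewmail.php runs, and it introduces a hypothetical conf.php constant VIEWMAIL_ALLOWED_USERS, a comma-separated list of login names, in the style of DOMAINADMIN_CAN_SEE_DANGEROUS_CONTENTS. The idea is that named personal accounts keep the viewer while the shared "Administrator" account, left off the list, can still release and train mail but gets a 403 and a log line when it tries to open a message. The example names in the default define() are constructed.

```php
<?php
// Added example, not MailWatch/EFA code: a per-user gate for viewmail.php that
// replaces the blanket die() suggested in the thread.
// Assumptions (not from the original page):
//   - MailWatch has started the session and set $_SESSION['user_type'] ('A' = admin)
//     and $_SESSION['myusername'] (login name) before this code runs.
//   - VIEWMAIL_ALLOWED_USERS is a hypothetical constant the operator defines in
//     conf.php as a comma-separated list of login names allowed to use the viewer.
//     The define() below only supplies a default so this file runs stand-alone.
// Written without PHP 7 syntax so it also runs on the older PHP shipped with EFA 3.

if (!defined('VIEWMAIL_ALLOWED_USERS')) {
    define('VIEWMAIL_ALLOWED_USERS', 'rory,alice');   // constructed example names
}

/**
 * True only for an admin session whose login name is on the allow-list.
 * Everything else (missing session keys, domain admins, plain users, and the
 * shared account left off the list) fails closed.
 */
function viewmail_allowed(array $session, $allowedCsv)
{
    if (!isset($session['user_type']) || $session['user_type'] !== 'A') {
        return false;
    }
    if (!isset($session['myusername'])) {
        return false;
    }
    $user = strtolower(trim((string) $session['myusername']));
    if ($user === '') {
        return false;
    }
    $allowed = array();
    foreach (explode(',', (string) $allowedCsv) as $name) {
        $name = strtolower(trim($name));
        if ($name !== '') {
            $allowed[] = $name;
        }
    }
    return in_array($user, $allowed, true);
}

/**
 * Enforce the gate before any quarantine file is opened: record who was refused
 * in the web server error log and stop with a 403 instead of rendering the message.
 */
function viewmail_enforce(array $session, $allowedCsv, $msgid)
{
    if (viewmail_allowed($session, $allowedCsv)) {
        return;
    }
    $who  = isset($session['myusername']) ? $session['myusername'] : 'unknown';
    $from = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    // The id comes from the query string, so strip anything that could forge
    // extra log lines (newlines, control characters) before logging it.
    $safeId = preg_replace('/[^A-Za-z0-9._-]/', '_', (string) $msgid);
    error_log(sprintf('viewmail denied: user=%s from=%s msgid=%s', $who, $from, $safeId));
    http_response_code(403);
    die('The message viewer is not enabled for this account.');
}

// Usage in viewmail.php, after MailWatch's own session and token checks and
// before the message is read from the quarantine:
//   viewmail_enforce($_SESSION, VIEWMAIL_ALLOWED_USERS, isset($_GET['id']) ? $_GET['id'] : '');
```

The same function can stand in for the `false &&` edit in detail.php, so the link is only rendered for sessions that could actually open it: change the `if (` on line 538 to `if (viewmail_allowed($_SESSION, VIEWMAIL_ALLOWED_USERS) &&`. Both changes are still local edits to files that an EFA update will overwrite, and like the original suggestion they do nothing against someone with SSH access to the quarantine directory.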