EFA Message Viewer

rvwaveren
Posts: 7
Joined: 01 Jun 2016 13:29

EFA Message Viewer

Post by rvwaveren » 11 Oct 2017 12:18

Hello everyone,

I have a question about the Message Viewer in the MailWatch interface: is it possible to disable the Message Viewer function for a specific user, or entirely? If so, where can I find this? I have looked all over but can't seem to find a setting for this in the config files. The only thing I have found so far is how to disable it for items specifically in the Quarantined section.

Thanks in advance.

Rory.

pdwalker
Posts: 875
Joined: 18 Mar 2015 09:16

Re: EFA Message Viewer

Post by pdwalker » 12 Oct 2017 09:40

Why are you trying to do this? Perhaps that explanation will give us a better idea of what you really need.

Normally, users will only be able to see their own mail, so if it is their mail, who cares if they can see it in the message viewer or not.

What is the problem you are really trying to solve?

rvwaveren
Posts: 7
Joined: 01 Jun 2016 13:29

Re: EFA Message Viewer

Post by rvwaveren » 12 Oct 2017 10:24

Sure no problem.

We use EFA as a spam filter for a large number of different domains. Several of my co-workers and I use the same "Administrator" account to release / ham / spam e-mails etcetera. There has recently been a security breach of sorts, where someone was reading the contents of an e-mail intended for a customer. I would like to prevent this from happening again without having to restrict access. In short, I would like to disable the Message Viewer entirely if possible.

If this isn't possible, that's no problem at all. I will just have to restrict access to this account.

pdwalker
Posts: 875
Joined: 18 Mar 2015 09:16

Re: EFA Message Viewer

Post by pdwalker » 12 Oct 2017 17:44

Yeah, that's what I thought was the problem.

In short, there is no direct way, as far as I know. If someone can log into the MailScanner UI and get access to the messages, then they will have access to the message viewer.

I think what it'll need is a change to the php code to wrap it in a security check, something like:

if user is "privileged"
then allow the message to be displayed in the message viewer.
else nothing

We'd need to submit it to the MailScanner project as a feature request.

pdwalker
Posts: 875
Joined: 18 Mar 2015 09:16

Re: EFA Message Viewer

Post by pdwalker » 12 Oct 2017 18:07

further thoughts:

in /var/www/html/mailscanner/detail.php at around line 527 (efa 3.0.2.3, your line may be different) there is the following code:


if (
    (
        $item['dangerous'] === 'N' ||
        $_SESSION['user_type'] === 'A' ||
        (defined('DOMAINADMIN_CAN_SEE_DANGEROUS_CONTENTS') && true === DOMAINADMIN_CAN_SEE_DANGEROUS_CONTENTS && $_SESSION['user_type'] === 'D' && $item['dangerous'] === 'Y')
    ) && preg_match('!message/rfc822!', $item['type'])
) {
    echo '  <td><a href="viewmail.php?token=' . $_SESSION['token'] .'&amp;id=' . $item['msgid'] . '">' .
        substr($item['path'], strlen($quarantinedir) + 1) .
        '</a></td>' . "\n";
} else {
    echo '  <td>' . substr($item['path'], strlen($quarantinedir) + 1) . "</td>\n";
}

Change the first line from this:

if (

to this:

if ( false &&

and that will disable the link to the message viewer for everyone.

Next, in viewmail.php, add this at line 2:

die();

These two changes are a poor man's security fix to prevent administrators from peeking into customers' messages. This actually will prevent anyone from peeking at messages and may be more annoying than good.

This does not prevent anyone with SSH access from accessing the messages directly, or from changing the code themselves to give themselves access.

You'll lose these changes on updates.
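A more selective variant of the same gate, added here as an example and not MailWatch or EFA project code: instead of a blanket `die();`, a check near the top of viewmail.php that opens the viewer only for an explicit allow-list of admin logins and records every refused attempt, so use of a shared account can at least be traced. It assumes MailWatch's `$_SESSION['user_type']` and `$_SESSION['myusername']` are already populated (so it goes after the session/login include, not on line 2 before it) and that a constant `MESSAGE_VIEWER_ALLOWED_USERS` is defined in conf.php; the constant and the helper function names are hypothetical.

```php
<?php
// Added example, not MailWatch/EFA code. Place after MailWatch's session
// setup so $_SESSION is available. Default is closed: with no allow-list
// configured, nobody gets the message viewer.

// Hypothetical conf.php constant: array of login names allowed to view
// message bodies. Kept short on purpose; everyone else is refused.
if (!defined('MESSAGE_VIEWER_ALLOWED_USERS')) {
    define('MESSAGE_VIEWER_ALLOWED_USERS', []);
}

function message_viewer_allowed(array $session, array $allowed_users): bool
{
    // Require an authenticated session with the full admin type 'A';
    // domain admins ('D') and users ('U') never reach the viewer.
    $user = $session['myusername'] ?? '';
    if ($user === '' || ($session['user_type'] ?? '') !== 'A') {
        return false;
    }
    // Strict comparison so "0" or similar never matches by coercion.
    return in_array($user, $allowed_users, true);
}

function deny_message_viewer(string $user, string $msgid): void
{
    // Audit line in the web server error log: who, which message, from where.
    error_log(sprintf(
        'mailwatch viewmail denied user=%s msgid=%s ip=%s',
        $user,
        $msgid,
        $_SERVER['REMOTE_ADDR'] ?? '-'
    ));
    http_response_code(403);
    exit('Message viewer disabled');
}

// viewmail.php is called as viewmail.php?token=...&id=<msgid>
$msgid = isset($_GET['id']) ? (string) $_GET['id'] : '';
if (!message_viewer_allowed($_SESSION ?? [], MESSAGE_VIEWER_ALLOWED_USERS)) {
    deny_message_viewer($_SESSION['myusername'] ?? 'anonymous', $msgid);
}
// Execution only continues here for allow-listed admins; the rest of the
// original viewmail.php follows unchanged.
```

Like the edits above, this is overwritten on EFA updates, and it does nothing against anyone with shell access to the quarantine directory.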

rvwaveren
Posts: 7
Joined: 01 Jun 2016 13:29

Re: EFA Message Viewer

Post by rvwaveren » 20 Oct 2017 14:09

Thanks a lot for the response pdwalker, I will try to look into this as soon as possible.
