New on LowEndTalk? Please Register and read our Community Rules.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
Comments
I too give up. @willie its actually the first time I see such requirements that have no logic.
Of course the admin has further access. Of course he should be able to reset passwords. Of course that is not possible to allow [email protected] and [email protected] to have different cPanel accounts. Gsuite doesnt allow it either, obviously, you dont want random people to signup using your domain.
I think that you arent suggesting practical implementations. You are describing your ideal practical solution. That being said, you should host your email and prevent yourself from reading mail logs. You need a custom solution.
How can you say it's impractical when all those other hosts implement it in practice and it works perfectly well? That Fastmail includes an option to turn it on and off on a per-mailbox basis because they see that sometimes you want it one way and sometimes the other? This is not quantum theory.
I can't find anything in the gsuite docs saying admins can read other people's mailboxes, other than by resetting the password. Do you have a link? None of the admin privilege levels (see them here under "user management rights") include it. See also this reddit thread or this spiceworks one where people explicitly say it's not possible, unless you set up special tools that appear to intercept the mail using processing hooks.
That further access at most places doesn't appear to include being able to access user mailboxes without at least being able to turn off the ability.
Sure, that's fine, as long as he can't find out the old passwords or restore them after the reset. That means the user definitely gets a service interruption and knows the admin has been doing stuff with the account. We're mostly trying to just prevent sneak-peeking.
I didn't think so either, but Sureiam and yourself both insisted (Sureiam rather vehemently) that the problem could be solved (all users on same domain is part of the requirement and a reasonable one) by enrolling separate mxroute accounts per user. So I wanted to make sure I hadn't overlooked some way to do that.
I'm just surprised that I'm meeting so much confusion over this issue. We all deal with things that are actually complicated and take effort to understand. But I thought this particular thing was at the 2+2=4 level.
I highly doubt any other host lets the admin disconnect from administrative ability to honestly claim "I can't access your email" to their sub users, but I'll take your word for it. I suspect it's merely lack of creative thinking of how to use the functions, or tunnel vision about one specific method. Regardless, I have to balance the needs of many so I appreciate the request but humbly disagree that it's a security issue in light of the other features that I offer, or that any of the other features offered are inappropriate.
We haven't found a single one yet that doesn't have that ability. I can understand if it's a low priority for mxroute though. I'm the only user who has been asking about it and even I don't need it that much, so no sweat. If you get to be a big provider, maybe you'll have occasion to revisit the issue, maybe not.
Suck My Tentacle Penis?
Amateur. Everyone knows that for legal reasons and to prevent mosaic censorship, they are tentacles that spit harmless liquid, and they are absolutely, definitely not penis substitutes.
GSuite? As I said you can reset the password so you can access it. Zoho, Yandex, Rackspace... It seems to me that fastmail is the only provider that doesnt allow the admin to reset the password.
Actually not even Fastmail:
https://www.fastmail.com/help/account/users.html
"Password: You can reset a user's password: we generate a new random password for the user, or you can set your own. You then need to advise the user of their new password. Administrators are also able to disable two-step verification if the user has lost their authentication device."
And:" Privacy: All user data is visible to all admins on the account by default. Marking a user private stops admins from accessing that user's data. The only way to re-enable admin access is if the user restores it (which they can do from the Password & Security screen)."
It doesnt mean the admin user cant reset the password and login.
Tested fastmail and it definitely meets a reasonable criteria for the mentioned use case. I don't like it, seems like a good way to give people a way of opting into increased support requests, which breaks the low cost model. They charge enough to be worth that, but intentionally not charging like that was actually my vision, not just something I did to get sales. Often the case when comparing mxroute to other services, the strong self service model is pretty key. That's why I don't try to be like the others, I set out to be different. Definitely interesting though.
His point on that, @MikePT, was that you can't reasonably reset someone's password without them realizing at least something is up. Not unless you can set it back, which you can't do if you don't know it.
Though, admittedly, just blaming the provider isn't that hard :P
And of course, if you control the domain DNS and are willing to disrupt the service enough, you can just change the MX record to another server and get all the incoming mail after the switchover. So yes I'm mostly only worried about undetected snooping.
Another real-life case: there was a huge ruckus about Wikileaks getting emails from the Hillary Clinton campaign in 2016, that have been blamed on Russian hackers, leaks from campaign higher-ups, and even a theory that Seth Rich was the leaker and got assassinated for it. FBI drama related to the leak is still playing out in the newspapers even today. If the campaign's lowly IT staffer had access to the email, he or she would also have been a big suspect/scapegoat and maybe an assassination target too. So if I were that staffer, I wouldn't want access.
Anyway, yeah, this is an uncommon use case for you right now, so no prob. Once you're making millions of dollars maybe more people will ask for it.
In my opinion mxroute service will improve lot if we could have the following 2 features:
a) Disable/Hide the "Access Webmail" cPanel link/feature so that Admin cannot login the clients accounts.
b) If Admin has to login a client account, he must be forced to reset the client password and create a new one never used before.
Please take in attention that @jarland was always very upfront about the service and we all know it works with cPanel as control panel. That is fine, because never @jarland made false promisses about the service provided.
We don't have to think a lot about the advantages of having a "trustless" service. Just look at the success of blockchain (bitcoin)! It's main feature is to be a system where we don't have to trust a 3rd party.
So in case I'm seling mxroute (or any other email provider/service) service to my clients I should be able to say, that the only way I can access it's email box is by resetting their password.
My clients trust me, and that is the reason they are my clients. But I never want to be in a position where I can be suspect of "sneak peek" in case client email been access by other person.
Also I had the previous personal experience with a specific client that had his email hacked and I had to go to court as a witness, not because the client did not trust me, but because the police forced everyone with access to that specific email account to testify.
My comment is to be taken just as a suggestion for the future of mxroute and all other mail providers. I'm sure that the email providers that will gain more market share in a near future will be the ones that have a high level of security.
I speak for myself that almost every week I have a different client asking me email with 2FA, Yubikeys, login history tracking, etc.. So to all email providers I hope you during 2018 dedicate a big part of your time, thinking on new ways to improve email security.
That only obscures the access slightly, unless the server endpoint is also turned off. The latter would require modifying the code and re-installing the modification on each new version, as Jarland or MikePT mentioned further up, i.e. basically impractical. The next obvious idea is suggest the change to the Cpanel company, but I've always heard them described as unresponsive.
Thank you for the feedback. I definitely understand your concerns. While the admin account can reset passwords, he wont be able to set the same password so the target knows something happened. As we do not provide file manager at all, the admin cannot read the maildir either. I will be working on a solution for this tonight, to basically completely disable the webmail login function as an admin.
@nqservices, @willie:
https://i.gyazo.com/94d85590960771866199675b7abe3513.mp4
The function to authenticate is no longer present. There's still a way to access it, but that would be pretty advanced (not tested, but would be very complicated to). This way I edited the template and removed the auth token, the hidden form submitting it and I'd say it's secure enough.
As we do not provide File Manager access, the admin doesn't have access to your email.
This has been implemented in London server, I'll need to discuss with Jarland if he wants me to implement this in all our servers.
How has this swung from @Jarland not wanting this due to the extra admin work it might bring to @MikePT implementing it on production?
I've always been a DevOps guy, you know, like you are, not with Azure but with AWS. Recently I started to learn a bit more about Dev... And knowing cPanel very well (am actually one of their beta testers), I decided to took the chance and see what we could do.
Granted that this is Jarland's decision if we really apply this or not. Right now it's implemented in the London server.
I’m really not a DevOps guy. I spend much of my time making sure the DevOps guys can’t break the systems or circumvent CM procedures, because that’s what they think DevOps means.
That aside, given the path the thread has taken, I’m utterly bemused as to why you did this.
I was able to remove WebMail Login from the menu as well, without even editing the template.
The change I done could be bypassed by accessing the template directly, though that has been changed to: https://i.gyazo.com/94d85590960771866199675b7abe3513.mp4
This was simply removed, and the Admin isn't able to login to other's Webmail, unless he goes the advanced API way... But I'm pretty sure there's not a call to login to the webmail.
Only the London server has it.
In my point of view, it's a reasonable request, I mean, the account owner can still change the password and access your email, but you'd notice.
This is, IMHO, a design flaw here, they say that such feature is meant to be there because the admin can still read the maildir. Not in our case, as we disabled File Manager completely.
So for now, I just shown that I actually got this working properly. This is, however, @Jarland decision if we rollback the change in this server, or if we apply this to all our servers.
Do you have a dev server to try the stuff on, rather than doing it straight onto prod?
Autonomy + accountability is a good combo for product improvement.
As for the change, I have no problem with it if it doesn't generate support tickets complaining about it. If it does, I'd roll it back. Simple reason being backup and archiving still exist and are features I'm definitely keeping, so this is more about "you have to want it a little more to do it now" than "you can't do it."
I'm also aware of another way my customers can reset their mail passwords and then set them back to what they were, without knowing what they were. In light of the other features it's again something I consider within the scope of admin privileges, though it does use an unintended process and I won't say what it is (though I do know how to kill it, it dies soon anyway through the next product iteration).
Not really. Truth is it's easy to test in production on cPanel without impacting customers in a lot of ways. In other ways, staging never meets the kind of testing that production users give it. Testing in staging rarely saves you from a crisis in reality, though it theoretically should.
You lot are fucking nuts.
I was always a rebel. Remember mxroute was fully completed and set live in one night, while drunk on everclear, after thinking about it for months.
There’s never been any denying you have sizeable testes.
If this is only in the customizeable template part of cpanel, then I guess that avoids the problem of having to re-apply it as new cpanel versions come out, so nice work MikePT
. I agree that if you've done reasonable local testing, that's about as good as you can hope for with something like this. Just be ready to back it out if something goes wrong.
My comment was only a suggestion.. but since you made it so fast, I'm happy. Also it seems great on the video!
But please make sure you get some sleep and if you plan to increase mxroute security/privacy features think it in a calm way, test it, implement it, use it and them roll out to the general public.
Tests were obviously done, this particular form was removed, that was posting your internal token to authorize, as it was removed (we still have it if needed in the future).
@nqservices,
We're always willing to improve. This was all done in 5 minutes, it's not major science tbh.
It's up to @Jarland if he wants to implement it in all servers or not.
It's editing a simple html file, and remove the function there. No major science.
Kind of like when they put that icepick up your nose and came back with a tiny bit of brain matter on the end.