13 Sep
2023
13 Sep
'23
9:59 a.m.
I am running roundcube and dovecot on the same machine. To avoid the described scenario, I have:
- Enabled and configured selinux on that machine,
- Enabled mail-crypt plugin with user keys in dovecot.
This should make it hard for an attacker to get access to the emails even with root access gained through a compromised web server.
That depends on your selinux rules. If you want to go a little further. Use podman/docker to run roundcube and run it as a seperate user and give the container bind low port capabilities. I think docker/podman support this. Just in case juse separate uids with containers.