I am running roundcube and dovecot on the same machine. To avoid the described scenario, I have:
- Enabled and configured selinux on that machine,
- Enabled mail-crypt plugin with user keys in dovecot.
This should make it hard for an attacker to get access to the emails even with root access gained through a compromised web server.
Am I right? :)
On Friday, 08.09.2023 at 06:50 +0800, jeremy ardley via dovecot wrote:
> On 8/9/23 05:00, joe a wrote:
>> Any known issues with installing/running roundcube and dovecot on the same server?
>
> There is a generic issue with doing this. That is, if you have roundcube (or any other web mail interface) on the same server as dovecot, a breach of the web interface could be quite serious and allow access to the complete mail store.
>
> A better configuration is to run the web mail interface on an isolated server and get it to communicate using TLS IMAP with a remote dovecot service.
>
> For economy, you could do this on the same machine using a small virtual server to run roundcube.
--
Robert Senger
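
The isolated-webmail setup suggested in the quoted reply, sketched as a Roundcube configuration fragment. This is an added example, not part of the thread; the hostname and CA bundle path are placeholders, and the option names are those of Roundcube 1.6 (earlier releases use `default_host` instead of `imap_host`).

```php
<?php
// Added example: Roundcube config fragment (config/config.inc.php) for a webmail
// host that holds no mail store and reaches Dovecot only over IMAP with TLS.
// Hostname and CA path are placeholders, not values from the thread.

// Implicit TLS on port 993; the ssl:// prefix makes Roundcube negotiate TLS
// before any IMAP command or credential is sent.
$config['imap_host'] = 'ssl://mail.example.org:993';

// Verify the Dovecot server certificate instead of accepting any peer.
// These are PHP stream SSL context options passed through by Roundcube.
$config['imap_conn_options'] = [
    'ssl' => [
        'verify_peer'       => true,
        'verify_peer_name'  => true,
        'allow_self_signed' => false,
        'cafile'            => '/etc/ssl/certs/mail-ca.pem',
        'peer_name'         => 'mail.example.org',
    ],
];
```

With this split, the web host has no filesystem path to the mail store; it can only do what an authenticated IMAP client can do.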