  #1 (permalink)  
Old 22-06-11, 01:46 PM
Member
 
Join Date: Jun 2010
Posts: 63
Mail question and concerns

Hi all

To begin with, I am a little puzzled and I'm hoping some kind guru can advise. We are using the default webmail system on Plesk. I am told by support that the facility to change a password through webmail has been disabled, and that it is necessary for users to go in through Plesk to change passwords. I will return to that point later, but if, for example, a user has forgotten their password, how can they get it back or change it? The only way I can see is if they go to the Plesk login and request password recovery. But if they can't get in to read their mail, how can they get their password?

I also have major concerns about letting users into Plesk, anyway. In my opinion, they should not be allowed to even see what has been set-up in there. A weak password would allow entry to anyone who could then set up mail groups (I assume, as that option seems available, though I haven't tried creating a group and mailing) and it wouldn't take them long to be using it as spam central.

As I said, support say that the only way to change a password is through Plesk as a security measure, but it seems an even bigger security hole to let users into a control panel area that can be abused. And if you've forgotten your password, how do you get in there in the first place? Yes, the user could contact me and ask me to reset it. But we have staff around the planet and I have no desire to get a phone call at 1am asking me to reset a password. And what if I happened to be away on holiday? They are stuck for a couple of weeks.

I do not doubt that I'm missing something here and I'm hoping that some kind soul will point it out.

Cheers

Ian

  #2 (permalink)  
Old 22-06-11, 06:40 PM
Sales Manager
 
Join Date: May 2006
Posts: 1,571

Hi Ian,

The password reset feature like Hotmail or Yahoo which you are looking for is not available with Plesk and MailEnable. If your user wants to change his current password then you can ask your user to log in via https://ip:8443; they can use their email account and password to log in to the email control panel only. They would only have access to their email account settings and nothing on the domain level.

But if the user has completely forgotten the password then in this case the domain administrator will have to reset the password. There is not any other alternative for this at the moment.

  #3 (permalink)  
Old 23-06-11, 06:16 AM
Member
 
Join Date: Jun 2010
Posts: 63

Quote:
Originally Posted by James View Post
Hi Ian,

The password reset feature like hotmail or yahoo which you are looking for
Hi James

Thanks for your reply.

Not just Hotmail or Yahoo, the same as *any* application, website or system that I worked on in the last 30+ years. And there is sound reasoning behind it.

If I, as admin, set an easy password, then the system is insecure. If I set a difficult one, then the chances are that the user is going to write it down, and that is almost as insecure. And if they lose the piece of paper? They are locked out of the system (in our case, unable to work) until it can be reset for them. If, in our case, I'm on holiday.....?

The user has to be allowed to set a secure password that is memorable to *them*. Systems are for the users, not the systems. Users are not supposed to jump through the hoops and restrictions imposed by systems and admins.

Quote:
are not available with Plesk and Mailenable.
They are according to the Help pages.

According to your support staff the facility has been specifically turned off. That, IMHO, is even more insecure than letting users choose their own password. Users now have easy passwords and anyone can get in with a simple dictionary attack.

Quote:
If your user wants to change his current password then you can ask your user to login via https://ip:8443 they can use their email account and password to login to the email control panel only. They would only have access to their email account settings and nothing on the domain level.
I know, that's what Support told me. So what if someone breaks in and creates a mailing group and then uses it to spam from?

Also, in our case, my MD wants to monitor all incoming staff mail, so he can supervise things. He would also like a copy of outgoing mail, but that isn't possible with your systems. But it means that any user with access to Plesk can see what is going on. My MD pays for our system and he will do what he wants in there and it should not be possible for staff to view or change that.

It also means that anyone who broke in could see who our customers were, etc, etc. Our customers are given temporary access to parts of our website. They are mailed the user name and password by the sales staff. Anyone who broke into the agent's mail could read that. We also have temporary staff - camera crew, voiceover people, etc - and they need to have limited access to our internal systems. Again, someone getting into a mail account could cause untold damage - all because a standard and (probably) well-designed system has been disabled.

Quote:
But if the user has completely forgotten the password then in this case the domain administrator will have to reset the password. There is not any other alternative for this at the moment.
And reset it with something that is equally insecure?

Is the password change function turned off because it is inherently insecure? I haven't been able to find anything about any other hosting service having any problems with it.

Cheers

Ian

  #4 (permalink)  
Old 23-06-11, 02:41 PM
Moderator
 
Join Date: Aug 2009
Posts: 87

Hello Ian,

Let me understand this properly: the functionality you are wanting is for the user to have the ability to reset the password via either the webmail interface or the Plesk interface in case they forget the password, i.e. they go to the webmail link and then click on forgot password and then it should have a mechanism to reset the password? Or they go to the Plesk control panel and click on forgot password and key in an answer and then have their password automatically reset without the intervention of a system admin?

The Plesk Horde webmail feature to change passwords is disabled on recommendations from SWSOFT in our conversations with them about security. It does not have a mechanism like Yahoo or Hotmail or Exchange to challenge the password request. It does not ask you for a secret question while resetting the password. Only this feature is turned off. Please note this is your VPS now and you have the option to enable it, but at your own security risk.

Users would still be able to change their passwords if they logged in as James suggested in his reply. They log in via Plesk using their email credentials and they can reset their password.

If someone breaks in, that would be the user who has a compromised password who creates mailing lists. Disable the mailing lists option from Plesk for the domain if you are not going to use mailing lists.

The feature of monitoring the outbound SMTP as you require is not offered as a standard product in any mail server. Have a look at Exchange, one of the most expensive mailing solutions out there. They have recommended third party tools like GFI MailArchiver for what you are looking for in terms of mail monitoring.

Regards

  #5 (permalink)  
Old 23-06-11, 03:05 PM
Member
 
Join Date: Jun 2010
Posts: 63

Quote:
Originally Posted by Gerrad8 View Post
Hello Ian,

let me understand this properly the functionality you are wanting for is to user to have the ability to reset the password via either the webmail interface or the plesk interface
No. For them to have the ability to change their mail password from their mail; *not* from the Plesk control panel. They should not even know that exists or that they can access it. They just need to change their password exactly as the Help system tells them to (I try and drum into my users that the Help is the *first* port of call, not the last) and as they could do from their Smartermail, when we were using DNP.

Quote:
in case they forget the password IE they go in to the webmail link and then click on forgot password and then it should have a mechanism to reset the password ? or either they go to the plesk control panel and click on forgot password and key in a an answer and then have their password automatically reset without the intervention of a system admin ?

Yes, but they are going to have to use (a) something that they are not supposed to know exists (b) is quite daunting to non-tech users. Good HCI expects users to be treated as simple forms of life who know nothing about anything. Having to log in to a control panel is like going to another planet for a lot of them.

Quote:
The Plesk Horde webmail feature to change passwords are disabled on recommendations from SWSOFT in our conversations with them about security. It does not have the mechanism like a yahoo or hotmail or exchange to challenge the password request.
Ok, it doesn't challenge, but that, IMHO, is a lot better than them having weak passwords so they can remember them, or having to write them down somewhere.

Quote:
It does not ask you for a secret question while resetting the password. Only this feature is turned off. Please note this is your vps now and you have the option to enable it but at your own security risk.
No one said anything about that. I was told that it was not possible. We will take that risk. They all have a link to a password challenger and have been told to test first. That's better than us giving them xzy999 or whatever.

Quote:
Users would still be able to change their passwords if they logged in as James suggested in his reply. The login via plesk using their email credentials and they can reset their password.
Yes, and see and do quite a few other things, some of which management do not want them to see or do. It is also another level of complication for them. I'm told that one of the next steps planned for the company is for agents in Brazil. Plesk has Portuguese localization?

Quote:
If someone breaks in that would be the user who has a compromised password who creates mailing lists. Disable the mailing lists option from plesk for the domain if you are not going to use mailing lists.
I didn't say that we were not going to use them, I said we don't want someone hacking in and creating mailing lists. We shouldn't have to disable a facility just because it can be compromised by something else.

Quote:
The feature of monitoring the outbound SMTP as you require is not offered as a standard product in any mail server.
The company had it as a standard feature with their previous hosts (before my time) and were less-than-impressed when they didn't get it here. But the other hosts were Linux-based only so I guess their mail server was more configurable.

Quote:
You have a look at exchange one of the most expensive mailing solutions out there. They have recommended third party tools like GFI MailArchiver for what you are looking for in terms of mail monitoring.

Regards
Thanks for the tip, I'll check it out.

Did you want me to create a ticket for the change to enable password change and recovery as we understand the security risks?

Cheers

Ian

  #6 (permalink)  
Old 23-06-11, 03:30 PM
Moderator
 
Join Date: Aug 2009
Posts: 87

Quote:
Originally Posted by IanJ0208
No. For them to have the ability to change their mail password from their mail; *not* from the Plesk control panel. They should not even know that exists or that they can access it. They just need to change their password exactly as the Help system tells them to (I try and drum into my users that the Help is the *first* port of call, not the last) and as they could do from their Smartermail, when we were using DNP.

Quote:
in case they forget the password IE they go in to the webmail link and then click on forgot password and then it should have a mechanism to reset the password ? or either they go to the plesk control panel and click on forgot password and key in a an answer and then have their password automatically reset without the intervention of a system admin ?

Yes, but they are going to have to use (a) something that they are not supposed know exists (b) is quite daunting to non-tech users. Good HCI expects users to be treated as simple forms of life who know nothing about anything. Having to log in to a control panel is like going to another planet for a lot of them.



Ok, it doesn't challenge, but that, IMHO, is a lot better than them having weak passwords so they can remember them, or having to write them down somewhere.



No one said anything about that. I was told that it was not possible. We will take that risk. They all have a link to a password challenger and have been told to test first. That's better than us giving them xzy999 or whatever.



Yes, and see and do quite a few other things, some of which management do not want them to see or do. It is also another level of complication for them. I'm told that one of the next steps planned for the company is for agents in Brazil. Plesk has Portuguese localization?



I didn't say that we were not going to use them, I said we don't want someone hacking in and creating mailing lists. We shouldn't have to disable a facility just because it can be compromised by something else.



The company had it as a standard feature with their previous hosts (before my time) and were less-than-impressed when they didn't get it here. But the other hosts were Linux-based only so I guess their mail server was more configurable.



Thanks for the tip, I'll check it out.

Did you want me to create a ticket for the change to enable password change and recovery as we understand the security risks?

Cheers

Ian
Hello Ian,

Yes, please generate a ticket and we will enable it for you at your own risk. Please also list your support requests for the Plesk localization setting in there.

Thanks

  #7 (permalink)  
Old 23-06-11, 03:33 PM
Moderator
 
Join Date: Aug 2009
Posts: 87

Hello Ian,

As your users were already used to SmarterMail, we can have that installed on the server and integrated in Plesk. You can request this in the ticket you are going to place for the webmail request.

Thanks
All times are GMT.