Web admin can read everybody's email!

[enqaiq]

Hi all;

I've recently set up a website with CPanel hosting here on WebHosting UK. I was very surprised to discover that the default email account has in its inbox a sub-folder for each other user, containing all their email. This means that the web admin (usually me, but not necessarily) can read all of the company's email, without requiring their passwords or authentication.

I've been in touch with support, who tell me this can't be changed.

Is it just me, or does anybody else think this is strange?
Michael.

[optrex]

I am an email admin on exchange systems and we can track and read user email as and when required for the legal purposes of the company.

[Dan]

Indeed, It's not strange it's so the account holder can control who sends what and reads what is incoming.

You can always disable this from Unsubscribing

Squirrelmail >> Folders >> Unsubscribe

[enqaiq]

Thanks for the replies.

I understand the necessity to be able to access somebody's email for legal reasons or if they get hit by the proverbial bus, I was just surprised that the website admin is able to do this without further authorisation or passwords.

Dan, thanks for the tip on unsubscribing. I hadn't heard of this from support. I'll try it out!

Michael.

[j03]

Quote:

Originally Posted by enqaiq

Thanks for the replies.

I understand the necessity to be able to access somebody's email for legal reasons or if they get hit by the proverbial bus, I was just surprised that the website admin is able to do this without further authorisation or passwords.

Dan, thanks for the tip on unsubscribing. I hadn't heard of this from support. I'll try it out!

Michael.

Well, I supose there are two sides to it. One side says "Well, What's the point of one main account, if you need other passwords to access things", but the other says "Well, Isn't it a breach of privacy, if MR. Admin can read all of out mail?".

I'm yet to decide which side to take - I think it's somwhere in the middle!

Could The webhosting.uk.com staff read OUR email?

[optrex]

I would hope they could. Being a mail admin is a postion of trust. For legal reasons they may be asked to look into a mail, but it doesn't mean they do it every day of the week just because they can.

[Dan]

It's just the same as changing somebodys password, just without actually changing it

[enqaiq]

Quote:

I would hope they could. Being a mail admin is a postion of trust.

I agree.

However, my problem with the WHUK setup is that (as far as I can tell) there's no distinction between the mail admin and the website admin, and no way to have different passwords for these two different roles.

IMHO, the mail admin should be somebody senior within a company, maybe even the CEO, whereas the website admin might well be an externally contracted organisation that should have no way to access the company's mail.

Michael.

[Dan]

Quote:

Originally Posted by enqaiq

I agree.

However, my problem with the WHUK setup is that (as far as I can tell) there's no distinction between the mail admin and the website admin, and no way to have different passwords for these two different roles.

IMHO, the mail admin should be somebody senior within a company, maybe even the CEO, whereas the website admin might well be an externally contracted organisation that should have no way to access the company's mail.

Michael.

This is unfortunately a built-in feature with cPanel and WHUK can't change it. Try contacting cPanel (http://www.cPanel.net) with a suggestion about this, maybe linking them to this thread so they can review it, see what they say

[jon123]

I'm afraid to say that i have read this thread twice now and don't don't really understand it! I think it maybe time for my medication.

Although I don't have a shared account I do obviously have cPanel and i can't see anyones emails without a password. Obviously i have the option to view them if i really wanted to, by simply changing the password on that account through cPanel, but I have never had any sub folders in my account..

Or is this just specific to using the default account? As all my default accounts are all set to 'fail' anyway.

[optrex]

Quote:

Originally Posted by enqaiq

I agree.

However, my problem with the WHUK setup is that (as far as I can tell) there's no distinction between the mail admin and the website admin, and no way to have different passwords for these two different roles.

There is no difference, you are not providing a "website" or an "email" service, you are providing a "web hosting" service, which is joint. Also its not specific to WHUK, its the same for all service providers.

[enqaiq]

Quote:

Originally Posted by jon123

I'm afraid to say that i have read this thread twice now and don't don't really understand it! I think it maybe time for my medication.

Try this, Jon ...

On CPanel, the second shortcut under 'Mail' is 'Webmail'. Select this, then log in with SquirrelMail. Even if you've set receiving mail on the default account to fail, the mail folders still exist.

In SquirrelMail, if you can't see any users' folders, select 'Folders' on the top menu. You'll see a list of user email accounts, to which you can subscribe. After doing this, press Check Mail and you'll be able to see email belonging to any users.

Note that you don't have to provide any additional authentication (such as the users' passwords or a root password) in order to gain access to their email.

Michael.

[jon123]

Quote:

Originally Posted by enqaiq

Try this, Jon ...

On CPanel, the second shortcut under 'Mail' is 'Webmail'. Select this, then log in with SquirrelMail. Even if you've set receiving mail on the default account to fail, the mail folders still exist.

In SquirrelMail, if you can't see any users' folders, select 'Folders' on the top menu. You'll see a list of user email accounts, to which you can subscribe. After doing this, press Check Mail and you'll be able to see email belonging to any users.

Note that you don't have to provide any additional authentication (such as the users' passwords or a root password) in order to gain access to their email.

Michael.

Ahh Michael, Got ya! now I see them!

Not sure what i think about that really. I mean as mentioned, If you really wanted to view someones emails then you could anyway using cPanel, so not sure if it makes a difference really.

[enqaiq]

Quote:

Originally Posted by jon123

If you really wanted to view someones emails then you could anyway using cPanel, so not sure if it makes a difference really.

The big difference if that you get to somebody's email by changing their password via CPanel, then they'll know about it -- there's no way of viewing the current password.

On the other hand, this way you can read email without the user's knowledge.

[jon123]

Quote:

Originally Posted by enqaiq

The big difference if that you get to somebody's email by changing their password via CPanel, then they'll know about it -- there's no way of viewing the current password.

On the other hand, this way you can read email without the user's knowledge.

I appreciate that but isn't there ways and means? Surely if i really wanted to i could use something like Outlook Express, and set it so to leave a copy of the messages on the server, then download the auto-setup batch file from cPanel. Would that not work?
I guess whether is works or not its all about trust isn't it. Just the same as i trust WHUK not to log into my account and view my emails. Somewhere along the line someone is always going to have full access. It's what they do with it.