E-Mail Control Panels

Members of the ISP-Linux list discuss providing Web-based control of e-mail configurations for webhosting accounts. It's quite the can of worms, from a security standpoint.
On the ISP-Linux list in September, DH inquired,
A number of respondents suggested that DH's idea could be pretty dangerous.

[PP warned] "You're opening a can of worms from a security standpoint. I have watched as a hacker commandeered a DNS server, spoofed a domain, then proceeded to send thousands of e-mails to AOL users on said domain's actual server. The e-mails he sent were an 'official' request from the 'AOL accounts office,' including a link that took them to what appeared to be an 'official' AOL page where they could reenter their account data so their account 'would not be deleted in 24 hours'. Security: some ISPs just don't get it."

[JH agreed] "You're talking about making system configuration files world-writable: under sendmail, especially, you need to give read/write ownership of /etc/aliases to the whole world through the web. I think the only viable MTA for such a security-hazy situation is qmail; sendmail could be made too vulnerable in inexperienced hands."

Others disagreed, suggesting it's all a matter of balancing security with functionality.

[AM countered] "Having an e-mail control panel is the basis of having a virtual hosting business. Are you saying thousands of companies are 'opening a can of worms'? Security is what you make it, no matter the situation. Even the most 'secure' environments can be insecure in the wrong hands. Written correctly and with the correct permissions, there will be very few security issues involved in letting users control e-mail accounts. However, there will always be some security risk: all you can do is make it as small as possible. The only secure network is a completely isolated one, which anything connected to the Internet is not."

[TJ agreed] "Security is what you make of it. There is no such thing as a 100 percent secure system, only a system that is very difficult to hack/crack/crash."

PP took a different view: "I make security job one. In my environment, I am the 'control panel' and I want users to call me to have such mundane things done as adding POP accounts. I like my users, they tolerate me, and whatever they want done gets both done and tested. I am the 'user interface,' and they seem to like it that way. It's odd how many users we have now that came from automated ISPs: I wonder if that 'human' thing has anything to do with it?"
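The world-writable /etc/aliases problem JH raises, and AM's point that the risk depends on writing the panel "correctly and with the correct permissions", are the kind of thing that is easier to see in code. The following is an added example, not code from the ISP-Linux thread or from any real control panel: a privileged helper that sits between the web front end and the alias file. The web side only submits (alias, target) requests; the helper refuses the sendmail alias forms that run programs or touch files, only lets a customer change aliases the account database says they own (the ownership set, the sample file fragment and the paths are constructed assumptions), checks that the file is not group- or world-writable, and rewrites it atomically.

```python
"""Privilege-separated alias editing for a web e-mail control panel.

Added example, not the list's or any product's code.  The file format is
sendmail's /etc/aliases ("name: target"); everything else is assumed.
"""
import os
import re
import stat
import tempfile

# Conservative names: no path separators, shell metacharacters or leading
# dots, so an alias name can never double as a file path or a command.
_NAME_RE = re.compile(r"^[a-z0-9][a-z0-9._-]{0,63}$")
_DOMAIN_RE = re.compile(r"^[a-z0-9.-]{1,253}$")
_ENTRY_RE = re.compile(r"^([^\s:#]+)\s*:\s*(.*)$")

# Constructed sample /etc/aliases fragment (not from any real host).
SAMPLE_ALIASES = """\
# constructed /etc/aliases fragment
postmaster: root
support: alice
sales: bob
"""


def validate_alias(alias, target):
    """Accept only a plain name -> mailbox alias.

    sendmail also accepts three target forms a web user must never be able
    to write, because the MTA acts on them with its own privileges:
      |command         pipe the mail into a program
      /path/to/file    append the mail to a file
      :include:/path   read the recipient list from a file
    """
    alias = alias.strip().lower()
    target = target.strip().lower()
    if not _NAME_RE.match(alias):
        return False
    if target.startswith(("|", "/", ":include:")):
        return False
    if "," in target or any(c.isspace() for c in target):
        return False  # one target per request; no smuggled extra entries
    local, sep, domain = target.partition("@")
    if not _NAME_RE.match(local):
        return False
    return sep == "" or bool(_DOMAIN_RE.match(domain))


def mode_is_safe(mode):
    """True if the permission bits grant no group or world write access."""
    return not (mode & (stat.S_IWGRP | stat.S_IWOTH))


def aliases_file_is_safe(path):
    """Refuse to work on an alias file anyone but the helper could write."""
    st = os.stat(path)
    return stat.S_ISREG(st.st_mode) and mode_is_safe(st.st_mode)


def update_aliases(text, owned_aliases, alias, target):
    """Return the file contents with `alias` set to `target`.

    `owned_aliases` is the set of names this customer controls (assumed to
    come from the hosting account database); anything else, postmaster
    and root included, is off limits.
    """
    alias = alias.strip().lower()
    if not validate_alias(alias, target):
        raise ValueError("rejected alias request: %r -> %r" % (alias, target))
    if alias not in owned_aliases:
        raise ValueError("customer does not own alias %r" % alias)
    new_line = "%s: %s" % (alias, target.strip().lower())
    out, replaced = [], False
    for line in text.splitlines():
        m = _ENTRY_RE.match(line)
        if m and m.group(1).lower() == alias:
            out.append(new_line)
            replaced = True
        else:
            out.append(line)
    if not replaced:
        out.append(new_line)
    return "\n".join(out) + "\n"


def write_aliases_atomically(path, text):
    """Temp file in the same directory plus rename: the MTA never sees a
    half-written file, and the result stays 0644 rather than world-writable."""
    dirname = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=dirname, prefix=".aliases.")
    try:
        with os.fdopen(fd, "w") as f:
            f.write(text)
        os.chmod(tmp, 0o644)
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise
    # A real helper would run `newaliases` here to rebuild the alias database.


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "aliases")
        write_aliases_atomically(path, SAMPLE_ALIASES)
        assert aliases_file_is_safe(path)
        updated = update_aliases(SAMPLE_ALIASES, {"support", "sales"},
                                 "support", "carol@example.com")
        write_aliases_atomically(path, updated)
        print(open(path).read())
```

The helper is what runs with write access to the file (for instance as a setuid wrapper or a local daemon the CGI talks to); the web server itself never holds that permission, which is the alternative to the world-writable setup JH describes.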