[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]


Apologies for asking a question so similar to one in the archive's greatest hits section, but there are a lot of sysadmins on this list whose opinions are worth listening to & this *exact* question hasn't been asked before.

I've had clients start asking for webmail lately. I'd like to offer this functionality, but I'd like to do it without compromising system security & without adding a database to my server. The server does POP3 & SMTP, I'll give my users IMAP about when hell freezes over. (I don't need the aggravation of storing their mail on the server & telling them how to empty their mailboxes when they hit quota.) I looked at Endymion MailMan, but I stopped looking when I realized their pricing was per-domain. Now I'm mostly looking at sqwebmail. I think I can run this without compromising system security because I'm running a virtual mail package. I'm running qmail with vpopmail, which means I can run sqwebmail suid vpopmail instead of suid root. Now, I'm not a security expert. What I'd like to know from this list is whether my logic re: sqwebmail is flawed & whether anyone has a better suggestion for webmail, or even whether the idea of webmail is so fundamentally flawed that I just shouldn't do it. Note that I don't care about *mail* security (they're using POP-3 already), I only care about host security (POP-3 users do not have shells).

"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."
-Benjamin Franklin

"...qui desiderat pacem, praeparet bellum"
(...if you would have peace, be prepared for war)
-Flavius Vegetius Renatus