Security issue with mail inboxes in VM 3.65gpl ?

I don’t know if this was introduced with this particular version, neither whether if it is a template setting change.

The issue

Back with VM v.3.21 gpl (which is the previous I used), when I was creating a new email box for a virtual server user, VM would create it with permissions 0600 for the inbox file /var/spool/mail/<mailboxname>

Now, with v.3.65gpl, it creates it by default with 0644.

As far as I can tell, this is serious security issue: all users who have FTP/SSH access will be able to read anybody’s else email as long as they know mailboxes are located in /var/spool/mail and the <mailboxname>. The latter is not difficult to guess (most popular ones such as “contact”, “support”, etc.) or learn (if email is received and I know our domains are on the same server).

As I said, this might be a template setting. But after going over so many VM and Webmin config screens, I couldn’t find such setting. It is either non-existent, or is “hidden” after some strange, non-descriptive title.

if somebody knows such setting, please point where to find it.

Tnx<br><br>Post edited by: kvguser, at: 2009/02/15 19:09

It would seem as if you have an unusual setup there, as by default, Virtualmin puts all email in $HOME/Maildir.

When you installed, did you use the If not, you might not have gotten the configuration file updates to have email put in the user’s home directories.

Hm, not sure I changed it …
I am sure I followed the Virtualmin installation instructions as they are listed on the Webmin website - that is what I have in my notes. And I follow my notes.

These instructions: – Virtualmin – Install Instructions ( ). These don’t mention running any “”.

I found the option for the mail location: Webmin – Servers – Sendmail mail server – Module config – User mail file location.
I don’t think I have changed it - it is what the original is.

Might be possible because I prefer Sendmail rather than Postfix.

Still, I think you should consider this problem: if somebody follows the install instructions and uses sendmail, seems they will end up with this problem.