Security issue with mail inboxes in VM 3.65gpl?

I don’t know whether this was introduced with this particular version, nor whether it is a template setting change.

The issue

Back with VM v.3.21 gpl (which is the previous one I used), when I was creating a new email box for a virtual server user, VM would create it with permissions 0600 for the inbox file /var/spool/mail/<mailboxname>

Now, with v.3.65gpl, it creates it by default with 0644.

As far as I can tell, this is a serious security issue: all users who have FTP/SSH access will be able to read anybody else’s email as long as they know mailboxes are located in /var/spool/mail and know the <mailboxname>. The latter is not difficult to guess (most popular ones such as “contact”, “support”, etc.) or learn (if an email is received and I know our domains are on the same server).

As I said, this might be a template setting. But after going over so many VM and Webmin config screens, I couldn’t find such a setting. It is either non-existent, or is “hidden” under some strange, non-descriptive title.

If somebody knows of such a setting, please point out where to find it.

Tnx

Post edited by: kvguser, at: 2009/02/15 19:09
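An added example, not part of the thread and not Virtualmin’s own code: a small POSIX shell audit that lists mailbox files in a spool directory that users other than the owner can read (the 0644 case described above), and a companion fix that strips the “other” permission bits. It assumes a Linux host with a standard find/chmod; the directory defaults to /var/spool/mail, the location named in the post, and the demonstration at the bottom runs on a constructed temporary directory so nothing on the real system is touched.

```shell
#!/bin/sh
# Added example (not from the forum thread): audit a mail spool directory for
# mailbox files readable by users other than the owner, and optionally fix them.
# Assumes POSIX find/chmod; the spool defaults to /var/spool/mail as in the post.

# List mailbox files in $1 whose "other" read bit is set (mode contains 0004).
# Returns 0 if the spool is clean, 1 if at least one world-readable file exists.
audit_mail_spool() {
    spool="${1:-/var/spool/mail}"
    # -perm -004 matches any file where "other" can read, whatever the other bits
    offenders=$(find "$spool" -maxdepth 1 -type f -perm -004 2>/dev/null)
    if [ -n "$offenders" ]; then
        printf 'world-readable mailbox files under %s:\n%s\n' "$spool" "$offenders"
        return 1
    fi
    return 0
}

# Remove all "other" permission bits from world-readable mailbox files in $1.
# Group bits are left alone: local delivery agents commonly run as group "mail"
# and need group access to the spool, so 0660/0640 is a normal mode there.
fix_mail_spool() {
    spool="${1:-/var/spool/mail}"
    find "$spool" -maxdepth 1 -type f -perm -004 -exec chmod o-rwx {} +
}

# Self-contained demonstration on a constructed temporary spool directory.
demo_spool=$(mktemp -d)
touch "$demo_spool/contact" "$demo_spool/support"
chmod 644 "$demo_spool/contact"   # the insecure default described in the post
chmod 600 "$demo_spool/support"   # the expected secure mode
audit_mail_spool "$demo_spool" || echo "audit found problems (expected on first run)"
fix_mail_spool "$demo_spool"
audit_mail_spool "$demo_spool" && echo "spool clean after fix"
rm -rf "$demo_spool"
```

Run it as-is to see the demonstration, or call `audit_mail_spool /var/spool/mail` on a server to check real mailboxes; run `fix_mail_spool` only after confirming the listed files are mailboxes you intend to tighten.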

It would seem as if you have an unusual setup there, as by default, Virtualmin puts all email in $HOME/Maildir.

When you installed, did you use the install.sh? If not, you might not have gotten the configuration file updates to have email put in the user’s home directories.
-Eric

Hm, not sure I changed it …
I am sure I followed the Virtualmin installation instructions as they are listed on the Webmin website - that is what I have in my notes. And I follow my notes.

These instructions: webmin.com – Virtualmin – Install Instructions ( http://webmin.com/vdownload.html ). These don’t mention running any “install.sh”.

I found the option for the mail location: Webmin – Servers – Sendmail mail server – Module config – User mail file location.
I don’t think I have changed it - it is what the original is.

Might be possible because I prefer Sendmail rather than Postfix.

Still, I think you should consider this problem: if somebody follows the install instructions and uses Sendmail, it seems they will end up with this problem.