1

Topic: Domain Admin can read the maillog of the whole server (all domains!)

==== Required information ====
- iRedMail version (check /etc/iredmail-release): 0.9.7
- Linux/BSD distribution name and version: ubuntu 16.04.3
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): mysql
- Web server (Apache or Nginx): nginx
- Manage mail accounts with iRedAdmin-Pro? yes
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

Hi,
when I promote a user to be the domain admin, he can read the mail log of the whole server.

First strange thing: when I check the domain to be managed and hit save, the checkbox gets unchecked..
https://i.imgur.com/fYcrB8T.png
to
https://i.imgur.com/a1nsGiU.png

But anyway, it works. When logging in I only see the stats of the chosen domain and only those users who belong to that domain.
But the Mail Log is visible for everyone:
https://i.imgur.com/kXVFgvR.png
Same for received; quarantined I'm not sure because there isn't any yet.

Have I set something up wrong, or is this a bug?


2

Re: Domain Admin can read the maillog of the whole server (all domains!)

*) I can reproduce first issue with the latest iRedAdmin-Pro release (SQL edition).
*) Can NOT reproduce second issue.

Working on a patch to fix 1st issue.

3

Re: Domain Admin can read the maillog of the whole server (all domains!)

Patch used to fix 1st issue:

--- controllers/sql/user.py    2017-12-22 12:53:14.000000000 +0800
+++ controllers/sql/user.py    2018-01-17 21:15:24.000000000 +0800
@@ -339,7 +339,7 @@
         all_domains = []
 
         if session.get('is_global_admin') or session.get('is_normal_admin') or session.get('allowed_to_grant_admin'):
-            qr = sql_lib_admin.get_managed_domains(admin=session.username,
+            qr = sql_lib_admin.get_managed_domains(admin=mail,
                                                    domain_name_only=True,
                                                    listed_only=True,
                                                    conn=conn)
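
Review bot: The changed `get_managed_domains` call now queries with `admin=mail`, but the guard on the line above it still tests only the logged-in session's flags (`is_global_admin`, `is_normal_admin`, `allowed_to_grant_admin`). Nothing in the visible lines shows that `mail` has been validated as an address or that the logged-in admin is allowed to manage the account `mail` refers to. Please confirm both checks happen earlier in this handler before the query runs, since a normal admin reaching this branch would otherwise get another account's managed-domain list. A short comment saying that the lookup is for the profile being edited rather than for `session.username` would also help, because the earlier mix-up between the two is what caused the checkbox to reset after saving.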

4 (edited by lug 2018-01-18 21:57:30)

Re: Domain Admin can read the maillog of the whole server (all domains!)

Thanks for fixing the first issue, it works!

With the second issue I have my problems. I've set up a fresh installation and there it works fine, like you said.
The problem is the main setup is only 1 week old, and I've not changed anything big.

Can you tell me in which file the query is coded, so I can compare the file on both servers?

Edit: I just made a diff check on the whole /opt directory and the only thing that differs are the passwords in iredapd/settings.py

5

Re: Domain Admin can read the maillog of the whole server (all domains!)

Did you ever create some SQL records in "vmail" database manually?

6 (edited by lug 2018-01-23 21:51:00)

Re: Domain Admin can read the maillog of the whole server (all domains!)

There might be the possibility I've used /root/iRedMail-0.9.7/tools/create_mail_user_SQL.sh

I'll check the database..

Edit: I cannot find anything that looks like it broke something, all entries look the same.

7

Re: Domain Admin can read the maillog of the whole server (all domains!)

lug wrote:

/root/iRedMail-0.9.7/tools/create_mail_user_SQL.sh

Mail user account created with this script is ok.

It's hard for me to troubleshoot the second issue without more details, direct remote ssh access will be better if possible.
If it's a bug of iRedAdmin-Pro, this support will be free for you, but if it's caused by your improper data, a support ticket ($99) is required. OK for you?
https://www.iredmail.org/support.html

8

Re: Domain Admin can read the maillog of the whole server (all domains!)

I think I'll migrate the database to a fresh installation and check if it's the same error, then it's probably the database, I guess.

9 (edited by lug 2018-01-25 18:21:52)

Re: Domain Admin can read the maillog of the whole server (all domains!)

Soooooo, I reinstalled iRedMail and iRedAdmin-Pro, migrated the vmail, iredadmin & iredapd database and the mailboxes to the new server, and the logging works just fine now. Domain owners can only read the logs for their own domain.
So is it possible, that the first issue broke something?

I think I'll just use the new installation as the productive server.