[SOLVED] spam quarantine dashboard, security

Fra

I see the "PMG spam quarantine dashboard" is accessible (from the internet) by any user that receives spam.

Indeed, in the "Daily Spam Report for 'john@mydomain.com'" I see a link in the footer

"Please use the web interface to manage your spam quarantine."

that takes the user to the "PMG spam quarantine dashboard", so anybody that has that link can access it, from anywhere, and whitelist an entire domain (well, limited to that user's email I guess).

I've read the doc and it is pretty clear this is by design.

I see there are alternative logins, not just 'ticket'. My question: is it really fine to leave this service open to the internet?
(just wondering)
 
you can set up an LDAP server and use that instead of the ticket login (or disable the spam quarantine completely)

the link contains a ticket, which is bound to the email getting the spam report, which is intended to be an internal user, so that's ok

what exactly are the security concerns here?
 
> what exactly are the security concerns here?

our pmg instance is in the intranet, so no worries: yes, we may connect it to our LDAP

we were just shocked this morning when we saw users in the pmg interface, with their profile in the upper right side header :) then we read the doc and understood
 
btw, how do we disable sending the "Daily Spam Report"?

I guess we cannot enable it only for some users (or the main admin/postmaster user)
 
> btw, how do we disable sending the "Daily Spam Report"?

you can set the spamreport style to 'none' (Configuration -> Spam detector -> Quarantine)

> I guess we cannot enable it only for some users (or the main admin/postmaster user)

no, that's not possible atm, but you could open a feature request (no promises though) here: https://bugzilla.proxmox.com
 