On 8/9/23 07:38, dovecot--- via dovecot wrote:
> Roundcube does not have direct file access to the emails even on the
> same server. Roundcube opens a connection to dovecot, supplies the
> user/pass/login credentials to dovecot, and dovecot fetches the email
> stores and serves it to roundcube. There is nothing a hacker can gain
> access to by exploiting roundcube that they also couldn't get in the
> same scenario if roundcube and dovecot were on two different machines.
--
The scenario you describe does not consider a breach of the web mail
service that allows root access to the file system.
If the web service is compromised to that extent then the mail file
store is also compromised.
If the mail file store is on a different device then an exploit has to
not only breach the web service on the interface device, it then has to
breach the remote store. This will be extremely difficult compared to
simply breaching a web server and locally exploiting it.
When the dovecot server is on a remote system and correct firewalls are
in place, then the attacker has to breach the IMAP protocols as well.
This article describes the concept:
https://www.fortinet.com/resources/cyberglossary/what-is-dmz