I am running roundcube and dovecot on the same machine. To avoid the described scenario, I have:
1. Enabled and configured selinux on that machine,
2. Enabled mail-crypt plugin with user keys in dovecot.

This should make it hard for an attacker to get access to the emails even with root access gained through a compromised web server. Am I right? :)

On Friday, 08.09.2023 at 06:50 +0800, jeremy ardley via dovecot wrote:
>
> On 8/9/23 05:00, joe a wrote:
> > Any known issues with installing/running roundcube and dovecot on the
> > same server?
>
> There is a generic issue with doing this. That is if you have roundcube
> (or any other web mail interface) on the same server as dovecot, a
> breach of the web interface could be quite serious and allow access to
> the complete mail store.
>
> A better configuration is to run the web mail interface on an isolated
> server and get it to communicate using TLS imap with a remote dovecot
> service.
>
> For economy, you could do this on the same machine using a small virtual
> server to run roundcube
>
> _______________________________________________
> dovecot mailing list -- dovecot@dovecot.org
> To unsubscribe send an email to dovecot-le...@dovecot.org

--
Robert Senger