On Nov 16, 2004, at 2:08 PM, D MiksIr wrote:
> What do you think about external (by Apache) identification for access
> to qmailadmin? Is it less secure or what?
> I created this option, patch included... maybe it will be useful.

At first I thought it would be a good idea, but then I thought of a possible security hole.

If a user has shell access on the machine, and can execute the CGI, then he could set up his environment variables to trick the CGI into allowing access to any account.

Granted, it would take some work, but it is a realistic attack.

You may want to upload your patch to SourceForge and get feedback from others. There may be a way to allow REMOTE_USER authentication without opening the security hole of a shell account (or cron job) accessing qmailadmin.

--
Tom Collins  -  [EMAIL PROTECTED]
QmailAdmin: http://qmailadmin.sf.net/  Vpopmail: http://vpopmail.sf.net/
Info on the Sniffter hand-held Network Tester: http://sniffter.com/
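One way to close the hole Tom describes, as an added example that is not part of qmailadmin, the patch, or this thread: only honour REMOTE_USER when the real uid of the process is the web server's uid, which a shell user or cron job cannot forge by editing their environment. It assumes the web server runs as an account named "www-data" (an assumed name) and that the CGI runs setuid, so getuid() still reports the invoking user.

```c
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Naive check: whatever REMOTE_USER holds is taken as the logged-in
 * user. Anyone who can exec the CGI from a shell or a cron job can set
 * that variable before running it, which is the hole described above. */
const char *remote_user_naive(const char *env_remote_user) {
    if (env_remote_user == NULL || *env_remote_user == '\0') return NULL;
    return env_remote_user;
}

/* Hardened check: REMOTE_USER only means something when the web server
 * itself launched the CGI, so additionally require that the *real* uid
 * of the invoker is the web server's uid. For a setuid CGI, getuid()
 * reports the invoking user, not the setuid target, so a shell user
 * running the binary directly fails this test. */
const char *remote_user_checked(const char *env_remote_user,
                                uid_t real_uid, uid_t webserver_uid) {
    if (real_uid != webserver_uid) return NULL;   /* not started by Apache */
    return remote_user_naive(env_remote_user);
}

/* Resolve the web server account to a uid; -1 if the account is unknown.
 * "www-data" below is an assumed account name for this example. */
long webserver_uid_by_name(const char *name) {
    struct passwd *pw = getpwnam(name);
    return pw ? (long)pw->pw_uid : -1L;
}

int main(void) {
    long web_uid = webserver_uid_by_name("www-data");
    const char *who = NULL;
    if (web_uid >= 0)
        who = remote_user_checked(getenv("REMOTE_USER"), getuid(), (uid_t)web_uid);
    /* When the check fails, the CGI should fall back to its own login form. */
    printf("%s\n", who ? who : "REMOTE_USER not trusted; use the login form");
    return 0;
}
```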