Changes to webmail login behaviour from cpanel "Email Accounts" section.

4u123

Well-Known Member
PartnerNOC
Jan 2, 2006
A customer has just pointed out today that when clicking "Email Accounts" in cpanel and navigating to the "More" menu next to an email address, then clicking "Access Webmail", the user is logged in directly to webmail for that account without requiring a password.

I'd like to disable this behaviour and have it the same as it was before, i.e. requiring a password. Is there any option to do this?

There is a setting in "tweak settings" "Mail authentication via domain owner password" which I think should control this - but we have it disabled and the cpanel user can still login to all email accounts without any additional password security.

I understand the logic behind this change. The idea is that if you have cpanel access, you can go in and change the passwords anyway - so why not just open it up?

I don't agree with this way of thinking and I'd like the ability to disable this functionality if possible.
 

4u123

Well-Known Member
PartnerNOC
Jan 2, 2006
> Hello :)
>
> You can review the existing feature request for this at:
>
> Remove 'Access Webmail' from Email Accounts | cPanel Feature Requests
>
> It includes a response regarding why this is by design.
>
> Thank you.

You guys have a very poor understanding of security and a poor understanding of how your control panel is used on a daily basis. I can't add a comment to that feature request because it has been closed, but my points are as follows...

Your mentality seems to be that the admin is a techie and so they can access all the emails if they know what they are doing, so why not just allow a login to every email account without a password anyway?

The cpanel admin is often someone who has no understanding of the cpanel file structure and would not know that they can access emails via the file system. It is also often an office junior, who has been given the lowly task of maintaining the site, or a secretary / admin within a small business. It is not always a technical person that is the cpanel admin.

Sometimes temporary access to cpanel is given to web developers and people to carry out certain tasks.

Some customers (for various reasons) give all their users access to cpanel.

This pointless feature encourages anonymous snooping, which wouldn't normally be possible. It is too risky to change a password on an email account, in order to snoop, because the owner of that account would notice their password not working. This new functionality makes it much easier for someone to snoop on their colleagues without being detected.

What advantage is there to having this enabled? When does the cpanel admin ever need to access everyone else's email accounts?

Why even include the option to login to webmail from there at all?

Surely the rule should be to keep things as secure as possible, with as many layers of security required to prevent unauthorized access. Your rule seems to be to open everything up as much as possible. You are fundamentally wrong in your way of thinking.

You are opening this up to abuse. Plain and simple. Your mentality surrounding the way in which your product is used or should be used, is not the way it is used in everyday life.

Keep going like this and you will soon see your customers moving away from cpanel.


I just want to add that Ken's official response to people's requests to remove this functionality was as follows...

"It is beyond the intended design and use of this product to provide any level of privacy between an admin level account, and a non-admin level account."

That would be fine, if there was such a thing as a "non-admin level account". At this time, as far as I'm aware, there is still only one level of access to cpanel.

As Ken explains, he's really talking about the difference between the cpanel user and the Email user. It seems that the cpanel user, may at some point require access to every individual Email account. Really?

He says...

In some areas we intentionally configure the system to allow the cPanel user direct access to the content. For example when the cPanel user logs into webmail, the user has direct access to the inboxes for all email accounts managed by the cPanel account.

Yes, we know that - that's a statement saying that you have implemented it. The big question is why?

Without different levels of access control, there is only one - the "master" cpanel login. So while you are encouraging this admin account to have total access to everything (even where it isn't appropriate) you are forgetting that it is very often the case that the individual with access to cpanel is not as responsible as the credentials may imply - purely because there is no other level of access that could be given to that person.

That is the reason why this is not appropriate.
 

cPanelKenneth

cPanel Development
Staff member
Apr 7, 2006
cPanel Access Level
Root Administrator
The change in question is an extension of a feature that has existed since at least cPanel 10: the ability for the cPanel user to login to the default webmail account and view the inboxes of all the email accounts managed by that cPanel account[0]. That feature was extended for use with the Single Sign-On functionality we introduced in version 11.40.

As you properly point out, people use our product in a wide variety of ways. Some of those ways inevitably lead to the sharing of login credentials. The solution here is to provide functionality that matches what people are actually doing: sub users (Multiple cPanel Logins (cPanel Subusers) | cPanel Feature Requests).


Footnote
0: Our terminology can be a bit confusing. Logging in to port 2095, or 2096, using the cPanel account name, and password, the cPanel user gains access to the default mailbox. Using one of the webmail clients (e.g. Roundcube) the user can view all the inboxes (and folders) of all email accounts managed by that cPanel account.
 

4u123

Well-Known Member
PartnerNOC
Jan 2, 2006
> The change in question is an extension of a feature that has existed since at least cPanel 10: the ability for the cPanel user to login to the default webmail account and view the inboxes of all the email accounts managed by that cPanel account[0]. That feature was extended for use with the Single Sign-On functionality we introduced in version 11.40.
>
> As you properly point out, people use our product in a wide variety of ways. Some of those ways inevitably lead to the sharing of login credentials. The solution here is to provide functionality that matches what people are actually doing: sub users (Multiple cPanel Logins (cPanel Subusers) | cPanel Feature Requests).
>
> Footnote
> 0: Our terminology can be a bit confusing. Logging in to port 2095, or 2096, using the cPanel account name, and password, the cPanel user gains access to the default mailbox. Using one of the webmail clients (e.g. Roundcube) the user can view all the inboxes (and folders) of all email accounts managed by that cPanel account.

The feature to access all mailboxes with the cpanel login details (via webmail) is also a contentious issue and one that many of your customers would like to disable for the same reasons as I have explained above. There have been threads on this forum from people who, like me, don't agree with this functionality and would like an option to disable it.

It is a clear privacy issue and it exists because you don't fully understand how your product is used. You implement things based on an ideal model of how you intend cpanel to be used, but frankly it is inaccurate and ill conceived.

I can't actually think of a single reason anyone would require this functionality, other than in a situation where the owner of the hosting account and all mailboxes is one individual and the sole person with access to their own stuff. The password-less login and webmail login with cpanel details would provide some convenience there.

However, in all other situations, this level of access is entirely inappropriate and it isn't required. As I said before, the cpanel "admin" user is in most cases either a normal user, or a web designer and it is not appropriate to give either of those people direct access to all the customer's messages without an individual mailbox password.

If you disagree with me Ken - I'd like to try and understand your reasoning - tell me why it's a good thing. What advantage does this functionality bring? In what circumstance would someone use this feature, other than the one I have explained above?

I can see that you are probably working towards a situation where all options can be enabled / disabled in an access control list for individual cpanel (sub) users in the future, but I don't think it is wise to implement things that could create a serious privacy risk, without first putting that infrastructure in place. It's just common sense.

While you have only one cpanel user, it would be sensible and greatly appreciated if you could add a tweak settings option to disable this functionality altogether, for both the webmail login and the cpanel passthru to webmail.
 

WhiteDog

Well-Known Member
Feb 19, 2008
While I sympathize with your points, here are some things to take into consideration.

Kenneth / Michael:
- adding a Tweak option to disable this behaviour and ask for a password would probably only take a few hours of development time, correct?

4u123:
- It was already possible in the past to browse someone else's email via the file system.
- Some of our users would want this off, others would want it on (support for family members).

Probably the sub-user solution is the way to go, but until then, I'd prefer to have a quick Tweak setting to have the old behaviour back.
 

GSK

Registered
Jun 4, 2015
Singapore
cPanel Access Level
Reseller Owner
4u123 is spot on.
This easy access to all inboxes is causing a whole lot of problems. Most ppl given access to cpanel are not techies. I'm from Singapore and there is an Act of Parliament that controls privacy - "Personal Data Protection Act (PDPA)". Auto login to all emails via cpanel is a violation and can result in serious legal trouble.

And in case you are thinking the issue is only with a small country, here's an extract - it will be an issue in a whole lot of other countries:

"In the development of this law, references were made to the data protection regimes of key jurisdictions that have established comprehensive data protection laws, including the EU, UK, Canada, Hong Kong, Australia and New Zealand, as well as the OECD Guidelines on the Protection of Privacy and Transborder Flow of Personal Data, and the APEC Privacy Framework. These references are helpful for the formulation of a regime for Singapore that is relevant to the needs of individuals and organisations, and takes into account international best practices on data protection."

So what you guys are doing is shooting yourself in the foot. Keep up with this idiotic way of thinking and you are likely to lose customers. Create a quick tweak (if one has not already been created) and let users know in the various forums. I've been looking around and not seeing any fix for this simple problem.
 

stormy

Well-Known Member
Nov 22, 2003
Spain
cPanel Access Level
Root Administrator
This is scaring me a bit as well, being in the EU myself. I totally understand cPanel's reasoning about a false sense of security, but I think the "real world" uses that have been brought up should be taken into consideration.

We are simply talking about (optionally) removing a link that essentially says "click here to read your coworker's email", and avoid a lot of hassles to many people, legal and otherwise.

Please do it guys!