Disable access to all users' email accounts?

Rick Davis

Registered
Jun 28, 2018
Cincinnati, OH
cPanel Access Level
Root Administrator
There are many old or closed threads on this topic, which is basically about the ability for a cPanel admin user to read or access all user email accounts from the cPanel webmail link without having to enter the individual email account password. I understand that the cPanel admin is a root user and can change any user's email password, so there is no way to stop them from viewing any user email if they want to. So many questions. Looking for a best practice recommendation.

Is it as simple as disabling webmail access?

I am curious to know whether the discussion continues, is considered resolved, or is just not worth discussing. I would also like to know what admins in this position tell the persons or companies that they administer cPanel accounts for in regard to this topic. Is it a "don't ask, don't tell" type of topic? Or do you fully disclose the discussed possibilities? And/or offer them a different email solution that is more secure? If so, how do you disclose this info? And what other options do you offer?
 

Rick Davis

Registered
Jun 28, 2018
Cincinnati, OH
cPanel Access Level
Root Administrator
Thank you. That was one of the three-year-old discussions I mentioned. It's obvious the developers of cPanel don't consider this a bug or feature worth removing or restricting. So I guess my real question is "How do cPanel admins disclose this flaw to users that have their email stored on a server with cPanel?" I think the real answer or solution that I am considering is to remove email as a service on any web hosting server that uses cPanel and instruct users to use Gmail or some other email service instead.
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
Houston
There are many old or closed threads on this topic, which is basically about the ability for a cPanel admin user to read or access all user email accounts from the cPanel webmail link without having to enter the individual email account password. I understand that the cPanel admin is a root user and can change any user's email password, so there is no way to stop them from viewing any user email if they want to. So many questions. Looking for a best practice recommendation.
This is because the cPanel admin (which is NOT in any way a "root" user; it does not have root access to the system) has access to the emails in a number of other ways. The only thing this would do is provide an illusion that the cPanel user wouldn't be able to access the mail. Mail for all email users is accessible through the File Manager UI, through FTP with the cPanel user, and email users' inboxes can be subscribed to by the default email account.

Is it as simple as disabling webmail access?
You can disable webmail access using the Feature Manager for the Featurelist assigned to the account's package. This would remove the Access Webmail link as well as the ability to access Webmail for any email account on the account using that package+featurelist.

"How do cPanel admins disclose this flaw to users that have their email stored on a server with cPanel?" I think the real answer or solution that I am considering is to remove email as a service on any web hosting server that uses cPanel and instruct users to use Gmail or some other email service instead.
It should be assumed that the cPanel admin user has access to all items within the account. I wouldn't consider this a flaw; it's a purposeful design element.

Thanks!