disabling admin from reading email

ana.pofuk

Registered
Jul 27, 2012
1
0
1
cPanel Access Level
Root Administrator
Hi
When installing cpanel i have a privacy request from a customer. CEO doesn't want anyone to be able to read his emails, not even site admin.

Is it possbile to disable administrator from reading emails of all the accounts without having the password for the specific account?
Now it is easy to do it - you just click "Access Webmail" link in the email accounts link.

Of course there are other ways with having acess to every file on the server, but this would be a great first step, usable at least for non technical administrators (people just managing email accounts)
Thank you
 
Last edited:

azurecoast

Member
Jul 25, 2012
9
0
1
cPanel Access Level
DataCenter Provider
Hi
When installing cpanel i have a privacy request from a customer. CEO doesn't want anyone to be able to read his emails, not even site admin.

Is it possbile to disable administrator from reading emails of all the accounts without having the password for the specific account?
Now it is easy to do it - you just click "Access Webmail" link in the email accounts link.

Of course there are other ways with having acess to every file on the server, but this would be a great first step, usable at least for non technical administrators (people just managing email accounts)
Thank you
As with any type of "content" the security is all about access; usually physical. I mean most "stuff" is stored on a drive or NAS/SAN someplace, and if somebody can get to that or even back ups.... Email in the "cloud" raises a whole new set of complexities for companies as the "CEO" has a fiduciary responsibility to the company, and typically that means preservation of company assets like IPR that might be inside those emails.

So, one of the better ways to deal with this issue is to encrypt all the emails. Your CEO can do this for his "email storage" and you can do it for yours, using S/MIME. That way each account stored has its own set of keys, and the mail server does not care, it just sees "files" and presents those to the MUA like Outlook that will need to decrypt. iPhone with ver. 5.1 supports S/MIME too.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,909
2,228
463
Hello :)

You can ensure the following option is turned off in "WHM >> Server Configuration >> Tweak Settings" under the "Mail" tab:

"Mail authentication via domain owner password"

Disabling this option prevents mail account authentication using the password of the domain owner’s account. While there are definitely methods to circumvent this feature and access emails (e.g. changing the password of the email account), this is a basic option available that some users prefer to use.

Thank you.
 

cPanelTristan

Quality Assurance Analyst
Staff member
Oct 2, 2010
7,607
40
248
somewhere over the rainbow
cPanel Access Level
Root Administrator
Please keep in mind that anyone who has access to cPanel files themselves (such as FTP to /home/username) or File Manager can access /home/username/mail/domain.com/emailuser where username is the cPanel username, domain.com is the domain name and emailuser is the email username.

Additionally, the system administator of the server itself can access these locations.

The only way to have such privacy would be to encrypt the emails. If they are encrypted, then only the sender and receiver would be able to easily read them.

Here's a guide on using this for Thunderbird:

How to encrypt your email

He'd need to ask people emailing him that they also encrypt, but it makes a lot of sense to utilize encryption for sensitive data.