No webmail password security for indivudual email accounts in cpanel?!

[adrian123]

Here is a transcript from web host..hostgator any help?!

c panel email accounts

(10:49:57 AM) System: There are currently 0 people in front of you and 190 chat technicians assisting customers.
(10:50:01 AM) Anthony Vu: Welcome to HostGator chat, my name is Anthony, I will be glad to assist you.
(10:50:07 AM) Anthony Vu: I'd be more than happy to help you with cpanel e-mail accounts.
(10:50:15 AM) adrian: thanks
(10:50:32 AM) Anthony Vu: How may I assist you today Adrian?
(10:50:47 AM) adrian: right...we have a domain with you guys and 3 separate email accopunts in the same domain...
(10:51:43 AM) adrian: i am concerned that either of my business partners can log in to c panel...click thro my email account to webmail and read my email...how can i stop this..?
(10:52:10 AM) adrian: i thought it was password protected but not in c panel..!
(10:52:49 AM) Anthony Vu: Correct, that might be an issue, you want to password protect your webmail log in from cpanel correct?
(10:53:22 AM) adrian: yes
(10:54:30 AM) adrian: how can i do that....i only found out by accident and read 4 months of my own email...without a password other than the domain login
(10:55:24 AM) Anthony Vu: Please allow me a moment to look into your issue. I apologize for any delay for this time.
(10:55:32 AM) adrian: no worries
(10:59:28 AM) Anthony Vu: I actually tried to test this several ways, I was not able to find a way to password protect a webmail from within cPanel unfortunately.
(10:59:47 AM) adrian: that is a terrible security issue...
(11:00:15 AM) Anthony Vu: Agreed, perhaps you can contact cpanel support to see if it's possible to do so.
(11:00:16 AM) adrian: not least a privacy issue...
(11:00:33 AM) adrian: how do i do that?
(11:01:05 AM) Anthony Vu: By going here cPanel Inc., they should be able to assist you with that.
(11:01:07 AM) Anthony Vu: Is there anything else I can assist you with Adrian?
(11:01:32 AM) adrian: no...thanks anthony...can you let them know of this massive security issue?
(11:02:14 AM) Anthony Vu: Certainly!
(11:02:15 AM) Anthony Vu: Is there anything else I can assist you with?
(11:02:30 AM) adrian: thats all thanks, cheers
(11:02:33 AM) Anthony Vu: If you have any other questions, we're here 24/7 and 365 days a year to help!
(11:02:36 AM) Anthony Vu: Thank you for using HostGator Live Chat. If you could take a minute to rate your experience with HostGator as well as my overall performance, that would help us to improve our customer service. To do that, just click the button that says Rate and Exit in the upper right hand corner. The survey takes less than a minute to fill out.
(11:02:39 AM) Anthony Vu: Take care and please have a great day!
(11:02:44 AM) adrian:
(11:02:50 AM) adrian: closed this chat intentionally.

 

[JaredR.]

If you log into Webmail as the cPanel account user, you can, by default, read the e-mail of all mailboxes on that account. This is done because, by default, there are symbolic links, or symlinks, to each user's mailbox in the account user's mailbox.

Each mailbox user cannot read other mailbox users' mail, or the account user's mail. It only works in "one direction." Only the cPanel account user can read all of the mailboxes' mail on that particular cPanel account. Each mailbox user must log in using his/her own password in order to access his/her mailbox, and is restricted to only that mailbox.

To give you an example, on a test server I have an account named cpanelte, with the domain cpaneltest.com, and on that account I have a mailbox named /[email protected] The following is a directory listing for the mailbox of the default user, cpanelte:

# ls -alh /home/cpanelte/mail/
total 36K
drwxr-x--x  9 cpanelte cpanelte 4.0K Jun 20 13:18 ./
drwx--x--x 12 cpanelte cpanelte 4.0K Jun 20 13:18 ../
drwxr-x--x  3 cpanelte cpanelte 4.0K Jun 20 13:18 cpaneltest.com/
drwx------  2 cpanelte cpanelte 4.0K May 13 12:16 cur/
drwx------  5 cpanelte cpanelte 4.0K May 13 12:16 .Drafts/
drwx------  2 cpanelte cpanelte 4.0K May 13 12:16 new/
drwx------  5 cpanelte cpanelte 4.0K May 13 12:16 .Sent/
lrwxrwxrwx  1 cpanelte cpanelte   22 Jun 20 13:18 .testing\@cpaneltest_com -> cpaneltest.com/testing/
drwx------  2 cpanelte cpanelte 4.0K May 13 12:16 tmp/
drwx------  5 cpanelte cpanelte 4.0K May 13 12:16 .Trash/

Note the symlink in /home/cpanelte/mail to /home/cpanelte/mail/cpaneltest.com/testing. If I log into Webmail as the user cpanelte, I can view the mail for /[email protected]

The symlinks are created by default, but they are optional. If you do not want the default account user to read individual accounts' mailboxes, you can simply remove the symlinks. If you are not familiar with navigating the directory structure of your account, I recommend that you ask your host (in this case HostGator) to do this for you.

 

[cPanelTristan]

I wanted to add an additional note on this thread for reference to anyone who also has WHM access (rather than cPanel only account access). If you set this option in WHM > Tweak Settings:

** Mail authentication via domain owner password [?]
Allow mail account authentication using the password of the domain owner’s account

This will allow the cPanel username login account to log into each individual email account created on that cPanel account. As such, if you do not want this ability to exist for logging into each individual email account without the password for that email account, please set this to "Off" instead in WHM's Tweak Settings area. The default is already set to "Off"

Thanks!