[Feature] enable admins to see user mailbox #2688

Open
dakolta opened this issue Nov 11, 2022 · 7 comments

@dakolta

dakolta commented Nov 11, 2022

Impacted versions

  • OS Type: Debian/Ubuntu
  • OS Version: 4.19.260-1
  • Database Type: PostgreSQL
  • Database version: 11.18 (Debian 11.18-0+deb10u1)
  • Modoboa: 2.0.2
  • installer used: Yes
  • Webserver: Nginx

Create a new user and check "Allow mailbox access", set email address. Try logging in using the format "[email protected]*[email protected]" and the password for [email protected].

When logging in, the web interface returns the error "Your username and password didn't match. Please try again."

Being able to log into the web interface as the master user to view a user's mailbox. I have been able to do this using other web mail servers, i.e. iRedMail, Roundcube, SoGo, etc.


@Spitfireap
Member

Hi, there is an issue with this installer, could you edit /etc/dovecot/conf.d/10-ssl.conf: replace !include_try = /etc/dovecot/conf.d/10-ssl-keys.try by !include_try /etc/dovecot/conf.d/10-ssl-keys.try, then type sudo service dovecot restart.

@dakolta
Author

dakolta commented Nov 11, 2022

I do not have that line in that file and I do not see the /etc/dovecot/conf.d/10-ssl-keys.try file in the directory.
This is the contents of the /etc/dovecot/conf.d directory:
image

@Spitfireap
Member

okay sorry I misunderstood. The feature is not yet implemented in modoboa.

@Spitfireap Spitfireap changed the title Login to web interface as master user fails. [Feature] enable admins to see user mailbox Nov 13, 2022
@tomas-kucera

Hi there, there are two parts into using master account:

  • ability to use Modoboa Webadmin to "peek" into users' mailboxes - this one I personally do not miss 😉

  • ability to connect (for example using Python's imaplib) to the users' mailboxes using master account for example for bulk mailboxes migrations:

    • this one is actually perfectly possible
    • it requires to have enabled Allow Mailboxes Access on the SuperAdmin identity
    • if the SuperAdmin does not have an email (which it normally does not have), the login is not possible as the search is using the login name / username as email, which for standard users is usually identical, but for the SuperAdmins it is empty and thus the record is never found and thus not authenticated
    • there are two ways to get around it: you can manually update the core_user DB record for the SuperAdmin(s) filling the usernames into the emails (tested and it is working, but I do not like this one though) or
    • in /etc/dovecot/dovecot-sql-master.conf.ext configuration file within the line password_query = SELECT email AS user, password FROM core_user WHERE email='%u' and is_active and master_user replace the email (twice) with username and restart dovecot (maybe reload is enough too)
    • now it is possible to do for example this using the imaplib:
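```python
import imaplib

# For non-SSL connections (use one of the two constructors, not both):
# mailbox = imaplib.IMAP4(host='mail.domain.tld', port=143)

# For SSL connections
mailbox = imaplib.IMAP4_SSL(host='mail.domain.tld', port=993)

# Master login: "<target user>*<master user>" with the master user's password
typ, data = mailbox.login('[email protected]*admin', 'password')

print(mailbox.list())

# close() is only valid after select(); no mailbox is selected here
mailbox.logout()
```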

The password_query could also be more sophisticated, such as:

```
password_query = SELECT username AS user, password FROM core_user \
  WHERE (username='%u' or email='%u') and is_active and master_user
```

BTW Should @Spitfireap be OK with this (I have not found any issues after this change), I would create a PR for this. 😉
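The lookup behaviour described in the comment above, reproduced as an added example (not part of the thread and not Modoboa's code). It runs the three `password_query` variants from the thread against a constructed in-memory SQLite table that holds only the columns the query names; the account rows, the `lookup` helper and the binding of `'%u'` as a parameter are assumptions made for the demonstration.

```python
import sqlite3

# Queries as quoted in the thread; '%u' stands for the login name being checked.
ORIGINAL = ("SELECT email AS user, password FROM core_user "
            "WHERE email='%u' and is_active and master_user")
BY_USERNAME = ORIGINAL.replace("email", "username")  # "replace the email (twice)"
COMBINED = ("SELECT username AS user, password FROM core_user "
            "WHERE (username='%u' or email='%u') and is_active and master_user")

def build_db():
    """Constructed sample accounts; password values are placeholders."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE core_user (username TEXT, email TEXT, "
               "password TEXT, is_active INTEGER, master_user INTEGER)")
    db.executemany("INSERT INTO core_user VALUES (?,?,?,?,?)", [
        ("admin", "", "<hash-a>", 1, 1),                          # SuperAdmin, no email
        ("ops@example.test", "ops@example.test", "<hash-b>", 1, 1),  # master with email
        ("bob@example.test", "bob@example.test", "<hash-c>", 1, 0),  # ordinary user
        ("old", "", "<hash-d>", 0, 1),                            # disabled master
    ])
    return db

def lookup(db, query, login):
    """Return the users a password_query yields for master login name `login`."""
    sql = query.replace("'%u'", "?")  # bind the value instead of substituting text
    rows = db.execute(sql, (login,) * sql.count("?")).fetchall()
    return [row[0] for row in rows]

def master_accounts(db):
    """Audit helper: every active account that is allowed to act as master."""
    sql = ("SELECT username FROM core_user "
           "WHERE is_active AND master_user ORDER BY username")
    return [row[0] for row in db.execute(sql)]

if __name__ == "__main__":
    db = build_db()
    for name, query in (("original", ORIGINAL), ("by username", BY_USERNAME),
                        ("combined", COMBINED)):
        for login in ("admin", "ops@example.test", "bob@example.test", "old"):
            print(f"{name:12} {login:18} -> {lookup(db, query, login)}")
    print("accounts with master access:", master_accounts(db))
```

Whichever query is used, the `is_active and master_user` conditions are what limit master access, so the output of `master_accounts` is the list worth reviewing after the change.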

@Spitfireap
Member

Feel free to open a PR. Neither me nor @tonioo have worked on this, I believe. Just that from my pov. If you are SuperAdmin then you should be able to access the server and simply rsync the whole dovecot folder of your domain...

@tonioo
Member

tonioo commented Jan 13, 2023

That's a feature we could indeed implement in the webmail and I think updating the query is fine for master users.

@hazho

hazho commented May 28, 2024

I highly advise not to load any email (from any inbox) on the web interface while the currently authenticated user is master; there are plenty of security vulnerabilities for such action. However, to list the emails and open the email content in a sandboxed interface could be fine (although a lot of tests are needed). That being said, the master user should always be able to do any programmatical operations over anything (including the mailboxes), but not loading the contents of any email on web.
