Posts by joximu

    Hi Nuxwin
    just wanted to try to clear the difference of orders and domain orders... but which one is the alias order - I don't know :-))


    anyway... you did it!


    I think this is good....


    /Joxi

    I think storing one hash only is too few.. the hash algorithms are also getting better and better - in a few years maybe md5 is not secure - so changing the hash is needed -> for this occasion the private key can be entered by the admin -> the passwords are hashed again into a new field... (sha1 or whatever).


    For the pma problem I think there might also be a solution (only give the hash and pma compares them...)...


    For the moment sasl is also a problem - look into /etc/sasldb2 - you can read all the mail passwords... :-)


    /J

    Well, there are in fact some points when the original password is needed:
    - direct link to phpMyAdmin (incl. login with a certain user).
    - changing e.g. the pop3/imap server (courier -> dovecot) etc.


    Maybe a big part could be managed by storing some different hash values of the password in the db (pw_md5, pw_rsa1, etc...) - maybe with some code changes on pma... - and for the really big things (server migration, changing of daemons etc) - I think of private/public keys: storing the password encrypted with a public key - and when the admin needs the original he has to enter the private key.... (of course only with https :-)


    Maybe this can be a way....


    /J

    Here the answer from sci2tech in the internal forum on the same question:


    Quote


    RE: Mailpassword in Database not crypted???
    Is there any reason to be crypted? It was a mistake I made with ispcp and I have corrected it now. If someone gets access to the imscp database, that will be the last thing to worry about. Crypted or not, that person will have access to all your data on the computer (mail, passwords - yes, he will be able to decrypt them - and with minimum effort, root access). That's security through obscurity and is not even a bit of an improvement =)).
    Do not believe me? Just send me access to a system with ispcp / imscp and db access to it, and I'll forward to you all the data you want

    Hi Cube


    it looks like you have to remove bind again after the installation (and set it to "no"...).


    Personally, it is enough for me if it is set to no and I have disabled it... (there is an option for that in /etc/default/bind... if I'm not mistaken...)


    Regards, Joxi

    Hi dstroma


    Thanks for your report - this is very valuable for the developers. It's always a good thing to have someone who uses the software for the first time.
    Many of the things you mention have historical reasons (Admin/Reseller/User, UserAdd, Domain Alias etc.)... i-MSCP is not a "panel from scratch"...
    When i-MSCP was founded (more or less a year ago) the devs focused on Debian as supported OS - but supporters for other distributions are welcome.


    About Admin/Reseller/User - just create a reseller - you always can login as admin and switch to reseller to add a user. But with the time you will notice that you normally do not need the admin level for the daily work.
    The "awaiting approval" for domain aliases is a protection: if a user adds "gmail.com" as domain alias and then adds a mail catchall... he gets all the mails that other customers send via this server that are addressed to @gmail.com... this is not a good idea. That's why the reseller should check if the domain is plausible... normally the reseller should get a note about the new domain alias that he has to approve.


    Normally it's possible to change things that you didn't answer "correctly" during the setup - some are easy, some are heavy :-) - maybe with the new setup it's also possible to rerun the setup (or update) to change the settings... but I cannot tell this for sure.


    /Joximu

    Depends on the circumstances - of course, if your ispcp account is hacked then the big button is not very useful... if your ftp account was hacked you can change the password, upload an old backup (if you can...) and ok, if you removed the website by mistake - just before ispcp made a backup... then you also might try to upload an old backup...


    You always have a situation which does not fit to the automated tools...


    A customer of mine was happy to manage different backups - he could play with oscommerce and when he messed it all up after a few days he just uploaded his old backup and restored it...


    /J