Security issue with mail inboxes in VM 3.65gpl ?

#1 Sun, 02/15/2009 - 19:07
kvguser

I don't know if this was introduced with this particular version, nor whether it is a template setting change.

The issue

Back with VM v.3.21 gpl (which is the previous version I used), when I was creating a new email box for a virtual server user, VM would create it with permissions 0600 for the inbox file /var/spool/mail/<mailboxname>.

Now, with v.3.65gpl, it creates it by default with 0644.

As far as I can tell, this is a serious security issue: all users who have FTP/SSH access will be able to read anybody else's email as long as they know mailboxes are located in /var/spool/mail and know the <mailboxname>. The latter is not difficult to guess (most popular ones such as "contact", "support", etc.) or learn (if email is received and I know our domains are on the same server).

As I said, this might be a template setting. But after going over so many VM and Webmin config screens, I couldn't find such setting. It is either non-existent, or is "hidden" after some strange, non-descriptive title.

If somebody knows of such a setting, please point out where to find it.

Tnx
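The check the original poster is describing (inbox files under the mbox spool created 0644 instead of 0600) can be audited and corrected with a short script. This is an added example, not code from the forum thread or from Virtualmin; it assumes a flat mbox spool directory (the path /var/spool/mail is taken from the post, the directory passed in is the caller's choice), treats any group or world read bit as exposure, and builds its own constructed sample spool for the demo rather than touching a real one.

```shell
#!/bin/sh
# Added example (not from the thread): audit an mbox spool directory for
# inbox files readable by group or others, and reset them to 0600.
# Assumption: inboxes are plain files directly inside the spool directory
# (the /var/spool/mail/<mailboxname> layout described in the post).

# List every inbox file under $1 whose mode grants read access to group
# (-perm -040) or others (-perm -004); 0644 and 0640 both match, 0600 does not.
audit_spool() {
    find "$1" -maxdepth 1 -type f \( -perm -004 -o -perm -040 \) -exec ls -l {} \;
}

# Same selection, but only print how many exposed inboxes exist.
count_exposed() {
    find "$1" -maxdepth 1 -type f \( -perm -004 -o -perm -040 \) | wc -l | tr -d ' '
}

# Restrict every exposed inbox under $1 to owner read/write (0600), the mode
# the poster saw with the earlier Virtualmin version.
fix_spool() {
    find "$1" -maxdepth 1 -type f \( -perm -004 -o -perm -040 \) -exec chmod 0600 {} \;
}

# Demo on a constructed sample spool (the mailbox names are the ones the
# post lists as easy to guess); nothing under /var/spool is touched.
demo() {
    spool=$(mktemp -d)
    : > "$spool/contact";  chmod 0644 "$spool/contact"   # world-readable (the reported case)
    : > "$spool/support";  chmod 0640 "$spool/support"   # group-readable
    : > "$spool/private";  chmod 0600 "$spool/private"   # already correct
    echo "Exposed inboxes before fix: $(count_exposed "$spool")"
    audit_spool "$spool"
    fix_spool "$spool"
    echo "Exposed inboxes after fix: $(count_exposed "$spool")"
    rm -rf "$spool"
}

demo
```

On a live system, run `audit_spool /var/spool/mail` first and review the listing before `fix_spool`, since the only change it makes is removing group/other read bits; it does not alter ownership, so an inbox that was delivered under the wrong user would still need separate attention.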

Mon, 02/16/2009 - 04:36
andreychek

It would seem as if you have an unusual setup there, as by default, Virtualmin puts all email in $HOME/Maildir.

When you installed, did you use the install.sh? If not, you might not have gotten the configuration file updates to have email put in the user's home directories.
-Eric

Mon, 02/16/2009 - 14:51 (Reply to #2)
kvguser

Hm, not sure I changed it ...
I am sure I followed the Virtualmin installation instructions as they are listed on the Webmin website - that is what I have in my notes. And I follow my notes.

These instructions: webmin.com -- Virtualmin -- Install Instructions ( http://webmin.com/vdownload.html ). These don't mention running any "install.sh".

I found the option for the mail location: Webmin -- Servers -- Sendmail mail server -- Module config -- User mail file location.
I don't think I have changed it - it is what the original is.

Might be possible because I prefer Sendmail rather than Postfix.

Still, I think you should consider this problem: if somebody follows the install instructions *and* uses sendmail, it seems they will end up with this problem.
