implement parameter to turn off login via alias
At the moment you can log in via the web frontend or SMTP/IMAP using an email alias you have set up.
So, for example, if you have a user with the email user@domain.com and set up an account alias in the admin console like alias@domain.com, you can now log in at the web frontend or SMTP/IMAP with the user "alias" and the password of the user "user".
This poses a security risk as I need to add in the alias "root" to receive some emails and I already had a few hacker attempts to log in with the user root to SMTP. Of course I have a strong password but would still like the admin option to generally disable alias logins to the server.
Thanks
This option will be available via CLI starting with Axigen X2 Update 2 (10.2.2), planned for the end of November, 2018.
Please note that for now the option will NOT be available when performing LDAP authentication.
-
Alexandru commented
Thanks, found it, set it and it works
# telnet localhost 7000
Trying ::1...
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Welcome to AXIGEN's Command Line Interface
You must login first. For a list of available commands, type HELP
<login> user admin
<admin-password-here>
For a list of available commands, type HELP
+OK: Authentication successful
<#> CONFIG SERVER
+OK: command successful
<server#> SET allowAliasLogins no
+OK: command successful
<server#> COMMIT
committing changes and switching back to previous context.
+OK: command successful
<#> SAVE CONFIG
+OK: command successful
<#> exit
WARNING: all changes made and not committed are lost
connection to AXIGEN closing.
+OK: have a nice day
Connection closed by foreign host.
-
AdminGabriel (PM, Axigen) commented
It's a new server level option, so after you authenticate via CLI:
---
+OK: Authentication successful
<#> config server
+OK: command successful
<server#> help
...
SET [allowAliasLogins <yes|no>] - Allow/Prevent logins using alias account or domain names
...
---
-
Alexandru commented
In which context was this option added in the CLI?
-
Alexandru commented
Hi,
Please add the possibility to disable login with account aliases, as this in my opinion could be a security issue.
If you check the interwebs there are data breaches almost every day where email addresses are disclosed or, even worse, passwords and other personal data. So I have my account id (a random string for me actually, much like the temporary aliases generated by Axigen) which should be used for authentication and only that.
Back to the breaches: as I said, I have the main email id (account) as a random string, and use regular aliases for websites when signing up. The problem is that these aliases can be used for brute force, since you can log in with them and there's no 2FA yet. That's a major issue if you ask me.
Please consider fixing this with urgency.
Thank you!
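
Added example (not part of the thread and not Axigen code): before setting allowAliasLogins to no, an admin can measure how much failed-login traffic targets aliases rather than the real account name, which is the exposure both posters describe. The alias table, the account name and the log line format below are constructed for illustration; the format is generic and is not Axigen's log format.

```python
import re
from collections import Counter

# Constructed alias table (hypothetical): primary account -> its aliases,
# as an admin might export it from their own account list.
ALIASES = {"x7k2qp9d": {"root", "shop-signup", "newsletter"}}

# Constructed log lines in a made-up generic format (NOT Axigen's log format).
SAMPLE_LOG = """\
2018-11-02 10:00:01 SMTP auth user=root@domain.com ip=203.0.113.5 result=FAIL
2018-11-02 10:00:03 SMTP auth user=root@domain.com ip=203.0.113.5 result=FAIL
2018-11-02 10:01:10 IMAP auth user=x7k2qp9d@domain.com ip=198.51.100.7 result=OK
2018-11-02 10:02:44 SMTP auth user=shop-signup ip=203.0.113.9 result=FAIL
2018-11-02 10:03:00 IMAP auth user=admin@domain.com ip=203.0.113.9 result=FAIL
"""

LINE_RE = re.compile(r"user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>OK|FAIL)")


def local_part(login):
    """Normalise 'Name@domain' or 'name' to the lower-case local part."""
    return login.split("@", 1)[0].lower()


def classify(login, aliases=ALIASES):
    """Return 'account', 'alias' or 'unknown' for an attempted login name."""
    name = local_part(login)
    if name in aliases:
        return "account"
    if any(name in names for names in aliases.values()):
        return "alias"
    return "unknown"


def failed_alias_logins(log_text, aliases=ALIASES):
    """Count failed authentication attempts per alias name."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m["result"] == "FAIL" and classify(m["user"], aliases) == "alias":
            hits[local_part(m["user"])] += 1
    return hits


if __name__ == "__main__":
    for alias, count in failed_alias_logins(SAMPLE_LOG).most_common():
        print(f"{alias}: {count} failed login attempts via alias")
```

Attempts classified as "unknown" (such as admin in the sample) are guesses at names that do not exist on the server and are unaffected by the alias setting.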