[GH-ISSUE #2688] [Feature] enable admins to see user mailbox #1680

Open
opened 2026-02-27 11:18:31 +03:00 by kerem · 7 comments

Originally created by @dakolta on GitHub (Nov 11, 2022).
Original GitHub issue: https://github.com/modoboa/modoboa/issues/2688

Impacted versions

  • OS Type: Debian/Ubuntu
  • OS Version: 4.19.260-1
  • Database Type: PostgreSQL
  • Database version: 11.18 (Debian 11.18-0+deb10u1)
  • Modoboa: 2.0.2
  • installer used: Yes
  • Webserver: Nginx

Create a new user and check "Allow mailbox access", set the email address. Try logging in using the format "user@foo.com*mailboxadmin@foo.com" and the password for mailboxadmin@foo.com.

When logging in, the web interface returns the error "Your username and password didn't match. Please try again."

I can log in as the user via the command line or another mail client:

```
root:~# doveadm auth login admin@foo.net*mbadmin@foo.net xxxxxxxxxxxxxx
passdb: admin@foo.net*mbadmin@foo.net auth succeeded
extra fields:
  user=admin@foo.net
  original_user=mbadmin@foo.net
  auth_user=mbadmin@foo.net
userdb extra fields:
  admin@hladmc.net
  home=/srv/vmail/hladmc.net/admin
  uid=1004
  gid=1004
  quota_rule=*:bytes=0M
  master_user=mbadmin@foo.net
  auth_user=mbadmin@foo.net
root:~#
root@:~# telnet localhost 143
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ STARTTLS AUTH=PLAIN AUTH=LOGIN] Dovecot (Debian) ready.
1 login admin@foo.net*mbadmin@foo.net xxxxxxxxxxxxxx
1 OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS BINARY MOVE SNIPPET=FUZZY LITERAL+ NOTIFY SPECIAL-USE QUOTA] Logged in
1 logout
* BYE Logging out
1 OK Logout completed (0.001 + 0.000 secs).
Connection closed by foreign host.
root@:~#
```

Being able to log into the web interface as the master user to view a user's mailbox. I have been able to do this using other web mail servers, i.e. iRedMail, Roundcube, SOGo, etc.

(Screenshot: "Screen Shot 2022-11-11 at 12 58 12 PM")

@Spitfireap commented on GitHub (Nov 11, 2022):

Hi, there is an issue with this installer. Could you edit /etc/dovecot/conf.d/10-ssl.conf: replace `!include_try = /etc/dovecot/conf.d/10-ssl-keys.try` with `!include_try /etc/dovecot/conf.d/10-ssl-keys.try`, then run `sudo service dovecot restart`.


@dakolta commented on GitHub (Nov 11, 2022):

I do not have that line in that file and I do not see the /etc/dovecot/conf.d/10-ssl-keys.try file in the directory.
This is the contents of the /etc/dovecot/conf.d directory:
(Screenshot of the /etc/dovecot/conf.d directory listing)


@Spitfireap commented on GitHub (Nov 13, 2022):

Okay, sorry, I misunderstood. The feature is not yet implemented in Modoboa.


@tomas-kucera commented on GitHub (Jan 8, 2023):

Hi there, there are two parts to using the master account:

  • ability to use Modoboa Webadmin to "peek" into users' mailboxes - this one I personally do not miss 😉

  • ability to connect (for example using Python's imaplib) to the users' mailboxes using the master account, for example for bulk mailbox migrations:

    • this one is actually perfectly possible
    • it requires having Allow Mailboxes Access enabled on the SuperAdmin identity
    • if the SuperAdmin does not have an email (which it normally does not have), the login is not possible, as the search is using the login name / username as email, which for standard users is usually identical, but for the SuperAdmins it is empty, and thus the record is never found and thus not authenticated
    • there are two ways to get around it: you can manually update the core_user DB record for the SuperAdmin(s), filling the usernames into the emails (tested and it is working, but I do not like this one), or
    • in the /etc/dovecot/dovecot-sql-master.conf.ext configuration file, within the line `password_query = SELECT email AS user, password FROM core_user WHERE email='%u' and is_active and master_user`, replace email (twice) with username and restart dovecot (maybe reload is enough too)
    • now it is possible to do for example this using imaplib:

```python
import imaplib

# Use one of the two connection types.
# for non-SSL connections
# mailbox = imaplib.IMAP4(host='mail.domain.tld', port=143)

# for SSL connections
mailbox = imaplib.IMAP4_SSL(host='mail.domain.tld', port=993)

# Master-user login: '<mailbox user>*<master user>' with the master user's password
typ, data = mailbox.login('first.last@domain.tld*admin', 'password')

print(mailbox.list())

# close() is only valid after select(); logout() is enough here
mailbox.logout()
```

The `password_query` could also be more sophisticated, such as:

```sql
password_query = SELECT username AS user, password FROM core_user \
  WHERE (username='%u' or email='%u') and is_active and master_user
```

BTW, should @Spitfireap be OK with this (I have not found any issues after this change), I would create a PR for this. 😉

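As an added illustration (not code from this issue or from Modoboa), the snippet below replays the two `password_query` variants quoted in the comment above against a constructed copy of the core_user columns they use, with sqlite3 standing in for PostgreSQL. It shows why a SuperAdmin with an empty email is never matched by the original query, and that under the patched query the row still has to be active and flagged master_user; the login-splitting helper mirrors Dovecot's `<mailbox user>*<master user>` syntax as described in the thread.

```python
import sqlite3

# Constructed sample of the core_user columns the queries touch; not real data.
SAMPLE_USERS = [
    # (username, email, password, is_active, master_user)
    ("first.last@domain.tld", "first.last@domain.tld", "{PLAIN}user-secret", 1, 0),
    ("admin", "", "{PLAIN}admin-secret", 1, 1),       # SuperAdmin, no email
    ("retired", "", "{PLAIN}retired-secret", 0, 1),   # master flag set but disabled
]

# The two password_query variants quoted in the comment above.
ORIGINAL_QUERY = ("SELECT email AS user, password FROM core_user "
                  "WHERE email='%u' and is_active and master_user")
PATCHED_QUERY = ("SELECT username AS user, password FROM core_user "
                 "WHERE (username='%u' or email='%u') and is_active and master_user")


def split_master_login(login: str):
    """Split Dovecot's '<mailbox user>*<master user>' login into its two parts."""
    if "*" not in login:
        return login, None
    mailbox_user, master_user = login.split("*", 1)
    return mailbox_user, master_user


def master_passdb_lookup(master_user: str, query: str):
    """Run a password_query as the master passdb would; returns (user, password) or None."""
    # Dovecot substitutes %u textually; here it is bound as a parameter instead.
    bound = query.replace("'%u'", "?")
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE core_user (username TEXT, email TEXT, "
                 "password TEXT, is_active INTEGER, master_user INTEGER)")
    conn.executemany("INSERT INTO core_user VALUES (?, ?, ?, ?, ?)", SAMPLE_USERS)
    row = conn.execute(bound, (master_user,) * bound.count("?")).fetchone()
    conn.close()
    return row


def resolve(login: str, query: str):
    """Map a full login string to the master passdb row it would match."""
    mailbox_user, master_user = split_master_login(login)
    if master_user is None:
        return mailbox_user, None
    return mailbox_user, master_passdb_lookup(master_user, query)


if __name__ == "__main__":
    for q in (ORIGINAL_QUERY, PATCHED_QUERY):
        print(resolve("first.last@domain.tld*admin", q))
```

Note that the patched query turns the username column into a login identity for the master passdb, so any account with master_user set and a guessable username becomes reachable through the `*` syntax; keep that flag limited to accounts that actually need it.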

@Spitfireap commented on GitHub (Jan 8, 2023):

Feel free to open a PR. Neither I nor @tonioo has worked on this, I believe. Just that from my pov, if you are SuperAdmin then you should be able to access the server and simply rsync the whole dovecot folder of your domain...


@tonioo commented on GitHub (Jan 13, 2023):

That's a feature we could indeed implement in the webmail and I think updating the query is fine for master users.


@hazho commented on GitHub (May 28, 2024):

I highly advise not loading any email (from any inbox) in the web interface while the currently authenticated user is master; there are plenty of security vulnerabilities for such an action. However, listing the emails and opening the email content in a sandboxed interface could be fine (although lots of tests are needed). That being said, the master user should always be able to do any programmatic operations over anything (including the mailboxes), but not load the contents of any email on the web.
