SECURITY.txt 1.5 KB

Security and PostfixAdmin
-------------------------

While the developers of PostfixAdmin believe the software to be
secure, there is no guarantee that it will continue to be so
in the future - especially as new types of exploit are discovered.
(After all, this software is without warranty!)

In the event you do discover a vulnerability in this software,
please report it to the development mailing list, or contact
one of the developers directly.

DATABASE USER SECURITY
----------------------

You may wish to consider the following:

1. Postfix only requires READ access to the database tables.

2. The virtual vacation support (if used) only needs to WRITE to
   the vacation_notification table (and read alias and vacation).

3. PostfixAdmin itself needs to be able to READ and WRITE to
   all the tables.

4. PostfixAdmin's setup.php additionally needs permissions to CREATE
   and ALTER tables in the PostfixAdmin database. For PostgreSQL,
   permissions for CREATE FUNCTION and CREATE TRIGGER are also needed.
   In other words: setup.php needs all permissions on the PostfixAdmin
   database.

Using the above, you can improve security by creating separate
database user accounts for each of the above roles, and limiting
the permissions available to them as appropriate.
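
The four roles above expressed as MySQL/MariaDB grants, as an added
example that is not part of PostfixAdmin's own documentation. The
database name `postfix`, the account names, the host and the passwords
are assumptions; READ is taken as SELECT and WRITE as INSERT, UPDATE
and DELETE.

```sql
-- Added example, MySQL/MariaDB syntax. Assumed (not from SECURITY.txt):
-- database `postfix`, all account names, host 'localhost', and the
-- placeholder passwords, which must be replaced.

-- 4. setup.php: all permissions, but only on the PostfixAdmin database.
--    Created first because the table-level grants further down require
--    the tables to exist already.
CREATE USER 'pfa_setup'@'localhost' IDENTIFIED BY 'CHANGE_ME_SETUP';
GRANT ALL PRIVILEGES ON postfix.* TO 'pfa_setup'@'localhost';

-- 1. Postfix lookups: read-only on the database tables.
CREATE USER 'postfix_ro'@'localhost' IDENTIFIED BY 'CHANGE_ME_POSTFIX';
GRANT SELECT ON postfix.* TO 'postfix_ro'@'localhost';

-- 2. Virtual vacation: read alias and vacation, write only to
--    vacation_notification. SELECT is included on that table so that
--    UPDATE and DELETE statements can use a WHERE clause.
CREATE USER 'pfa_vacation'@'localhost' IDENTIFIED BY 'CHANGE_ME_VACATION';
GRANT SELECT ON postfix.alias    TO 'pfa_vacation'@'localhost';
GRANT SELECT ON postfix.vacation TO 'pfa_vacation'@'localhost';
GRANT SELECT, INSERT, UPDATE, DELETE
    ON postfix.vacation_notification TO 'pfa_vacation'@'localhost';

-- 3. PostfixAdmin web interface: read and write rows in all tables,
--    with no CREATE, ALTER or DROP.
CREATE USER 'pfa_web'@'localhost' IDENTIFIED BY 'CHANGE_ME_WEB';
GRANT SELECT, INSERT, UPDATE, DELETE ON postfix.* TO 'pfa_web'@'localhost';

-- Review the result: no account other than pfa_setup should list
-- ALL PRIVILEGES, CREATE or ALTER, and none should hold grants on *.*
-- beyond USAGE.
SHOW GRANTS FOR 'postfix_ro'@'localhost';
SHOW GRANTS FOR 'pfa_vacation'@'localhost';
SHOW GRANTS FOR 'pfa_web'@'localhost';
SHOW GRANTS FOR 'pfa_setup'@'localhost';
```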

FILE SYSTEM SECURITY
--------------------

PostfixAdmin does not require write access to the underlying
filesystem, with the following exceptions:

- the templates_c directory where Smarty caches the templates
- PHP's session.save_path to store session files