Mail accounts with access to WP Toolkit

[Duarte N]

Server operating system version

Windows Server 2022

Plesk version and microupdate number

Plesk Obsidian v18.0.56

Hi everyone,

When creating an email account, by default the "Can be used to log in to Plesk" box is checked.

If left checked, the created user has the role of "application user" and if they log in to plesk they have access to the WP Toolkit and manage the website in this way.

On the other hand, in the "application user" role there are no permissions relating to the WP Toolkit.

This situation concerns us in terms of security.
First, the option "Can be used to log in to Plesk" should not be enabled by default.
Second, what really worries us, you should not have access to the WP Toolkit unless this is explicitly allowed in the role.

 

[Kaspar]

You're right, I don't think application users should have access to the WPT by default. I've created a bug report for this issue.

First, the option "Can be used to log in to Plesk" should not be enabled by default.

I agree with you on this one. Sadly a feature request to change this has been turned down.

 

[Maarten]

A couple of weeks ago, I discussed with Plesk Support the role a mail user gets when it is created. That should be a Mail User, not an Application User. That role doesn't exist but can be created easily. It only needs access to the spam filter and antivirus settings.

When creating the mail account, you can use the Event Manager with the 'Mail Account Created' event to change the role using a script.

Here is a step-by-step instruction:

1. Create a script, for example # touch /usr/local/psa/bin/script.sh
2. Change the permission with # chmod 655 /usr/local/psa/bin/script.sh
3. Edit the script and add the following content:

!/bin/bash
plesk bin user --update ${NEW_MAILNAME} -role 'Mail User'

After creating the script, go to Plesk > Tools & Settings > Event Manager > Add Event Handler and add the path to the script in the command box, for example: ./usr/local/psa/bin/script.sh

Now, on email creation, the role will be updated to 'Mail User'

 

[Maarten]

By the way, I have two Plesk servers with mail accounts that do have that Mail User role. I'm sure I didn't create them. It must have been a role that that particular Plesk version used at that time. However, I couldn't find any reference in the docs, and neither could Plesk Support.
My guess is that somewhere in the past, the mail account role changed from Mail User to Application User upon creation of a mail account.

 

[Duarte N]

In our case, mail users don't even know that Plesk exists. A hosting control panel is to be used by the hosting client, who manages the service and passes parameters to end users (be it the URL to access webmail or data to configure Outlook, etc.).

We are polluting the Plesk database with users who will never log in to Plesk and, more seriously, increasing the attack surface of the mail service.

Furthermore, this most recent bug warns of other potential risks.

I made a script that deletes user from the smb_users table and puts userId=0 in the mail table. But it's not an approach I recommend and I'm just testing it. @Maarten's solution is more secure, but it irritates me to see a database with hundreds of users that shouldn't exist. Ideally, the user would not even be created.