• Please be aware: Kaspersky Anti-Virus has been deprecated
    With the upgrade to Plesk Obsidian 18.0.64, "Kaspersky Anti-Virus for Servers" will be automatically removed from the servers it is installed on. We recommend that you migrate to Sophos Anti-Virus for Servers.
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Plesk Email Security (PES); email user logs into Plesk, PES page : access denied

T

TomBoB

Silver Pleskian
Username:

TITLE

Plesk with PES; email user logs into Plesk, PES page : access denied

PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE

Plesk 18.0.52 #2, AlmaLinux 8.7 latest updates

PROBLEM DESCRIPTION

Use Plesk with PES. When email user logs into Plesk to check (and adjust) his security settings, an "access denied" warning shows and the page doesn't load.

STEPS TO REPRODUCE

Use Plesk with PES. Have email account allowed to log in via Plesk login page. Log in. Click in menu "Plesk Email Security."

ACTUAL RESULT

"access denied" and page never loads

EXPECTED RESULT

shows page

ANY ADDITIONAL INFORMATION

(DID NOT ANSWER QUESTION)

YOUR EXPECTATIONS FROM PLESK SERVICE TEAM

Confirm bug
 
Yes, done that. No effect. Still showing "access denied".
Have checked above on 8 production servers - same symptom.
 
The users who are affected, do they have the "create and manage websites" permission? Or are they mail only users? I am asking, because for the security configuration settings, the "create and manage websites" permission is necessary (PPS-13714, PPS-13571).
 
Hi Peter, no they do not have the "create and manage websites" permission. They are mail users only.

>for the security configuration settings, the "create and manage websites" permission is necessary

Ok, that does explain the scenario our clients are encountering.
Please allow me to be a little incredulous...
I'm 100% certain that this used to work for all mail users in the past.

For purpose of testing I've now enabled for a normal email users the "create and manage websites" permission. Result: when they log into Plesk using their email address they can enable/disable all kinds of important settings to do with the hosting. Can't have that under any circumstances !!!

We need it back to how it used to be:
Ordinary email user logs into Plesk using his/her email address. PES option in the menu works. In there the user can change the spam detection level for example, or choose: don't put in spam folder, but rather mark it as spam.
Nothing else.
How do we achieve that?

Please see attached files. One - what we see when logged in as admin. Two - what used to be shown when a normal email user with no other permissions but "Can be used to log in to Plesk" enabled. Now that doesn't show anymore, only the "access denied" error.

IMHO, something with the allocation of permissions went wrong in Plesk. Above used to work nicely, now it doesn't anymore. Hence me filing the bug report.
 

Attachments

  • Plesk email settings admin.jpg
    Plesk email settings admin.jpg
    59.5 KB · Views: 10
  • Plesk email settings email user.jpg
    Plesk email settings email user.jpg
    56.4 KB · Views: 10
We are aware of it, but it is expected behavior. There has been a discussion internally on the topic, but we concluded it needs to be a user request for a feature that users without "create and manage websites" should still have the permission to edit security settings. It is correct that in earlier versions of Plesk this has worked, but it also enabled bad actors to enable themselves for things that the account owner would not want. For security reasons the permission was removed from users who were not also entitled to edit account settings.

If you believe that this should be a separate setting, please formulate it as a feature request on Feature Suggestions: Top (1808 ideas) – Your Ideas for Plesk .
 
Thanks for explaining :) Will pass it on to our clients. They'll just have to go through the sites admin going forward. If explained in a security context they'll accept it. :)
Thanks Peter!
 
I'd like to pick this up again. Just had a call from an "aggravated" client. The way it currently behaves - clicking Plesk Email Security and getting nothing but an forever loading empty page and an alert "access denied" - serves no purpose at all. [Except to have clients wonder what is wrong with the panel].

I'd like to suggest: If the permissions stay as they currently are - normal users can't see those permissions anymore - please hide the "Plesk Email Security" option in the left menu altogether. If the end clients can't see it, they can't click it.
Currently is just causes wasted support time and unhappy clients.
 
You must log in or register to reply here.

Similar threads

P
Outgoing Mail Control permission denied on CentOS
Replies
8
Views
425
Sebahat.hadzhi
Sebahat.hadzhi
T
Forwarded to devs MFA learnMoreURL parameter not working
Replies
1
Views
840
Sebahat.hadzhi
Sebahat.hadzhi
J
Resolved DOMAIN ALIAS - Emails not being forwarded
Replies
1
Views
365
Sebahat.hadzhi
Sebahat.hadzhi
G
Resolved Emails not being blocked by server wide mail settings/blacklist
Replies
4
Views
916
gregconway
G
Azurel
Forwarded to devs After deleting a subdomain, the empty folder remains in the subscription root
Replies
4
Views
480
Azurel
Azurel
Back
Top