Cloudron makes it easy to run web apps like WordPress, Nextcloud, GitLab on your server. Find out more or install now.


Skip to content
  • Categories
  • Recent
  • Tags
  • Popular
  • Bookmarks
  • Search
Skins
  • Light
  • Cerulean
  • Cosmo
  • Flatly
  • Journal
  • Litera
  • Lumen
  • Lux
  • Materia
  • Minty
  • Morph
  • Pulse
  • Sandstone
  • Simplex
  • Sketchy
  • Spacelab
  • United
  • Yeti
  • Zephyr
  • Dark
  • Cyborg
  • Darkly
  • Quartz
  • Slate
  • Solar
  • Superhero
  • Vapor

  • Default (No Skin)
  • No Skin
Collapse
Brand Logo

Cloudron Forum

Apps | Demo | Docs | Install
  1. Cloudron Forum
  2. Feature Requests
  3. App Passwords per mailbox

App Passwords per mailbox

Scheduled Pinned Locked Moved Feature Requests
3 Posts 3 Posters 643 Views 3 Watching
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • marcusquinnM Offline
    marcusquinnM Offline
    marcusquinn
    wrote on last edited by marcusquinn
    #1

    When using an App Password for a Group mailbox, it effectively also could be used for access to the main user mailbox too.

    I'm not too sure on the best solution, perhaps app passwords per-mailbox?

    The point is that currently they could provide a false sense of security, especially if saved into a DB that doesn't store encrypted or the app passwords are shared for a group mailbox setup without realising they can provide access to any of that user's permitted mailboxes.

    Personal mailboxes are a high-value attack vector for their ability to then reset any passwords connected to that email, hence I think this needs a bit more thought.

    Web Design https://www.evergreen.je
    Development https://brandlight.org
    Life https://marcusquinn.com

    ? 1 Reply Last reply
    3
    • marcusquinnM marcusquinn

      When using an App Password for a Group mailbox, it effectively also could be used for access to the main user mailbox too.

      I'm not too sure on the best solution, perhaps app passwords per-mailbox?

      The point is that currently they could provide a false sense of security, especially if saved into a DB that doesn't store encrypted or the app passwords are shared for a group mailbox setup without realising they can provide access to any of that user's permitted mailboxes.

      Personal mailboxes are a high-value attack vector for their ability to then reset any passwords connected to that email, hence I think this needs a bit more thought.

      ? Offline
      ? Offline
      A Former User
      wrote on last edited by
      #2

      @marcusquinn I think a good way to go about this is to keep the top level app passwords but add the ability to restrict them to specific apps/api endpoints/mailboxes one has access to.

      1 Reply Last reply
      1
      • girishG Offline
        girishG Offline
        girish
        Staff
        wrote on last edited by
        #3

        I think this feature makes sense. Just like we can restrict app passwords to specific apps, we want to extend the functionality to restrict to specific mailboxes.

        1 Reply Last reply
        2
        Reply
        • Reply as topic
        Log in to reply
        • Oldest to Newest
        • Newest to Oldest
        • Most Votes


        • Login

        • Don't have an account? Register

        • Login or register to search.
        • First post
          Last post
        0
        • Categories
        • Recent
        • Tags
        • Popular
        • Bookmarks
        • Search