Which feature or improvement would you like to request?
I'd like to see this feature:
At present, when using Stalwart's (brilliant) feature to get LetsEncrypt certificates, its HTTP (+HTTPS?) interfaces must be exposed to the whole world. From a security perspective this is undesirable - Stalwart installations will get indexed by Google et al, so if ever there's a vulnerability they'll be easy to find and exploit.
That's not just a theoretical concern - two people's Stalwart installations already show up on Google:
To prevent this it'd be nice to have:
- A /robots.txt discouraging search engines from indexing Stalwart installations
- A setting to restrict IP ranges that can connect to the web interface
  - Hits to /.well-known will need to bypass the restriction as LetsEncrypt don't publish the IP ranges their challenges come from.
Is your feature request related to a problem?
I'm having a problem with...
Code of Conduct
I agree to follow this project's Code of Conduct
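The access policy requested in this issue, sketched as an added example that is not part of the original post and is not Stalwart's code: a deny-all robots.txt for everyone, an unrestricted /.well-known prefix, and an IP allowlist for everything else. The allowlist ranges, the function names and the robots.txt body are assumptions; the path is normalized before the prefix check so that a request such as /.well-known/../login does not inherit the exemption.

```python
import ipaddress
import posixpath
from urllib.parse import unquote

# Assumed values for illustration; these are not Stalwart settings.
ALLOWED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "2001:db8::/32")]
EXEMPT_PREFIX = "/.well-known/"
ROBOTS_TXT = "User-agent: *\nDisallow: /\n"


def normalize(raw_path: str) -> str:
    """Drop the query, percent-decode once, and collapse '.'/'..' segments,
    so '/.well-known/../admin' is judged as '/admin'."""
    path = unquote(raw_path.split("?", 1)[0])
    return posixpath.normpath("/" + path.lstrip("/"))


def client_allowed(remote_ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(remote_ip)
    except ValueError:
        return False  # unparseable peer address: fail closed
    # Dual-stack listeners report IPv4 peers as ::ffff:a.b.c.d
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        addr = mapped
    return any(addr in net for net in ALLOWED_NETS)


def decide(remote_ip: str, raw_path: str) -> str:
    """Return 'robots', 'allow' or 'deny' for one request."""
    path = normalize(raw_path)
    if path == "/robots.txt":
        return "robots"  # serve ROBOTS_TXT to every client
    if path.startswith(EXEMPT_PREFIX):
        return "allow"   # ACME validation may come from any address
    return "allow" if client_allowed(remote_ip) else "deny"
```

The decision is only sound if the request is then routed on the same normalized path that was checked.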
Obscurity ain't so bad!
I wouldn't want to worry about one more attack vector either. Ideally, I wouldn't even want to host the webadmin on the same server.
But there is already a change that is cooking for this exact purpose AFAIK.