Creation of Alias as "admin email id" for admin email id should be forbidden?
dcRUSTy opened this issue · 2 comments
https://github.com/r0hi7/Trashemail/blob/fcb1903e55a8e53026918e23f58ee94e545c101d/src/main/resources/application.yml#L10
A user can create the alias "contact@trashemail.in" for the admin email id "contact@trashemail.in" and get incoming mail on Telegram. Security issue?
@dcRUSTy thanks for pointing this out, but there is a catch (or many).
First of all, it's the responsibility of the admin to take care of the fact that no one should be able to get such an alias to the admin account, so in my current deployment with mailinabox I have not set the target alias to any admin account.
Secondly, there could be multiple admin email accounts on the server, which will not be available to this service at all, so keeping track of just one makes no sense.
Thirdly, in the current scenario, the mail server will simply reject that incoming request to create an alias for the admin account and will throw a response to the TG client as "Email already taken".
Do let me know if I have understood your question correctly. Right now marking it as "wont fix" and closing.
I thought the admin email was "contact@trashemail.in"; if not, all righty then :)
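
Added example, not part of the thread or the Trashemail code base: one way a service could refuse alias requests that collide with operator mailboxes before the request ever reaches the mail server, using a list of protected addresses rather than a single admin id. The function names, the reserved-name list, the service-domain rule and the `ops@` address are assumptions made for illustration; only `contact@trashemail.in` comes from the issue.

```python
import unicodedata

# Assumed policy list: RFC 2142 role mailboxes plus common admin names.
RESERVED_LOCAL_PARTS = frozenset({
    "postmaster", "abuse", "hostmaster", "webmaster", "security",
    "noc", "admin", "administrator", "root",
})

# Constructed sample configuration: several operator mailboxes, not just one.
PROTECTED = {"contact@trashemail.in", "Ops@trashemail.in"}


def normalize(address: str) -> tuple[str, str]:
    """Return (local, domain) in a canonical form suitable for comparison."""
    # NFKC folds look-alike forms such as full-width letters into ASCII.
    address = unicodedata.normalize("NFKC", address.strip())
    local, sep, domain = address.rpartition("@")
    local = local.casefold().split("+", 1)[0]  # drop "+tag" sub-addressing
    domain = domain.casefold().rstrip(".")
    if not sep or not local or not domain:
        raise ValueError("not an email address")
    return local, domain


def alias_allowed(requested: str, protected: set[str],
                  service_domain: str) -> tuple[bool, str]:
    """Decide whether a user may claim `requested` as an alias."""
    try:
        local, domain = normalize(requested)
    except ValueError as exc:
        return False, str(exc)
    if domain != service_domain.casefold():
        return False, "alias must be on the service domain"
    if local in RESERVED_LOCAL_PARTS:
        return False, "reserved role address"
    if (local, domain) in {normalize(p) for p in protected}:
        return False, "address belongs to an operator mailbox"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("contact@trashemail.in", "Contact+tg@TrashEmail.in",
                      "postmaster@trashemail.in", "alice@trashemail.in"):
        print(candidate, alias_allowed(candidate, PROTECTED, "trashemail.in"))
```

A check like this complements the mail server's own rejection: it only covers mailboxes the service has been told about, so the server-side refusal remains the backstop for accounts the service cannot see.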