Djigzo uses the "From:" header of the mail to decide which sender
certificate to use. As the header is set by the MUA it is prone to
spoofing and therefore the decision which certificate to use may be
wrong. What is the reason to use the header in this case and not the
envelop sender (MAIL FROM) as it is the case for the recipient?
The database potentialy hold the private keys used for signing and
decryption and should therefore be secured as much as possible. In the
standard installation a default password is used and no obvious
warning is in the documentation that on should at least prevent remote
access to PostgreSQL. This is default for PostgreSQL in some cases but
not in all. If one change the password in hibernate.cfg.xml this file
is world-readable at least when installed by .deb files. Is it
possible to do the following change: Include a warning to protect
access with the Djigzo DB-user and maybe a option to use access
control based on the OS user which is "djigzo" anyway (local socket)
so no handling with passwords is required for the DB.
Is there any documentation which ports are used and what they are used
for? We have the following ports after std. .deb install:
15012 (localhost) --> no problem
9000 (*) --> ??
10025 (*) --> James Mailinput
8443 (*) --> Web-Interface
8282 (*) --> ??
So two ports might be unused but open.