Nero-XY
commented
7 months ago Is there any way we can integrate a non-default-password for the setup process in the foreseeable future? I would be happy to help testing and/or provide a server to test :)
Open Nero-XY opened 1 year ago
Nero-XY
commented
7 months ago Is there any way we can integrate a non-default-password for the setup process in the foreseeable future? I would be happy to help testing and/or provide a server to test :)
Summary
When installing mailcow, the default user is
"admin"with the password"moohoo". For improved security it would be better to use a random or custom password. The password could either be generated and shown to the user while the installation script runs, or it could be set by the user in a config file e.g.mailcow.conf. The approach where a random password is generated and displayed to the user is already used by themailcow-reset-admin.shscript.Motivation
When a server is accessible over the internet, it gets constantly attacked. One form of these attacks is trying to brute force logins. A attacker could tailor a attack to try publicly known default credentials. This increases the risk that an attacker could gain access to a freshly installed mailcow instance before the user had the chance to change the default password.
Additional context
Here are two rather old pull requests that asked for the same thing: https://github.com/mailcow/mailcow-dockerized/issues/1245 https://github.com/mailcow/mailcow-dockerized/pull/1247