Restrict access to /Help/en/index.html | MDaemon Technologies, Ltd.



  • Hello,

    MDaemon provides a default help page at /Help/en/index.html which is publicly accessible.

    Is there any supported way to restrict access to this page, or to require authentication so only logged-in mail users can view it?

    Any guidance or best practice would be appreciated.

    Thanks.



  • Why are you wanting to hide the help?

    What version of MDaemon are you using?

  • The goal is security hardening.
    Although limited, the public help page exposes the product and release, which allows unauthenticated fingerprinting.

    Since this server is Internet-facing, we’d like to reduce publicly accessible pages that are not required for mail operation.

    We are running MDaemon 25.5.1.

    Is there a supported way to disable the public help pages or restrict them to authenticated WorldClient users only?

    Thanks.


  • There is no way to restrict access when using the built-in web server. There are a couple of options available though.

    1. You can delete the help directory (MDaemon\WorldClient\HTML\Help). Users will also not be able to access the help after you delete it.  The help will be reinstalled the next time you upgrade, so you will need to delete it every time you install a new version. 

    2. Switch to using IIS, and add a URL rewrite rule like the following to the Webmail/Help folder:

    <configuration>
        <system.webServer>
            <rewrite>
                <rules>
                    <rule name="Block Anonymous Help Access" stopProcessing="true">
                        <match url="^[a-zA-Z]{2}/.*\.html$" />
                        <conditions>
                            <add input="{HTTP_COOKIE}" pattern="WCSession" negate="true" />
                        </conditions>
                        <action type="CustomResponse" statusCode="403" subStatusCode="67" statusReason="Forbidden" statusDescription="Webmail Login Required" />
                    </rule>
                </rules>
            </rewrite>
        </system.webServer>
    </configuration>

    After you've added the rule, set the web.config file in the WorldClient\HTML\Help\ directory to be read only or it will be deleted by the installer.

    You may be able to do something similar to the IIS URL rewrite rule with a proxy if you have one running in front of webmail. 
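
A small model of how IIS URL Rewrite evaluates the rule posted above, added here as an example (it is not part of the original reply and not MDaemon code). It assumes the module's defaults (ECMAScript regex, case-insensitive matching, every condition must hold); the request paths, `style.css` and the cookie value are constructed.

```python
import re
import xml.etree.ElementTree as ET

# The <rule> element from the post above, copied unchanged.
RULE_XML = r"""
<rule name="Block Anonymous Help Access" stopProcessing="true">
    <match url="^[a-zA-Z]{2}/.*\.html$" />
    <conditions>
        <add input="{HTTP_COOKIE}" pattern="WCSession" negate="true" />
    </conditions>
    <action type="CustomResponse" statusCode="403" subStatusCode="67" statusReason="Forbidden" statusDescription="Webmail Login Required" />
</rule>
"""


def load_rule(xml_text):
    """Parse the rule into compiled patterns (URL Rewrite ignores case by default)."""
    rule = ET.fromstring(xml_text)
    conditions = [
        (c.get("input"), re.compile(c.get("pattern"), re.I), c.get("negate") == "true")
        for c in rule.findall("./conditions/add")
    ]
    return {
        "url": re.compile(rule.find("match").get("url"), re.I),
        "conditions": conditions,
        "status": int(rule.find("action").get("statusCode")),
    }


def evaluate(rule, rel_path, cookie_header=""):
    """Status the rule forces for rel_path (relative to web.config's folder), or None."""
    if not rule["url"].search(rel_path):
        return None  # URL not covered by the rule: served as usual
    server_vars = {"{HTTP_COOKIE}": cookie_header}
    for name, pattern, negate in rule["conditions"]:
        matched = pattern.search(server_vars[name]) is not None
        if matched == negate:  # condition not satisfied, so the rule does not fire
            return None
    return rule["status"]


if __name__ == "__main__":
    rule = load_rule(RULE_XML)
    # Constructed sample requests; the cookie value and style.css are made up.
    for path, cookie in [("en/index.html", ""), ("EN/Index.HTML", ""),
                         ("en/index.html", "WCSession=constructed-value"),
                         ("en/style.css", "")]:
        print(f"{path!r:18} cookie={cookie!r:32} -> {evaluate(rule, path, cookie)}")
```

The model makes the rule's scope visible: it applies only to `.html` files under a two-letter folder, and its condition tests only that the Cookie header contains the name `WCSession`. Other file types in the Help folder are not touched by it, which is worth checking against the hardening goal stated in the thread.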

