Security

Introduction

If security isn't a concern for you, it really should be; security is one of those things that, if you don't pay attention to it, you may really pay for later. With Mojo Mail, your top security issues are:

The last reason is the most important; your subscribers most likely gave you their email addresses in confidence; it's your obligation to keep them secure.

To start out, there are NO known backdoors in Mojo Mail; not even ones we may have put in for, um, security purposes. There is no way to log into a list without knowing either the list password or the root password.

I suggest that you keep current on the latest versions of Mojo Mail, either through the version check feature in the list control panel, or through an email list.

Encrypt Your Root Password

You may have noticed that your Mojo Root Password, by default, is very easy to read in the config file. Normally you shouldn't be able to see the .mojo_config or the Config.pm file from your web browser, but you may have the root password set in an outside file, or for some reason the Config.pm file may be easily viewable. Whatever the case is, encrypt that sucker. This takes a few steps, but is entirely worth it. I never install a copy of Mojo Mail without doing this step.

Mojo Mail comes with a simple utility to encrypt passwords. Try going to:

 http://yoursite.com/cgi-bin/mojo/mojo.cgi?f=pass_gen

You'll be presented with a form that allows you to type in a password, which it will then encrypt. Use this encrypted password as your root password AND set the variable $ROOT_PASS_IS_ENCRYPTED to '1'. This form cannot be used to help guess your root password.

 $ROOT_PASS_IS_ENCRYPTED = 1;

All list passwords are encrypted by default, and there really is no way to decrypt them except by guessing every possible combination.

Remember, you can log into any list using the Mojo Root Password, and you may then have access to more features.

Hide Your Administration Area

This may seem like a simple thing, but hiding the Administration link on the main mojo.cgi screen may stop a curious person from trying anything further. This is as easy as setting the $SHOW_ADMIN_LINK variable to '0':

 $SHOW_ADMIN_LINK = 0;

Poof. No more administrator link. You can still get to the administration screen by going to the URL:

 http://yoursite.com/cgi-bin/mojo/mojo.cgi?f=admin

Allow Administration Access to Specific Addresses

You can restrict which IP addresses have access to Mojo Mail's administration sections. List the addresses of the computers that should be allowed in the @ALLOWED_IP_ADDRESSES array:

        # Example addresses only; replace them with your own. Each octet
        # must be 0-255, so an entry like 123.456.67.678 can never match.
        @ALLOWED_IP_ADDRESSES = qw(
                127.0.0.1
                192.0.2.10
                192.0.2.11
                192.0.2.12
        );

You cannot use pattern matching when listing these addresses.
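The check described above, as an added example that is not Mojo Mail's own code: it compares the CGI client address against an allow list by exact string match (no patterns), and first flags entries that are not well-formed IPv4 addresses, since those can never match. The function names and the use of $ENV{REMOTE_ADDR} are assumptions about how such a check would be wired in.

```perl
#!/usr/bin/perl
# Added example, not Mojo Mail's own code. Exact-match IPv4 allow-list
# check for the administration area, with validation of each entry.
use strict;
use warnings;

# Constructed sample list; 192.0.2.0/24 is the RFC 5737 documentation
# range. The third entry is deliberately malformed to show the warning.
my @ALLOWED_IP_ADDRESSES = qw(
    127.0.0.1
    192.0.2.10
    123.456.67.678
);

# True only for a dotted quad whose four octets are all in 0..255.
sub is_valid_ipv4 {
    my ($ip) = @_;
    return 0 unless defined $ip
        && $ip =~ /\A(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\z/;
    for my $octet ($1, $2, $3, $4) {
        return 0 if $octet > 255;
    }
    return 1;
}

# Warn about entries that can never match, so a typo in the config does
# not silently leave an address unprotected or locked out.
sub check_allow_list {
    my @bad = grep { !is_valid_ipv4($_) } @ALLOWED_IP_ADDRESSES;
    warn "Ignoring malformed allow-list entry: $_\n" for @bad;
    return grep { is_valid_ipv4($_) } @ALLOWED_IP_ADDRESSES;
}

# Exact string comparison only: no wildcards and no CIDR ranges, matching
# the documented rule that pattern matching is not supported here.
sub admin_access_allowed {
    my ($remote_addr, @allowed) = @_;
    return 0 unless is_valid_ipv4($remote_addr);
    return (grep { $_ eq $remote_addr } @allowed) ? 1 : 0;
}

my @allowed = check_allow_list();
# The CGI gateway sets REMOTE_ADDR to the TCP peer address.
my $client = defined $ENV{REMOTE_ADDR} ? $ENV{REMOTE_ADDR} : '127.0.0.1';
print admin_access_allowed($client, @allowed)
    ? "admin access allowed for $client\n"
    : "admin access denied for $client\n";
```

REMOTE_ADDR is the address of the directly connected peer; if the site sits behind a reverse proxy it will be the proxy's address, and forwarded-for headers should not be trusted for this decision unless the proxy is known to set them.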

Secure Your List Files

Do not, under any circumstances, save any of your list information under your public html directory. Otherwise anyone with a web browser and some time to snoop will find your list files. Bad idea. Put them somewhere other than under your public html directory, perhaps in your home directory. On Unix systems, files and directories that begin with a dot '.' are not shown by some programs that list directories, such as the 'ls' command, web browsers and many FTP programs. Although there are simple ways around this little convention, it doesn't hurt to practice it. This is how we set up Mojo Mail in the Advanced Installation Chapter.

You also want to set the permissions of any directories that hold Mojo Mail list information as restrictively as possible. Sadly, to function properly, this may mean setting the permissions to '777'. Ask your sys admin if there is any way you can store your list information in a different, more secure location, or if you can set the permissions on these directories lower. I usually set any directories with Mojo Mail information in them to '644', which allows people to view files, but they cannot create new files or edit/delete the ones there.

I know my hosting environment and know what kind of access other people have to my account. For instance, I know that when you're logged into an account on the server via FTP, you can only view and navigate your home directory, nothing above. It's good to do your homework on the hosting company and see what they offer for general account security.

You may also find that saving your list subscribers in an SQL database provides more security. SQL servers themselves usually require a separate password for access.

The Mojo Mail Magic book is Copyright © 2003 Justin Simoni