Hello,
I'm a former Zarafa/Kopano & mailpiler user, and was happy to see piler got into Grommunio as groarchive.
So far so good, I used to have an admin@local and an auditor@local user in piler.
From what I've seen, groarchive has these two users too in the database.
But I am not able to find the passwords for these users.
Which makes me worry if there are default passwords for any groarchive setup.
So I've (quickly) read the setup script, found the corresponding default passwords, and noticed that indeed those are generic passwords which aren't changed at setup time.
It's not my first rodeo, but I'd expect an install process to never leave default passwords, especially when it already does for admin/mysql passwords.
I've not found any mention of the auditor@local account in the grommunio docs (googled around, maybe I'm wrong).
Security-wise, it scares me a bit that I might deploy this solution using default passwords without my knowledge.
Am I missing some important step where it says "please change those passwords" or are my concerns genuine?
If so, I am willing to make a PR to correct this for the grommunio setup script.
Best regards.