Manuel makes an extremely valid point here, and I would back up this request and ask that sub-administrator accounts be subject to rules set by the SmarterMail admin account when the domain is created.
Current, any additional admin account can do anything the primary administrator account can do, including changing the primary domain administrator's password.
Secondary domain administrators can also delete the primary administrator account.
This issue needs to be addressed ASAP! At the very least:
- Secondary domain administrators should NOT be able to change the primary domain administrator account passwords.
- Secondary domain administrators should NOT be able to delete the primary domain administrator account.
I would take this so far as to propose additional "administrative levels."
- Primary administrator: create and delete user accounts; change passwords; create, enable and disable CUSTOM CSS and COLOR for entire domain;
- Second level administrator: create and delete user accounts; change passwords on all accounts -- with the EXCEPTION of the primary administrator; can modify newsletters created, and administrated by, all Mailing list administrators;
- Third level administrator: change passwords on third level accounts only; no user creation, deletion or modification; can modify newsletters created and administrated by all Mailing list administrators;
- Mailing list administrator: can create, modify and delete ASSIGNED mailing lists only; no user creation, deletion or modification; no password changes; no modifications to any mailing lists except those to which he or she is assigned.
The above listed security levels are suggestions only.
EDIT NOTE: Items #2, #3 and, #4 were edited on 2014/10/09 at 0749 hours CDT
Other SmarterMail administrators may have additional administrative level security suggestions, but lower level administrator accounts should never be able to modify or compromise the integrity of any higher level administrative level account.
Thanks, in advance, SmarterTools, for delving further into this very important issue.
Phonr: (773) 491-9019
Phone: (224) 444-0169
E-Mail and DNS Security Specialist
Network Security Specialist
Customer Service Portal: https://portal.chicagonettech.com
Security Blog: http://networkbastion.blogspot.com/
Web and E-Mail Hosting, E-Mail Security and Consulting