Best way to delegate the management of email users (creation, password change and deletion)

Any ideas about the best way to delegate only the management of email users (creation, password change, deletion etc) of a particular domain?

AFAIK HestiaCP doesn’t support fine-grained ACLs like e.g. Virtualmin (see features), so how would you allow another person to manage a domain’s emails without also granting full access to all the rest of HestiaCP services (Web, DBs etc)?

Would you choose to create a custom web-app hosted on the same HestiaCP server that performs those changes over HestiaCP’s API (or even directly, by changing the flat files on disk)?

Or maybe something with XML-RPC or JSON?

Thank you in advance for your insights!
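One shape the custom web-app idea above could take, as an added example that is not HestiaCP’s own code nor anything from this thread: a small delegation gate that only ever forwards the three mail-account commands, and only for one domain fixed on the server side, so the delegate never gets to choose a v-* command or a domain. The HestiaCP user, domain and API key are placeholders; the form-field names (hash, cmd, argN, returncode) follow the HestiaCP API convention and are an assumption here.

```python
"""Delegation gate for HestiaCP mail-account management (added example, not HestiaCP code).

The delegate (e.g. a small web app) can only trigger the three mail-account
commands below, and only for the domain fixed here; every other v-* command
and every other domain is refused before anything reaches the HestiaCP API.
"""
import re
import urllib.parse
import urllib.request

# Delegated v-* commands. CLI argument order: USER DOMAIN ACCOUNT [PASSWORD].
ALLOWED = {
    "create": "v-add-mail-account",
    "password": "v-change-mail-account-password",
    "delete": "v-delete-mail-account",
}
ACCOUNT_RE = re.compile(r"^[a-z0-9][a-z0-9._-]{0,63}$")  # constructed mailbox-name policy
MIN_PASSWORD_LEN = 12

# Constructed placeholders: the HestiaCP user owning the domain, the one domain
# the delegate may manage, and the API key (never the admin password).
HESTIA_USER = "hestiauser"
DELEGATED_DOMAIN = "example.com"
API_KEY = "API_KEY_PLACEHOLDER"


class DelegationError(ValueError):
    """Raised for any request outside the delegated scope."""


def build_api_payload(action, account, password=None):
    """Return the form fields for one delegated action, or raise DelegationError."""
    if action not in ALLOWED:
        raise DelegationError(f"action not delegated: {action!r}")
    if not ACCOUNT_RE.match(account):
        raise DelegationError("mailbox name rejected")
    args = [HESTIA_USER, DELEGATED_DOMAIN, account]
    if action in ("create", "password"):
        if not password or len(password) < MIN_PASSWORD_LEN:
            raise DelegationError("password too short")
        args.append(password)
    # Field names follow the HestiaCP API convention (hash=<api key>, cmd, argN); assumed here.
    payload = {"hash": API_KEY, "returncode": "yes", "cmd": ALLOWED[action]}
    for i, value in enumerate(args, start=1):
        payload[f"arg{i}"] = value
    return payload


def send_to_hestia(payload, base_url="https://panel.example.com:8083"):
    """POST the payload to /api/ and return the numeric return code (real network call)."""
    data = urllib.parse.urlencode(payload).encode()
    with urllib.request.urlopen(f"{base_url}/api/", data=data, timeout=10) as resp:
        return int(resp.read().decode().strip())
```

The API key used by this gate should still be locked down on the HestiaCP side (allowed source IPs), since the gate only narrows what the delegate can ask for, not what the key itself could do.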

Why not have the email on a different server?

That’s the way I work.

1 server for DNS + email
N servers for web hosting

Directly editing flat files is a bad idea, as it would require root access.

Probably the API is the easiest method.

Maybe grant access with an appropriate sudoers.d config?

I will have to check which functions the API exposes with regard to user management …

API exposes all v-* endpoints

You can even do more things via the API than via the Web GUI.

(That is why we locked it down a lot recently)

Are you referring to this commit, or have there been other changes that I missed?

Yes. Also a stricter policy: when a wrong key is entered 5x, it will ban.
Allowing access via certain IPs only is enabled by default.
And so on …

I see … bin/v-check-api-key logs failed attempts in $HESTIA/log/auth.log

and fail2ban/jail.local includes a rule to ban after 5 failures (either WebGUI or API):

enabled  = true
filter   = hestia
action   = hestia[name=HESTIA]
logpath  = /var/log/hestia/auth.log
maxretry = 5

Currently I don’t use HestiaCP’s firewall nor fail2ban, because I still prefer my own iptables setup with several ipsets. I just hope that HestiaCP won’t ever change my iptables ruleset by accident.

Btw, an interesting tool which can complement fail2ban is CrowdSec.