[doublerabbit]

That it was running from the root directory.

Tell me you hadn't planned to keep it in /root/?

If anyone uploaded a malicious file, they could potentially gain access to the whole system.

Especially as this is an email client that allows attachments.

[kq4gvp]

I haven’t planned to keep it in /root. It ran as a separate user, but in that directory. Plus that thing only contains the homepage and the form, not emails, accounts, attachments, etc. That’s also ran as a separate user (as mailcow is dockerised)