So I've done something I didn't want to do: deployed a PHP-based webmail client on my server. There doesn't seem to be a stable, currently-maintained webmail client that isn't PHP.
Sure enough, less than one day later, the logs are filled with attempts to run PHP remote exploits against it from all over the world.
Yes, I'm running an updated PHP: version 8.1. But am I really supposed to just assume that any and all attacks will fail? PHP has a TERRIBLE security record: historically it's more attack surface than functionality.
So I'm probably going to have to compromise and write something along the lines of the old port-knocking trick to enable the webmail interface when I need it, and turn it off again when I'm done.
I'm still boggled by the fact that nobody ever considers using a serious professional platform designed for grownups when writing webmail clients.
OTOH I can just put basic HTTP auth in front of it. I mean, that's double authentication the first time, but one can just save that login and never see it again in any given browser.
... aaaand done.
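What "basic HTTP auth in front of it" looks like in practice, as an added example that is not the author's configuration: an nginx vhost that demands the credential before any request reaches PHP, so the exploit probes in the logs get a 401 from nginx and never execute a PHP script. It assumes nginx with php-fpm 8.1 on a Unix socket and a webmail document root of /var/www/webmail; the hostname, certificate paths, socket path and writable-directory names are placeholders.

```nginx
# Added example, not the original post's config. Placeholders: mail.example.com,
# certificate paths, /var/www/webmail, the php-fpm socket and the writable dirs.
server {
    listen 443 ssl http2;
    server_name mail.example.com;

    ssl_certificate     /etc/letsencrypt/live/mail.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mail.example.com/privkey.pem;

    root  /var/www/webmail;
    index index.php;

    # Auth is evaluated in nginx's access phase for every request under this
    # server block, i.e. before fastcgi_pass hands anything to PHP. The
    # credential is only base64-encoded, so this must sit behind TLS.
    auth_basic           "webmail";
    auth_basic_user_file /etc/nginx/webmail.htpasswd;

    location / {
        try_files $uri $uri/ /index.php$is_args$args;
    }

    location ~ \.php$ {
        # Only run files that actually exist; blocks "/foo.jpg/x.php" style
        # path-info tricks even for an authenticated client.
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php8.1-fpm.sock;
    }

    # Never execute PHP from directories the application can write to
    # (attachment/cache dirs; names are placeholders for this webmail).
    location ~* ^/(data|temp|uploads)/.*\.php$ {
        return 403;
    }
}

# Redirect plain HTTP so a browser never sends the Authorization header in clear.
server {
    listen 80;
    server_name mail.example.com;
    return 301 https://$host$request_uri;
}
```

Create the credential file with an apr1 hash, which nginx's auth_basic accepts on every platform (bcrypt depends on the libc's crypt()): `printf 'alice:%s\n' "$(openssl passwd -apr1)" >> /etc/nginx/webmail.htpasswd`, then `nginx -t && systemctl reload nginx`. Check that the scanners are now being stopped at the door with `grep ' 401 ' /var/log/nginx/access.log`; if the 401 volume itself bothers you, a fail2ban jail on repeated 401s from one address is the usual companion.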