[Dovecot] Accessing plain text password from memory

Rick Romero rick at havokmon.com
Fri Dec 13 17:05:14 EET 2013


Quoting Stanislas SABATIER <s.sabatier at pobox.com>:

> Is there a way to retrieve the client's password in plain text from memory?
>
> I don't store the password in plain text in my PostgreSQL but I need it
> when the client is connected to make crypto computation.

Hi Stan,

I hope you're not trying to copy Lavabit. Saying you don't have access to
mailbox contents on your own equipment would be a flat-out lie.

1. You have the password in memory. Simply set the debug flags and you can
retrieve the password, as Lavabit did, to decrypt the mailbox. Their claim
of 'our policy is not to run in debug mode, therefore we can't access your
data' is not actually a form of security.
2. SMTP is in plain text. After the existing mail is read, any incoming or
outgoing mail is easily CC'd to a 'monitoring' mailbox based on SMTP Auth
or RCPT TO.

If it's not mailbox encryption, sorry (you have no idea how much I detest
that Lavabit guy for his lies), but if it is, then it's nothing more than a
programming exercise.

Rick
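The two operator-side paths Rick lists, password logging on the IMAP side and a silent copy of traffic on the SMTP side, both correspond to ordinary server settings. The script below is an added example, not code from the thread or from the Dovecot project: it parses the `key = value` style shared by dovecot.conf and Postfix main.cf and flags the settings that open each path. The sample configs are constructed for the example, and treating the MTA as Postfix is an assumption (the post only says "SMTP"). Dovecot's `auth_debug_passwords` and `auth_verbose_passwords`, and Postfix's `always_bcc`, `sender_bcc_maps` and `recipient_bcc_maps`, are real settings.

```python
"""Audit a Dovecot config and a Postfix config for operator-side interception
settings: client passwords written to the auth log, and mail BCC'd elsewhere.

Added example beside the mailing-list post, not Dovecot's or Postfix's own
tooling. Sample configs are constructed; the Postfix side is an assumption.
"""
import re

# Dovecot settings that put the client's password (or a recoverable form of it)
# into the log. auth_verbose_passwords accepts no/plain/sha1, optionally with a
# ':N' truncation suffix, so anything other than "no" is reported.
DOVECOT_PASSWORD_LEAKS = {
    "auth_debug_passwords": lambda v: v == "yes",
    "auth_verbose_passwords": lambda v: v not in ("no", ""),
}

# Postfix settings that copy mail to another destination regardless of the
# user's wishes, selected by sender, recipient, or unconditionally.
POSTFIX_BCC_SETTINGS = ("always_bcc", "sender_bcc_maps", "recipient_bcc_maps")


def parse_kv_config(text):
    """Parse `key = value` lines as used by dovecot.conf and Postfix main.cf.

    Comments and blank lines are dropped. Postfix continuation lines (leading
    whitespace) are appended to the previous value. Dovecot section blocks
    such as `passdb { ... }` are skipped, which is enough for the global
    auth_* keys and the Postfix keys this audit looks at.
    """
    settings = {}
    last_key = None
    depth = 0
    for raw in text.splitlines():
        line = raw.rstrip()
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if stripped.endswith("{"):
            depth += 1
            continue
        if stripped == "}":
            depth -= 1
            continue
        if depth:
            continue
        if line[0].isspace() and last_key:
            settings[last_key] = (settings[last_key] + " " + stripped).strip()
            continue
        m = re.match(r"([A-Za-z0-9_]+)\s*=\s*(.*)$", stripped)
        if m:
            last_key = m.group(1)
            settings[last_key] = m.group(2).strip()
    return settings


def audit_dovecot(text):
    """Return one finding per Dovecot setting that exposes client passwords."""
    s = parse_kv_config(text)
    return [f"{k} = {s[k]}: client passwords are written to the auth log"
            for k, is_bad in DOVECOT_PASSWORD_LEAKS.items()
            if k in s and is_bad(s[k])]


def audit_postfix(text):
    """Return one finding per non-empty Postfix BCC setting."""
    s = parse_kv_config(text)
    return [f"{k} = {s[k]}: mail is copied to a monitoring destination"
            for k in POSTFIX_BCC_SETTINGS if s.get(k)]


# Constructed sample: a Dovecot config with both password-logging knobs on.
SAMPLE_DOVECOT_CONF = """\
# constructed sample, not a real server's config
protocols = imap lmtp
auth_mechanisms = plain login
auth_debug = yes
auth_debug_passwords = yes
auth_verbose_passwords = plain
passdb {
  driver = sql
  args = /etc/dovecot/dovecot-sql.conf.ext
}
"""

# Constructed sample: the same config with password logging off.
HARDENED_DOVECOT_CONF = """\
protocols = imap lmtp
auth_mechanisms = plain login
auth_debug_passwords = no
auth_verbose_passwords = no
"""

# Constructed sample: Postfix main.cf with per-recipient and per-sender BCC maps
# (the second one split across a continuation line) and an empty always_bcc.
SAMPLE_MAIN_CF = """\
# constructed sample, not a real server's config
myhostname = mail.example.com
smtpd_sasl_auth_enable = yes
recipient_bcc_maps = hash:/etc/postfix/recipient_bcc
sender_bcc_maps =
    hash:/etc/postfix/sender_bcc
always_bcc =
"""

if __name__ == "__main__":
    for finding in audit_dovecot(SAMPLE_DOVECOT_CONF) + audit_postfix(SAMPLE_MAIN_CF):
        print(finding)
```

Turning both settings off only changes the log, not Rick's underlying point: the IMAP process still holds the plaintext password while the client is connected, and whoever administers the box can re-enable the setting or add a BCC map at any time. An audit like this tells you the current state of a server, which is the most a "policy" can ever amount to.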


