[Dovecot] Accessing plain text password from memory

Rick Romero rick at havokmon.com
Fri Dec 13 19:09:09 EET 2013


As long as you're not claiming that you can't access the data, then I  
won't get uppity :)

Though I honestly don't see any advantage to the approach you're  
taking.  It was useless for Lavabit; it's a poor method that's not  
going to fare any better under anyone else's watch.  Why not just zip  
all the files up and rename the extension? That'll be 'difficult' to  
defeat too, and the plugins already exist. A rogue agent with local  
access will be able to access the mailboxes, encrypted or not. Are you  
running a FAM? Centralized SIEM? If not, they just set the debug flag  
and reload the service without you ever even knowing.

IMHO, your time is better spent creating a PGP plugin that uses public  
keys to encrypt the email contents.
Of course you lose indexing and searches.  It's just _not_ going to  
be secure if a local service can decrypt the data.

I agree the core problem is SMTP. I'd be willing to use a new email  
protocol as well, but I don't have high hopes from 'that' group.  It's  
like they've got Einstein and PT Barnum...

Rick

Quoting Stanislas SABATIER <s.sabatier at pobox.com>:

> Hi Rick,
>
> I DO want to encrypt/decrypt mails on the fly without "lying" to my
> customers.
>
>
> It's better to have encrypted mails that are difficult to decrypt than plain
> text files within plain text folders. (Yes, it would be possible to get the
> user password on the fly, but my system is not designed this way.)
>
> I agree that it's not a panacea, but it's better than no encryption at all.
> Isn't it?
>
> As soon as a new email protocol is available, I'll be the first to
> switch to it!
>
> Regards,
> Stan.
>
>
> ---------------------------------------------------------------
> Stanislas SABATIER
> s.sabatier at pobox.com
> ---------------------------------------------------------------
>
>
>
> 2013/12/13 Stanislas SABATIER <s.sabatier at pobox.com>
>
>> Is there a way to retrieve the client's password in plain text from memory?
>>
>> I don't store the password in plain text in my PostgreSQL, but I need it
>> when the client is connected to do crypto computations.
>>
>> If I write a plugin to do the job, how could I retrieve the plain text
>> password from master ?
>>
>> Thank you for your help,
>>
>> Regards,
>> Stan.
>>
>> ---------------------------------------------------------------
>> Stanislas SABATIER
>> s.sabatier at pobox.com
>> ---------------------------------------------------------------
>>
>>

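Rick's point that a rogue local admin can "set the debug flag and reload the service" without anyone noticing, as an added example that is not part of this thread or of Dovecot itself: a small audit that parses a Dovecot-style config, flags the two real Dovecot settings that make the auth process write password material to the log (`auth_debug_passwords` and `auth_verbose_passwords`), and fingerprints the significant lines of the config so a silent edit-and-reload can be compared against a stored baseline, which is the FAM/SIEM check Rick asks about. The config text and the baseline-hash approach are constructed for this example; the parser handles only the `key = value` and `name { ... }` forms shown.

```python
"""Added example, not code from the Dovecot project or from the thread:
flag password-logging settings in a Dovecot-style config and detect a
changed config against a baseline fingerprint."""
import hashlib

# Real Dovecot setting names; the predicate says which values leak password
# material into the auth log.  auth_debug_passwords=yes logs the plaintext
# password; auth_verbose_passwords=plain logs it on failures and =sha1 logs a
# crackable digest, so anything other than "no" is flagged.
RISKY = {
    "auth_debug_passwords": lambda v: v.lower() in ("yes", "true"),
    "auth_verbose_passwords": lambda v: v.lower() != "no",
}


def _significant_lines(text):
    """Yield stripped lines, skipping blank lines and whole-line comments
    (Dovecot treats '#' as a comment only at the start of a line)."""
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            yield line


def parse_dovecot_conf(text):
    """Return {section.key: value}. Sections such as 'protocol imap { ... }'
    become the prefix 'protocol/imap' so a key set inside a section is
    still recognisable by its base name."""
    settings = {}
    stack = []
    for line in _significant_lines(text):
        if line.endswith("{"):
            stack.append(line[:-1].strip().replace(" ", "/"))
        elif line == "}":
            stack.pop()
        elif "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            prefix = ".".join(stack)
            settings[f"{prefix}.{key}" if prefix else key] = value
    return settings


def find_password_leaks(settings):
    """Return sorted (key, value) pairs whose value would put password
    material in the log, wherever in the config they appear."""
    hits = []
    for key, value in settings.items():
        check = RISKY.get(key.rsplit(".", 1)[-1])
        if check and check(value):
            hits.append((key, value))
    return sorted(hits)


def config_fingerprint(text):
    """SHA-256 over the significant lines only, so adding a comment does
    not trip the baseline but changing any setting does."""
    norm = "\n".join(_significant_lines(text))
    return hashlib.sha256(norm.encode()).hexdigest()


def audit(text, baseline_fingerprint=None):
    """Run both checks; 'changed_since_baseline' is the FAM-style signal."""
    fp = config_fingerprint(text)
    return {
        "leaks": find_password_leaks(parse_dovecot_conf(text)),
        "fingerprint": fp,
        "changed_since_baseline": baseline_fingerprint is not None
        and fp != baseline_fingerprint,
    }


# Constructed sample config: the baseline, and the same file after a local
# admin appends a debug flag inside a protocol section.
BASELINE_CONF = """\
# constructed example, not a real deployment
auth_mechanisms = plain login
auth_verbose = yes
auth_verbose_passwords = no
passdb {
  driver = sql
  args = /etc/dovecot/dovecot-sql.conf.ext
}
"""
TAMPERED_CONF = BASELINE_CONF + """\
protocol imap {
  # silently added before a 'doveadm reload'
  auth_debug_passwords = yes
}
"""

if __name__ == "__main__":
    base = audit(BASELINE_CONF)
    print("baseline leaks:", base["leaks"])
    after = audit(TAMPERED_CONF, base["fingerprint"])
    print("after tamper:", after["leaks"],
          "changed:", after["changed_since_baseline"])
```

In practice the baseline fingerprint would be kept off the mail host (or shipped to the SIEM) and the audit run from a cron job or on every service reload; a fingerprint that matches the baseline only tells you the file did not change, so the leak check still has to run on the live `doveconf -n` output to catch settings pulled in through includes.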