[Dovecot] Detail improvement: %c variable
Hadmut Danisch
hadmut at danisch.de
Sun Feb 23 23:23:54 UTC 2014

On Sun, Feb 23, 2014 at 11:37:55PM +0100, Reindl Harald wrote:
>
> what headache?

The one I've described.

>
> how do you imagine a man-in-the-middle-attack on 127.0.0.1

You're confusing the different attacks. This has nothing to do with a
man-in-the-middle. This is against a passive eavesdropper,
e.g. someone watching people entering the password at a web interface,
or a keylogger on an unreliable computer.

> > Please add a configuration variable to configure, whether %c
> > should become "secured" for unencrypted traffic on the loopback
> > device (localhost)
>
> to gain exactly what?

to gain different LDAP filter strings for IMAP requests coming from
outside encrypted with SSL/TLS and unencrypted IMAP requests on
localhost.

> frankly for practical usage epect debugging even a fallback to
> no encryption at all on loopback would be sane and for the
> sake of reduce useless overhead fine

It is never a good idea to lower security in favor of easy
debugging. That's why I propose a switch to turn this behaviour on and
off.

Hadmut