[Dovecot] checkpassword protocol

Heiko Schlichting dovecot-l at fu-berlin.de
Mon Apr 8 10:00:48 EEST 2013


> Hmm. The AUTH_PASSWORD wasn't really an intentional addition .. but
> I guess it can stay there. Some 10 years ago that might not have been
> such a good idea since there were still some systems where process
> environment variables were readable to all users in the system, but
> I doubt there exist such systems anymore (at least where people would
> want to run Dovecot).

Very optimistic assumption. Wouldn't it be safer to remove the password
from the environment? Anyone using checkpassword should use FD 3 and 4 for
this purpose. Environment variables and command line arguments are not safe
to transport passwords.

Heiko

Heiko Schlichting                Freie Universität Berlin
heiko.schlichting at fu-berlin.de   Zentraleinrichtung für Datenverarbeitung
Telefon +49 30 838-54327         Fabeckstraße 32
Telefax +49 30 838454327         14195 Berlin
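The fd 3 / fd 4 handoff recommended above, as an added example (it is not part of the original message and not Dovecot's own code). It assumes the classic checkpassword wire format on fd 3, `username\0password\0timestamp\0`, and, for illustration only, a NUL-separated `key=value` reply on fd 4 plus exit status 0 for accepted, 1 for rejected and 2 for a malformed request; the helper is a stand-in Python script with a constructed credential table, and `run_checkpassword` is a name chosen here. The point the code makes is that argv and the environment of the helper carry nothing secret, so nothing readable through `ps` or `/proc` leaks the password.

```python
import fcntl
import os
import sys

# Stand-in for a checkpassword helper.  It holds a constructed credential table
# (not from any real system) and talks only over fd 3 and fd 4.
HELPER_SOURCE = r'''
import os, sys
USERS = {"alice": "correct horse battery", "bob": "hunter2"}
with os.fdopen(3, "rb") as creds:            # the secret arrives on fd 3 only
    fields = creds.read().split(b"\0")
if len(fields) < 3:                          # expect username\0password\0timestamp\0
    sys.exit(2)                              # assumed convention: 2 = called incorrectly
user, password = fields[0].decode(), fields[1].decode()
ok = USERS.get(user) == password
with os.fdopen(4, "wb") as reply:            # extra fields go back on fd 4
    if ok:
        reply.write(b"userdb_user=" + user.encode() + b"\0userdb_uid=1000\0")
sys.exit(0 if ok else 1)                     # assumed convention: 0 = accepted, 1 = rejected
'''


def run_checkpassword(user: str, password: str) -> tuple[int, dict]:
    """Fork/exec the helper with the credentials on fd 3; return (exit status, reply fields)."""
    if b"\0" in user.encode() or b"\0" in password.encode():
        raise ValueError("NUL-separated format cannot carry a NUL byte")
    creds_r, creds_w = os.pipe()    # parent -> helper
    reply_r, reply_w = os.pipe()    # helper -> parent
    pid = os.fork()
    if pid == 0:
        # Child: wire the pipe ends to exactly fd 3 and fd 4, then exec the helper.
        os.close(creds_w)
        os.close(reply_r)
        # Park both ends at fds >= 10 first so neither dup2 can clobber the other
        # (os.pipe may already have handed us 3 or 4).
        hi_r = fcntl.fcntl(creds_r, fcntl.F_DUPFD, 10)
        hi_w = fcntl.fcntl(reply_w, fcntl.F_DUPFD, 10)
        os.dup2(hi_r, 3)                     # dup2 makes the target inheritable across exec
        os.dup2(hi_w, 4)
        for fd in (creds_r, reply_w, hi_r, hi_w):
            if fd not in (3, 4):
                os.close(fd)
        try:
            # argv and environment deliberately carry nothing secret: anyone who can
            # read this process's cmdline or environ learns no password.
            os.execve(sys.executable,
                      [sys.executable, "-c", HELPER_SOURCE],
                      {"PATH": os.environ.get("PATH", "/usr/bin:/bin")})
        finally:
            os._exit(127)
    # Parent: send the credentials, close our write end so the helper sees EOF,
    # then collect the reply and the exit status.
    os.close(creds_r)
    os.close(reply_w)
    with os.fdopen(creds_w, "wb") as out:
        out.write(user.encode() + b"\0" + password.encode() + b"\0" + b"\0")
    with os.fdopen(reply_r, "rb") as back:
        raw = back.read()
    _, status = os.waitpid(pid, 0)
    reply = {}
    for item in raw.split(b"\0"):
        if item:
            key, _, value = item.partition(b"=")
            reply[key.decode()] = value.decode()
    return os.waitstatus_to_exitcode(status), reply


if __name__ == "__main__":
    print(run_checkpassword("alice", "correct horse battery"))
    print(run_checkpassword("alice", "wrong"))
```

The parent writes the credentials and closes its end before reading, and the helper reads fd 3 to EOF before answering, so the exchange cannot deadlock for payloads smaller than the pipe buffer. One caveat the format itself imposes: because fields are NUL-separated, a password containing a NUL byte cannot be transported this way, which is why the parent rejects it up front rather than silently truncating.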

