[Dovecot] Detail improvement: %c variable

Hadmut Danisch hadmut at danisch.de
Sun Feb 23 23:23:54 UTC 2014


On Sun, Feb 23, 2014 at 11:37:55PM +0100, Reindl Harald wrote:
> 
> what headache?


The one I've described. 


> 
> how do you imagine a man-in-the-middle-attack on 127.0.0.1


You're confusing the different attacks. This has nothing to do with a
man-in-the-middle. This is against a passive eavesdropper,
e.g. someone watching people entering the password at a web interface,
or a keylogger on an unreliable computer. 




> > Please add a configuration variable to configure whether %c
> > should become "secured" for unencrypted traffic on the loopback
> > device (localhost)
> 
> to gain exactly what?

to gain different LDAP filter strings for IMAP requests coming from
outside encrypted with SSL/TLS and unencrypted IMAP requests on
localhost. 





> frankly for practical usage epect debugging even a fallback to
> no encryption at all on loopback would be sane and for the
> sake of reduce useless overhead fine

It is never a good idea to lower security in favor of easy
debugging. That's why I propose a switch to turn this behaviour on and
off. 


Hadmut
 



