Dovecot mail-crypt webmail can't read encrypted messages
Bernardo Reino
reinob at bbmk.org
Sun Oct 9 16:10:27 UTC 2022
On Sun, 9 Oct 2022, Serveria Support wrote:
> So this means passwords cannot be masked/hidden in the logs? You realize that
> it actually defeats the whole idea of encrypted storage? It's useless. I can
> think of lots of scenarios: malicious system administrator reading users'
> mails and blackmailing them or selling their business secrets to competitors,
> corrupt law enforcement in some countries getting rid of political or
> business opponents by disclosing the contents of their mails and I can go on
> and on and on... There is no such thing as semi-privacy. Privacy is either
> there or it's not.
If your attack scenario includes somebody owning your server, nothing prevents
them from compiling/installing a custom version of dovecot (or any other tool
you may be using, like PAM, etc.) which dumps the passwords in clear text to a
suitable file, pipe, or socket.

So good luck with that requirement..

Cheers,
Bernardo