Dovecot mail-crypt webmail can't read encrypted messages
George Asenov
george.asenov at wpx.net
Mon Oct 10 07:52:14 UTC 2022
Dovecot is open source, so you can download the source, edit the log format
to remove the passwords, and compile it.
On 09-Oct-22 8:47 PM, Serveria Support wrote:
> Like I've already mentioned in my reply to Aki, I generally agree, but
> many of these methods require much time and expertise some bad guys
> don't have. You can also bruteforce the passwords but it can take years.
> With passwords showing in logs all they need to do is make a few clicks
> and enable auth logging. In most cases the attacker is really short on
> time and needs to act fast, before he is detected and locked out of the
> system.
>
> On 2022-10-09 19:10, Bernardo Reino wrote:
>> On Sun, 9 Oct 2022, Serveria Support wrote:
>>
>>> So this means passwords cannot be masked/hidden in the logs? You
>>> realize that it actually defeats the whole idea of encrypted storage?
>>> It's useless. I can think of lots of scenarios: malicious system
>>> administrator reading users' mails and blackmailing them or selling
>>> their business secrets to competitors, corrupt law enforcement in
>>> some countries getting rid of political or business opponents by
>>> disclosing the contents of their mails and I can go on and on and
>>> on... There is no such thing as semi-privacy. Privacy is either there
>>> or it's not.
>>
>> If your attack scenario includes somebody owning your server, nothing
>> prevents them from compiling/installing a custom version of dovecot
>> (or any other tool you may be using, like PAM, etc.) which dumps the
>> passwords in clear text to a suitable file, pipe, or socket.
>>
>> So good luck with that requirement..
>>
>> Cheers,
>> Bernardo
>
--
Warm regards
George A.
WPXHosting