Dovecot mail-crypt webmail can't read encrypted messages
Serveria Support
support at serveria.com
Mon Oct 10 08:03:28 UTC 2022
Hi, thanks, this sounds like a great idea! Will try this and let you
guys know...
On 2022-10-10 10:52, George Asenov wrote:
> Dovecot is open source, so you can download the source, edit the log
> format, removing the passwords, and compile it.
>
> On 09-Oct-22 8:47 PM, Serveria Support wrote:
>> Like I've already mentioned in my reply to Aki, I generally agree, but
>> many of these methods require much time and expertise some bad guys
>> don't have. You can also brute-force the passwords but it can take
>> years. With passwords showing in logs all they need to do is make a
>> few clicks and enable auth logging. In most cases the attacker is
>> really short on time and needs to act fast, before he is detected and
>> locked out of the system.
>>
>> On 2022-10-09 19:10, Bernardo Reino wrote:
>>> On Sun, 9 Oct 2022, Serveria Support wrote:
>>>
>>>> So this means passwords cannot be masked/hidden in the logs? You
>>>> realize that it actually defeats the whole idea of encrypted
>>>> storage? It's useless. I can think of lots of scenarios: malicious
>>>> system administrator reading users' mails and blackmailing them or
>>>> selling their business secrets to competitors, corrupt law
>>>> enforcement in some countries getting rid of political or business
>>>> opponents by disclosing the contents of their mails and I can go on
>>>> and on and on... There is no such thing as semi-privacy. Privacy is
>>>> either there or it's not.
>>>
>>> If your attack scenario includes somebody owning your server, nothing
>>> prevents them from compiling/installing a custom version of dovecot
>>> (or any other tool you may be using, like PAM, etc.) which dumps the
>>> passwords in clear text to a suitable file, pipe, or socket.
>>>
>>> So good luck with that requirement..
>>>
>>> Cheers,
>>> Bernardo
>>
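
A check related to the concern raised in this thread, added here as an example (it is not code from any of the posters or from the Dovecot project): it scans configuration text shaped like `doveconf -n` output for the two Dovecot settings that write password material to the auth log, `auth_debug_passwords` and `auth_verbose_passwords`. The sample configuration and the function name are constructed for illustration.

```python
import re

# Dovecot settings that put password material into the auth log.
# Both default to "no"; any other value is reported.
RISKY = ("auth_debug_passwords", "auth_verbose_passwords")

SETTING_RE = re.compile(r"^\s*([a-z_]+)\s*=\s*(.*?)\s*$")

# Constructed sample, shaped like `doveconf -n` output.
SAMPLE = """\
# constructed sample configuration
auth_debug = yes
auth_debug_passwords = yes
auth_verbose = yes
auth_verbose_passwords = sha1:6
mail_plugins = " mail_crypt"
"""

def password_logging_findings(conf_text):
    """Return (line_no, setting, value, exposure) for each risky line.

    exposure is "hash" when only a (possibly truncated) SHA1 of the
    attempted password is logged, otherwise "cleartext".
    """
    findings = []
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0]          # drop comments
        match = SETTING_RE.match(line)
        if not match:
            continue                          # section braces, blanks
        key, value = match.group(1), match.group(2).lower()
        if key not in RISKY or value == "no":
            continue
        if key == "auth_verbose_passwords" and value.startswith("sha1"):
            exposure = "hash"
        else:
            # yes, plain and plain:N all log readable password text
            exposure = "cleartext"
        findings.append((line_no, key, value, exposure))
    return findings

if __name__ == "__main__":
    for line_no, key, value, exposure in password_logging_findings(SAMPLE):
        print(f"line {line_no}: {key} = {value} ({exposure} in auth log)")
```

Running it against the effective configuration on a schedule, and alerting on any finding, turns an unexpected switch to password logging into a detectable event.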