Dovecot mail-crypt webmail can't read encrypted messages
Serveria Support
support at serveria.com
Mon Oct 10 18:05:25 UTC 2022
I checked the source code on GitHub and discussed this with a C
developer. There seem to be too many files... perhaps somebody can guide
me where I should look? Aki?
On 2022-10-10 11:03, Serveria Support wrote:
> Hi, thanks, this sounds like a great idea! Will try this and let you
> guys know...
>
> On 2022-10-10 10:52, George Asenov wrote:
>> Dovecot is open source, so you can download the source, edit the log
>> format, removing the passwords, and compile it.
>>
>> On 09-Oct-22 8:47 PM, Serveria Support wrote:
>>> Like I've already mentioned in my reply to Aki, I generally agree,
>>> but many of these methods require much time and expertise some bad
>>> guys don't have. You can also brute-force the passwords but it can
>>> take years. With passwords showing in logs all they need to do is
>>> make a few clicks and enable auth logging. In most cases the attacker
>>> is really short on time and needs to act fast, before he is detected
>>> and locked out of the system.
>>>
>>> On 2022-10-09 19:10, Bernardo Reino wrote:
>>>> On Sun, 9 Oct 2022, Serveria Support wrote:
>>>>
>>>>> So this means passwords cannot be masked/hidden in the logs? You
>>>>> realize that it actually defeats the whole idea of encrypted
>>>>> storage? It's useless. I can think of lots of scenarios: malicious
>>>>> system administrator reading users' mails and blackmailing them or
>>>>> selling their business secrets to competitors, corrupt law
>>>>> enforcement in some countries getting rid of political or business
>>>>> opponents by disclosing the contents of their mails and I can go on
>>>>> and on and on... There is no such thing as semi-privacy. Privacy is
>>>>> either there or it's not.
>>>>
>>>> If your attack scenario includes somebody owning your server, nothing
>>>> prevents them from compiling/installing a custom version of dovecot
>>>> (or any other tool you may be using, like PAM, etc.) which dumps the
>>>> passwords in clear text to a suitable file, pipe, or socket.
>>>>
>>>> So good luck with that requirement..
>>>>
>>>> Cheers,
>>>> Bernardo
>>>