Dovecot mail-crypt webmail can't read encrypted messages

Serveria Support support at serveria.com
Mon Oct 10 18:05:25 UTC 2022


I checked the source code on GitHub and discussed this with a C 
developer. There seem to be too many files... perhaps somebody can guide 
me where I should look? Aki?

On 2022-10-10 11:03, Serveria Support wrote:
> Hi, thanks, this sounds like a great idea! Will try this and let you
> guys know...
> 
> On 2022-10-10 10:52, George Asenov wrote:
>> Dovecot is open source so you can download the source, edit the log format
>> removing the passwords, and compile it.
>> 
>> On 09-Oct-22 8:47 PM, Serveria Support wrote:
>>> Like I've already mentioned in my reply to Aki, I generally agree, 
>>> but many of these methods require much time and expertise some bad 
>>> guys don't have. You can also brute-force the passwords but it can 
>>> take years. With passwords showing in logs all they need to do is 
>>> make a few clicks and enable auth logging. In most cases the attacker 
>>> is really short on time and needs to act fast, before he is detected 
>>> and locked out of the system.
>>> 
>>> On 2022-10-09 19:10, Bernardo Reino wrote:
>>>> On Sun, 9 Oct 2022, Serveria Support wrote:
>>>> 
>>>>> So this means passwords cannot be masked/hidden in the logs? You 
>>>>> realize that it actually defeats the whole idea of encrypted 
>>>>> storage? It's useless. I can think of lots of scenarios: malicious 
>>>>> system administrator reading users' mails and blackmailing them or 
>>>>> selling their business secrets to competitors, corrupt law 
>>>>> enforcement in some countries getting rid of political or business 
>>>>> opponents by disclosing the contents of their mails and I can go on 
>>>>> and on and on... There is no such thing as semi-privacy. Privacy is 
>>>>> either there or it's not.
>>>> 
>>>> If your attack scenario includes somebody owning your server, nothing
>>>> prevents them from compiling/installing a custom version of dovecot
>>>> (or any other tool you may be using, like PAM, etc.) which dumps the
>>>> passwords in clear text to a suitable file, pipe, or socket.
>>>> 
>>>> So good luck with that requirement..
>>>> 
>>>> Cheers,
>>>> Bernardo
>>> 
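
Added example, not part of the thread: a check an operator can run over `doveconf -n` output to see whether password logging is switched on, so that a changed setting gets noticed. It assumes the Dovecot settings `auth_debug_passwords` and `auth_verbose_passwords` (not named in the thread); the sample configuration is constructed.

```python
import re

# Dovecot settings that control password logging. Both default to "no",
# and `doveconf -n` prints only settings changed from their defaults.
PASSWORD_LOG_SETTINGS = {
    "auth_debug_passwords": "logs passwords and scheme on mismatches",
    "auth_verbose_passwords": "logs the attempted password on mismatches",
}
SETTING_RE = re.compile(r"^([A-Za-z0-9_]+)\s*=\s*(.*)$")


def audit_password_logging(conf_text):
    """Return {setting: value} for each password-logging setting not 'no'."""
    findings = {}
    depth = 0  # nesting level inside "name { ... }" sections
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        if line.endswith("{"):
            depth += 1
        elif line == "}":
            depth -= 1
        elif depth == 0:  # the auth_* settings are global, not per-section
            m = SETTING_RE.match(line)
            if m and m.group(1) in PASSWORD_LOG_SETTINGS:
                value = m.group(2).strip().lower()
                if value == "no":
                    findings.pop(m.group(1), None)  # later "no" wins
                else:
                    findings[m.group(1)] = value
    return findings


# Constructed sample in the style of `doveconf -n` output.
SAMPLE_DOVECONF = """\
# constructed sample, not from a real server
auth_debug = yes
auth_debug_passwords = yes
auth_verbose_passwords = plain:8
service auth {
  unix_listener auth-userdb {
    mode = 0600
  }
}
"""

if __name__ == "__main__":
    for key, value in audit_password_logging(SAMPLE_DOVECONF).items():
        print(f"{key} = {value}: {PASSWORD_LOG_SETTINGS[key]}")
```

Running this from a scheduled job against live `doveconf -n` output and alerting on any non-empty result turns a quiet change to auth logging into a visible event.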

