Dovecot mail-crypt webmail can't read encrypted messages
Serveria Support
support at serveria.com
Tue Oct 11 12:11:09 UTC 2022
Yes, I realize that. But I can't think of a reason this password is
necessary in the logs. It's kind of a backdoor and has to be removed
from code. Why make intruder's life easier?
On 2022-10-11 13:39, Arjen de Korte wrote:
> Citeren Serveria Support <support at serveria.com>:
>
>> Yes, there is a tiny problem letting the attacker change this value
>> back to yes and instantly get access to users' passwords in plain
>> text. Apart from that - no problems at all. :)
>
> If an attacker is able to modify your Dovecot configuration, you have
> bigger problems than leaking your users' password. Much bigger...
More information about the dovecot
mailing list