Dovecot mail-crypt webmail can't read encrypted messages

Odhiambo Washington odhiambo at gmail.com
Tue Oct 11 13:49:28 UTC 2022


If you don't store cleartext passwords in your backend, how will an
intruder get them??


On Tue, Oct 11, 2022 at 3:45 PM Serveria Support <support at serveria.com>
wrote:

> Yes, I realize that. But I can't think of a reason this password is
> necessary in the logs. It's kind of a backdoor and has to be removed
> from code. Why make an intruder's life easier?
>
> On 2022-10-11 13:39, Arjen de Korte wrote:
> > Quoting Serveria Support <support at serveria.com>:
> >
> >> Yes, there is a tiny problem letting the attacker change this value
> >> back to yes and instantly get access to users' passwords in plain
> >> text. Apart from that - no problems at all. :)
> >
> > If an attacker is able to modify your Dovecot configuration, you have
> > bigger problems than leaking your users' password. Much bigger...
>


-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft.", egrep -v '^$|^.*#' ¯\_(ツ)_/¯ :-)