Dovecot mail-crypt webmail can't read encrypted messages

Serveria Support support at serveria.com
Tue Oct 11 14:22:48 UTC 2022


Bingo! Great to see some like-minded person here John!

Yeah, it's such an obvious vulnerability, I'm kinda surprised most 
people here don't see an issue with that. If I were a Dovecot Pro OX 
customer, I'd be very concerned with this "feature".

Imagine hacking Protonmail's server, getting root access and seeing 
customers' password there in clear text? )))

On 2022-10-11 17:38, John Tulp wrote:

> I find this conversation "interesting".
> 
> Serveria, I think some can't see the attack scenario where the
> attacker's goal is simply to get email passwords, and nothing else. It
> would make sense for their strategy to do nothing else "bad" on the
> server to attract attention to their intrusion. In that case, all they
> would do is send back the treasure trove of passwords to their home
> server(s), and sit there, remaining possibly for years, hiding,
> exploiting the fact that dovecot, with no code modification, will allow
> them to grab email passwords. If a dovecot server has thousands of
> email accounts, that represents thousands of other devices they could
> target, which is worth much more to the attacker than a single dovecot
> server.
> 
> Oh well, food for thought.
> 
> 
> On Tue, 2022-10-11 at 15:11 +0300, Serveria Support wrote:
>> Yes, I realize that. But I can't think of a reason this password is
>> necessary in the logs. It's kind of a backdoor and has to be removed
>> from code. Why make intruder's life easier?
>> 
>> On 2022-10-11 13:39, Arjen de Korte wrote:
>> > Quoting Serveria Support <support at serveria.com>:
>> >
>> >> Yes, there is a tiny problem letting the attacker change this value
>> >> back to yes and instantly get access to users' passwords in plain
>> >> text. Apart from that - no problems at all. :)
>> >
>> > If an attacker is able to modify your Dovecot configuration, you have
>> > bigger problems than leaking your users' password. Much bigger...
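The thread argues over a single configuration value that, when flipped to "yes", makes Dovecot write users' passwords into its logs, and over whether a defender should treat that as acceptable. The following is an added example, not code from the thread or from the Dovecot project: a small audit script that parses `doveconf -n` output and flags the settings that put credentials into log output. It assumes that the unnamed "value" under discussion is Dovecot's `auth_debug_passwords` setting, and it also checks its close relative `auth_verbose_passwords`; the sample configuration it runs on is constructed for the example.

```python
"""Audit a Dovecot configuration dump for settings that write user passwords
into the logs.

Added example for this thread, not part of Dovecot.  Assumption: the setting
the thread talks about is auth_debug_passwords; auth_verbose_passwords is
checked too.  Input is expected in the format printed by `doveconf -n`."""

import re
from dataclasses import dataclass

# Constructed sample in doveconf -n format: one cleartext-logging setting, one
# hashed-logging setting and some unrelated mail-crypt settings as noise.
SAMPLE_DOVECONF = """\
# 2.3.x: /etc/dovecot/dovecot.conf
auth_debug_passwords = yes
auth_mechanisms = plain login
auth_verbose_passwords = sha1:6
mail_location = maildir:~/Maildir
passdb {
  driver = pam
}
plugin {
  mail_crypt_curve = secp521r1
  mail_crypt_save_version = 2
}
service auth {
  unix_listener auth-userdb {
    mode = 0600
  }
}
"""

_BLOCK_OPEN = re.compile(r"^(?P<name>[^{#=]+?)\s*\{$")
_ASSIGN = re.compile(r"^(?P<key>[A-Za-z0-9_]+)\s*=\s*(?P<value>.*)$")


def parse_doveconf(text):
    """Flatten doveconf -n output into {"section/sub/key": value}.

    Nested blocks (`passdb {`, `service auth {`) become path prefixes joined
    with '/', so top-level settings keep their plain name.  A block header
    with a name part ("service auth") is stored as "service:auth"."""
    settings = {}
    stack = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "}":
            if not stack:
                raise ValueError("unbalanced '}' in config")
            stack.pop()
            continue
        m = _BLOCK_OPEN.match(line)
        if m:
            stack.append(m.group("name").strip().replace(" ", ":"))
            continue
        m = _ASSIGN.match(line)
        if m:
            path = "/".join(stack + [m.group("key")])
            settings[path] = m.group("value").strip()
            continue
        raise ValueError(f"unrecognised line: {raw!r}")
    if stack:
        raise ValueError("unclosed block(s): " + ", ".join(stack))
    return settings


@dataclass(frozen=True)
class Finding:
    setting: str
    value: str
    severity: str
    reason: str


def audit_password_logging(settings):
    """Return findings for top-level settings that put credentials into logs."""
    findings = []
    v = settings.get("auth_debug_passwords", "no").lower()
    if v == "yes":
        findings.append(Finding("auth_debug_passwords", v, "high",
                                "cleartext passwords are written to the auth log"))
    v = settings.get("auth_verbose_passwords", "no").lower()
    base = v.split(":", 1)[0]   # "sha1:6" -> "sha1" (the suffix only truncates)
    if base == "plain":
        findings.append(Finding("auth_verbose_passwords", v, "high",
                                "cleartext passwords are logged on auth failure"))
    elif base == "sha1":
        findings.append(Finding("auth_verbose_passwords", v, "medium",
                                "password hashes are logged on auth failure"))
    return findings


if __name__ == "__main__":
    for f in audit_password_logging(parse_doveconf(SAMPLE_DOVECONF)):
        print(f"[{f.severity}] {f.setting} = {f.value}: {f.reason}")
```

Run against a live host with `doveconf -n | python3 audit_doveconf.py` after swapping the constructed sample for `sys.stdin.read()`; a clean result means neither setting is on, which is the state the thread wants enforced, and running the check from a scheduled job or a configuration-management test turns a silent "yes" into an alert rather than a long-lived leak.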

