Dovecot mail-crypt webmail can't read encrypted messages

Odhiambo Washington odhiambo at gmail.com
Tue Oct 11 14:58:05 UTC 2022


@Tulp - the attacker has to 0wn your server first. In which case they
will have found a password to SSH in - regardless of dovecot being there or
not.
You will be dealing with a bigger problem than dovecot.


On Tue, Oct 11, 2022 at 5:39 PM John Tulp <johntulp at tulpholdings.com> wrote:

> I find this conversation "interesting".
>
> Serveria, I think some can't see the attack scenario where the
> attacker's goal is simply to get email passwords, and nothing else.  It
> would make sense for their strategy to do nothing else "bad" on the
> server to attract attention to their intrusion.  In that case, all they
> would do is send back the treasure trove of passwords to their home
> server(s), and sit there, remaining possibly for years, hiding,
> exploiting the fact that dovecot, with no code modification, will allow
> them to grab email passwords.  If a dovecot server has thousands of
> email accounts, that represents thousands of other devices they could
> target, which is worth much more to the attacker than a single dovecot
> server.
>
> Oh well, food for thought.
>
>
> On Tue, 2022-10-11 at 15:11 +0300, Serveria Support wrote:
> > Yes, I realize that. But I can't think of a reason this password is
> > necessary in the logs. It's kind of a backdoor and has to be removed
> > from the code. Why make an intruder's life easier?
> >
> > On 2022-10-11 13:39, Arjen de Korte wrote:
> > > Quoting Serveria Support <support at serveria.com>:
> > >
> > >> Yes, there is a tiny problem letting the attacker change this value
> > >> back to yes and instantly get access to users' passwords in plain
> > >> text. Apart from that - no problems at all. :)
> > >
> > > If an attacker is able to modify your Dovecot configuration, you have
> > > bigger problems than leaking your users' password. Much bigger...
>
>

-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft.", egrep -v '^$|^.*#' ¯\_(ツ)_/¯ :-)