Dovecot mail-crypt webmail can't read encrypted messages
John Stoffel
john at stoffel.org
Wed Oct 12 00:55:53 UTC 2022
>>>>> "Serveria" == Serveria Support <support at serveria.com> writes:
> Yes, there is a tiny problem letting the attacker change this value back
> to yes and instantly get access to users' passwords in plain text. Apart
> from that - no problems at all. :)
Honestly, if the attacker has penetrated you to such an extent, then
you're toast anyway, because they can just attach to the dovecot
process with 'gdb' and dump the data directly as well.
Encryption is not a magic solution here, and there's no real way to
secure the system so well that once an attacker can modify files and
restart processes they are blocked. Because they honestly look like
an Admin doing work on the system.
> On 2022-10-11 12:15, Benny Pedersen wrote:
>> Serveria Support wrote on 2022-10-11 10:37:
>>> Thanks, but I suspect you've missed a part of this discussion
>>
>> If you set all to no, is there any problem to solve?
>>
>> I am only human, not perfect
>>
>>>
>>> On 2022-10-11 01:25, Benny Pedersen wrote:
>>>> Serveria Support wrote on 2022-10-10 23:18:
>>>>> Hi Benny,
>>>>>
>>>>> Sorry I must have missed your email. Here's the output of
>>>>> doveconf -P | grep auth:
>>>>>
>>>>> doveconf: Warning: NOTE: You can get a new clean config file with:
>>>>> doveconf -Pn > dovecot-new.conf
>>>>> doveconf: Warning: Obsolete setting in /etc/dovecot/dovecot.conf:25:
>>>>> 'imaps' protocol is no longer necessary, remove it
>>>>
>>>> remove imaps in protocol as it says
>>>>
>>>>> auth_debug = yes
>>>>> auth_debug_passwords = yes
>>>>> auth_verbose = yes
>>>>> auth_verbose_passwords = yes
>>>>
>>>> change yes to no
>>>>
>>>> problem solved imho :)
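
Added example, not part of the original thread or of Dovecot: a shell function that reads doveconf output and flags the password-logging settings shown in the quoted configuration, so a monitoring job can notice if they are switched back on. The function names and both sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit doveconf output for auth
# settings that write passwords to the logs. Function names are hypothetical.
# Usage on a live host (assumes doveconf is in PATH):
#   doveconf -n | audit_auth_logging || echo "password logging is enabled"

# Reads "key = value" lines on stdin, prints findings, returns 1 on any RISK.
audit_auth_logging() {
    awk -F'[ \t]*=[ \t]*' '
        BEGIN { bad = 0 }
        # Skip the "doveconf: Warning: ..." lines mixed into the output.
        /^doveconf:/ { next }
        # Drop trailing whitespace or CR so values compare exactly.
        { sub(/[ \t\r]+$/, "") }
        $1 == "auth_debug_passwords" && $2 == "yes" {
            print "RISK auth_debug_passwords=yes: passwords are written to the debug log"
            bad = 1
        }
        # Anything other than "no" logs the attempted password, plain or hashed.
        $1 == "auth_verbose_passwords" && $2 != "no" {
            print "RISK auth_verbose_passwords=" $2 ": failed-login passwords are logged"
            bad = 1
        }
        $1 == "auth_debug" && $2 == "yes" {
            print "NOTE auth_debug=yes: verbose auth debugging is on"
        }
        END { exit bad }
    '
}

# Constructed sample: the settings as quoted in the thread.
sample_risky() {
cat <<'EOF'
doveconf: Warning: Obsolete setting in /etc/dovecot/dovecot.conf:25: 'imaps' protocol is no longer necessary, remove it
auth_debug = yes
auth_debug_passwords = yes
auth_verbose = yes
auth_verbose_passwords = yes
EOF
}

# Constructed sample: the same settings after "change yes to no".
sample_clean() {
    printf '%s\n' 'auth_debug = no' 'auth_debug_passwords = no' \
        'auth_verbose = no' 'auth_verbose_passwords = no'
}
```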