Stanislas SABATIER
2013-Dec-13 14:37 UTC
[Dovecot] Accessing plain text password from memory
Is there a way to retrieve the client's password in plain text from memory?

I don't store the password in plain text in my PostgreSQL but I need it when the client is connected to make crypto computation.

If I write a plugin to do the job, how could I retrieve the plain text password from master?

Thank you for your help,

Regards,
Stan.

---------------------------------------------------------------
Stanislas SABATIER
s.sabatier at pobox.com
---------------------------------------------------------------
Alan McGinlay - SICS
2013-Dec-13 14:46 UTC
[Dovecot] Accessing plain text password from memory
On 2013-12-13 15:37, Stanislas SABATIER wrote:
> Is there a way to retrieve the client's password in plain text from
> memory?
>
> I don't store the password in plain text in my PostgreSQL but I need
> it when the client is connected to make crypto computation.
>
> If I write a plugin to do the job, how could I retrieve the plain text
> password from master?
>
> Thank you for your help,
>
> Regards,
> Stan.
>
> ---------------------------------------------------------------
> Stanislas SABATIER
> s.sabatier at pobox.com
> ---------------------------------------------------------------

If you enable auth_debug you can also enable auth_debug_passwords and that will show the plaintext password in the logfile when the user connects. I can't say I would recommend it though.

/A

On 13.12.2013, at 16.37, Stanislas SABATIER <s.sabatier at pobox.com> wrote:
> Is there a way to retrieve the client's password in plain text from memory?
>
> I don't store the password in plain text in my PostgreSQL but I need it
> when the client is connected to make crypto computation.
>
> If I write a plugin to do the job, how could I retrieve the plain text
> password from master?

Assuming you're using passdb sql and userdb prefetch and you want to access the password in imap/pop3/etc process, you can do:

    password_query = '%w' as userdb_password, ...

Then the password will be available the same way as plugin { password } would be available (mail_user_plugin_getenv()).

You could also write a passdb plugin, where you could access the password directly from auth_request->mech_password.

Quoting Stanislas SABATIER <s.sabatier at pobox.com>:
> Is there a way to retrieve the client's password in plain text from memory?
>
> I don't store the password in plain text in my PostgreSQL but I need it
> when the client is connected to make crypto computation.

Hi Stan,

I hope you're not trying to copy Lavabit. Saying you don't have access to mailbox contents on your own equipment would be a flat out lie.

1. You have the password in memory. Simply set the debug flags and you can retrieve the password, as Lavabit did, to decrypt the mailbox. Their claim of 'our policy is not to run in debug mode, therefore we can't access your data' is not actually a form of security.

2. SMTP is in plain text. After the existing mail is read, any incoming or outgoing mail is easily CC'd to a 'monitoring' mailbox based on SMTP Auth or RCPT TO.

If it's not mailbox encryption, sorry (you have no idea how much I detest that Lavabit guy for his lies), but if it is then it's nothing more than a programming exercise.

Rick
Stanislas SABATIER
2013-Dec-13 16:32 UTC
[Dovecot] Accessing plain text password from memory
Hi Rick,

I DO want to encrypt/decrypt mails on the fly without "lying" to my customers.

It's better to have encrypted mails that are difficult to decrypt than plain text files within plain text folders. (Yes, it would be possible to get the user password on the fly, but my system is not designed this way.)

I agree that it's not a panacea, but it's better than no encryption at all. Isn't it?

As soon as a new email protocol is available, I'll be the first to switch to it!

Regards,
Stan.

---------------------------------------------------------------
Stanislas SABATIER
s.sabatier at pobox.com
---------------------------------------------------------------

2013/12/13 Stanislas SABATIER <s.sabatier at pobox.com>
> Is there a way to retrieve the client's password in plain text from memory?
>
> I don't store the password in plain text in my PostgreSQL but I need it
> when the client is connected to make crypto computation.
>
> If I write a plugin to do the job, how could I retrieve the plain text
> password from master?
>
> Thank you for your help,
>
> Regards,
> Stan.
>
> ---------------------------------------------------------------
> Stanislas SABATIER
> s.sabatier at pobox.com
> ---------------------------------------------------------------
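
A defender-side check for the two exposure paths raised in this thread (auth_debug_passwords logging and '%w' returned as a userdb_ field), as an added example that is not from any poster or from the Dovecot project. The sample configuration is constructed, the function names are hypothetical, and auth_verbose_passwords is a Dovecot setting the thread does not mention.

```python
import re

# auth_debug_passwords and '%w' come from the thread; auth_verbose_passwords is
# a related Dovecot setting added here as an assumption about what to audit.
RISKY_VALUES = {"auth_debug_passwords": {"yes"}, "auth_verbose_passwords": {"plain"}}

def parse_settings(text):
    """Yield (line_no, key, value) from Dovecot-style 'key = value' text."""
    pending, start = "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not pending:
            if not line or line.startswith("#"):
                continue
            start = no
        if line.endswith("\\"):  # a trailing backslash continues the value
            pending += line[:-1] + " "
            continue
        full, pending = pending + line, ""
        key, sep, value = full.partition("=")
        if sep:  # block openers such as "passdb {" carry no setting
            yield start, key.strip(), " ".join(value.split())

def audit(text):
    """Return (line_no, key, reason) for each setting that exposes passwords."""
    findings = []
    for no, key, value in parse_settings(text):
        if value.lower() in RISKY_VALUES.get(key, ()):
            findings.append((no, key, "plaintext passwords written to the log"))
        if key == "password_query":
            # '%w' is the plaintext password; returned as a userdb_* field it
            # reaches the imap/pop3 process and every plugin loaded there.
            for field in re.findall(r"'?%w'?\s+as\s+(userdb_\w+)", value, re.I):
                findings.append((no, key, "plaintext password exported as " + field))
    return findings

# Constructed sample: dovecot.conf lines followed by dovecot-sql.conf.ext lines.
SAMPLE = """\
auth_debug = yes
auth_debug_passwords = yes
# auth_verbose_passwords = plain
password_query = SELECT password, '%w' AS userdb_password \\
  FROM users WHERE userid = '%u'
"""

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

Feed it the text of the live configuration files; each finding names the first line of the offending setting.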