Serveria Support
2022-Oct-11 08:44 UTC
Dovecot mail-crypt webmail can't read encrypted messages
Yes, there is a tiny problem letting the attacker change this value back to yes and instantly get access to users' passwords in plain text. Apart from that - no problems at all. :)

On 2022-10-11 12:15, Benny Pedersen wrote:
> Serveria Support wrote on 2022-10-11 10:37:
>> Thanks, but I suspect you've missed a part of this discussion
>
> if you set all to no, is there any problem to solve ?
>
> i am only human, not perfect
>
>>
>> On 2022-10-11 01:25, Benny Pedersen wrote:
>>> Serveria Support wrote on 2022-10-10 23:18:
>>>> Hi Benny,
>>>>
>>>> Sorry I must have missed your email. Here's the output of doveconf
>>>> -P
>>>> | grep auth:
>>>>
>>>> doveconf: Warning: NOTE: You can get a new clean config file with:
>>>> doveconf -Pn > dovecot-new.conf
>>>> doveconf: Warning: Obsolete setting in /etc/dovecot/dovecot.conf:25:
>>>> 'imaps' protocol is no longer necessary, remove it
>>>
>>> remove imaps in protocol as it says
>>>
>>>> auth_debug = yes
>>>> auth_debug_passwords = yes
>>>> auth_verbose = yes
>>>> auth_verbose_passwords = yes
>>>
>>> change yes to no
>>>
>>> problem solved imho :)
Benny Pedersen
2022-Oct-11 09:24 UTC
Dovecot mail-crypt webmail can't read encrypted messages
Serveria Support wrote on 2022-10-11 10:44:
> Yes, there is a tiny problem letting the attacker change this value
> back to yes and instantly get access to users' passwords in plain
> text. Apart from that - no problems at all. :)

where is this problem ?, are the attacker one with full root access or not ?

if that's the case i will just suggest make your own problem
Arjen de Korte
2022-Oct-11 10:39 UTC
Dovecot mail-crypt webmail can't read encrypted messages
Quoting Serveria Support <support at serveria.com>:
> Yes, there is a tiny problem letting the attacker change this value
> back to yes and instantly get access to users' passwords in plain
> text. Apart from that - no problems at all. :)

If an attacker is able to modify your Dovecot configuration, you have bigger problems than leaking your users' password. Much bigger...
John Stoffel
2022-Oct-12 00:55 UTC
Dovecot mail-crypt webmail can't read encrypted messages
>>>>> "Serveria" == Serveria Support <support at serveria.com> writes:

> Yes, there is a tiny problem letting the attacker change this value back
> to yes and instantly get access to users' passwords in plain text. Apart
> from that - no problems at all. :)

Honestly, if the attacker has penetrated you to such an extent, then you're toast anyway, because they can just attach to the dovecot process with 'gdb' and dump the data directly as well.

Encryption is not a magic solution here, and there's no real way to secure the system so well that once an attacker can modify files and restart processes they are blocked. Because they honestly look like an Admin doing work on the system.

> On 2022-10-11 12:15, Benny Pedersen wrote:
>> Serveria Support wrote on 2022-10-11 10:37:
>>> Thanks, but I suspect you've missed a part of this discussion
>>
>> if you set all to no, is there any problem to solve ?
>>
>> i am only human, not perfect
>>
>>>
>>> On 2022-10-11 01:25, Benny Pedersen wrote:
>>>> Serveria Support wrote on 2022-10-10 23:18:
>>>>> Hi Benny,
>>>>>
>>>>> Sorry I must have missed your email. Here's the output of doveconf
>>>>> -P
>>>>> | grep auth:
>>>>>
>>>>> doveconf: Warning: NOTE: You can get a new clean config file with:
>>>>> doveconf -Pn > dovecot-new.conf
>>>>> doveconf: Warning: Obsolete setting in /etc/dovecot/dovecot.conf:25:
>>>>> 'imaps' protocol is no longer necessary, remove it
>>>>
>>>> remove imaps in protocol as it says
>>>>
>>>>> auth_debug = yes
>>>>> auth_debug_passwords = yes
>>>>> auth_verbose = yes
>>>>> auth_verbose_passwords = yes
>>>>
>>>> change yes to no
>>>>
>>>> problem solved imho :)
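
The thread turns on whether the password-logging settings can silently drift back to `yes`; a periodic check over `doveconf -n` output makes that drift visible. The script below is an added example, not part of the original thread or of Dovecot. Its function names are hypothetical, and it assumes `yes` for `auth_verbose_passwords` behaves like `plain`.

```shell
#!/bin/sh
# Added example. Reads "key = value" lines in the format doveconf prints and
# reports auth settings that put passwords in the log.
# Exit status: 0 = no FAIL finding, 1 = at least one FAIL finding.
audit_dovecot_auth() {
    awk '
    {
        eq = index($0, "=")
        if (eq == 0) next                    # warnings, braces, blank lines
        key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (key !~ /^[a-z_]+$/) next         # not a plain setting name
        val = tolower(val)
        if (key == "auth_debug_passwords" && val == "yes") {
            print "FAIL " key "=" val ": passwords logged on auth mismatch"; fail = 1
        } else if (key == "auth_verbose_passwords" && val ~ /^(yes|plain)/) {
            # Assumption: "yes" is handled like "plain".
            print "FAIL " key "=" val ": attempted passwords logged in cleartext"; fail = 1
        } else if (key == "auth_verbose_passwords" && val ~ /^sha1/) {
            print "WARN " key "=" val ": SHA1 of attempted passwords logged"
        } else if (key == "auth_debug" && val == "yes") {
            print "WARN " key "=" val ": auth debug logging enabled"
        }
    }
    END { exit (fail ? 1 : 0) }
    '
}

# The four settings quoted in the thread, preceded by one doveconf warning line.
thread_settings() {
    cat <<'EOF'
doveconf: Warning: Obsolete setting in /etc/dovecot/dovecot.conf:25:
auth_debug = yes
auth_debug_passwords = yes
auth_verbose = yes
auth_verbose_passwords = yes
EOF
}

# Constructed sample: the same settings after "change yes to no".
hardened_settings() {
    printf '%s\n' 'auth_debug = no' 'auth_debug_passwords = no' \
        'auth_verbose = no' 'auth_verbose_passwords = no'
}

thread_settings | audit_dovecot_auth || echo "thread config: password logging enabled"
hardened_settings | audit_dovecot_auth && echo "hardened config: clean"
```

On a live host the input would be `doveconf -n | audit_dovecot_auth`, with a non-zero exit status feeding whatever alerting is already in place.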