Serveria Support
2022-Oct-11 12:11 UTC
Dovecot mail-crypt webmail can't read encrypted messages
Yes, I realize that. But I can't think of a reason this password is necessary in the logs. It's kind of a backdoor and has to be removed from code. Why make intruder's life easier? On 2022-10-11 13:39, Arjen de Korte wrote:> Citeren Serveria Support <support at serveria.com>: > >> Yes, there is a tiny problem letting the attacker change this value >> back to yes and instantly get access to users' passwords in plain >> text. Apart from that - no problems at all. :) > > If an attacker is able to modify your Dovecot configuration, you have > bigger problems than leaking your users' password. Much bigger...
Odhiambo Washington
2022-Oct-11 13:49 UTC
Dovecot mail-crypt webmail can't read encrypted messages
If you don't store cleartext passwords in your backend, how will an intruder get them?? On Tue, Oct 11, 2022 at 3:45 PM Serveria Support <support at serveria.com> wrote:> Yes, I realize that. But I can't think of a reason this password is > necessary in the logs. It's kind of a backdoor and has to be removed > from code. Why make intruder's life easier? > > On 2022-10-11 13:39, Arjen de Korte wrote: > > Citeren Serveria Support <support at serveria.com>: > > > >> Yes, there is a tiny problem letting the attacker change this value > >> back to yes and instantly get access to users' passwords in plain > >> text. Apart from that - no problems at all. :) > > > > If an attacker is able to modify your Dovecot configuration, you have > > bigger problems than leaking your users' password. Much bigger... >-- Best regards, Odhiambo WASHINGTON, Nairobi,KE +254 7 3200 0004/+254 7 2274 3223 "Oh, the cruft.", egrep -v '^$|^.*#' ?\_(?)_/? :-) -------------- next part -------------- An HTML attachment was scrubbed... URL: <https://dovecot.org/pipermail/dovecot/attachments/20221011/9a8a85fa/attachment-0001.htm>
I find this conversation "interesting". Serveria, i think some can't see the attack scenario where the attacker's goal is simply to get email passwords, and nothing else. it would make sense for their strategy to do nothing else "bad" on the server to attract attention to their intrusion. In that case, all they would do is send back the treasure trove of passwords to their home server(s), and sit there, remaining possibly for years, hiding, exploiting the fact that dovecot, with no code modification, will allow them to grab email passwords. If a dovecot server has thousands of email accounts, that represents thousands of other devices they could target, which is worth much more to the attacker than a single dovecot server. Oh well, food for thought. On Tue, 2022-10-11 at 15:11 +0300, Serveria Support wrote:> Yes, I realize that. But I can't think of a reason this password is > necessary in the logs. It's kind of a backdoor and has to be removed > from code. Why make intruder's life easier? > > On 2022-10-11 13:39, Arjen de Korte wrote: > > Citeren Serveria Support <support at serveria.com>: > > > >> Yes, there is a tiny problem letting the attacker change this value > >> back to yes and instantly get access to users' passwords in plain > >> text. Apart from that - no problems at all. :) > > > > If an attacker is able to modify your Dovecot configuration, you have > > bigger problems than leaking your users' password. Much bigger...