Serveria Support
2022-Oct-10 18:05 UTC
Dovecot mail-crypt webmail can't read encrypted messages
I checked the source code on Github and discussed this with a C developer. There seem to be too many files... perhaps somebody can guide me where should I look? Aki? On 2022-10-10 11:03, Serveria Support wrote:> Hi, thanks, this sounds like a great idea! Will try this and let you > guys know... > > On 2022-10-10 10:52, George Asenov wrote: >> Dovecot is opensource so you can download source edit the log format >> removing the passwords and compile it. >> >> On 09-Oct-22 8:47 PM, Serveria Support wrote: >>> Like I've already mentioned in my reply to Aki, I generally agree, >>> but many of these methods require much time and expertise some bad >>> guys don't have. You can also bruteforce the passwords but it can >>> take years. With passwords showing in logs all they need to do is >>> make a few clicks and enable auth logging. In most cases the attacker >>> is really short on time and needs to act fast, before he is detected >>> and locked out of the system. >>> >>> On 2022-10-09 19:10, Bernardo Reino wrote: >>>> On Sun, 9 Oct 2022, Serveria Support wrote: >>>> >>>>> So this means passwords cannot be masked/hidden in the logs? You >>>>> realize that it actually defeats the whole idea of encrypted >>>>> storage? It's useless. I can think of lots of scenarios: malicious >>>>> system administrator reading users mails and blackmailing them or >>>>> selling their business secrets to competitors, corrupt law >>>>> enforcement in some countries getting rid of political or business >>>>> opponents by disclosing the contents of their mails and I can go on >>>>> and on and on... There is no such thing as semi-privacy. Privacy is >>>>> either there or it's not. >>>> >>>> If your attack scenario includes somebody owning your server, >>>> nothing >>>> prevents them from compiling/installing a custom version of dovecot >>>> (or any other tool you may be using, like PAM, etc.) which dumps the >>>> passwords in clear text to a suitable file, pipe, or socket. >>>> >>>> So good luck with that requirement.. >>>> >>>> Cheers, >>>> Bernardo >>>
Benny Pedersen
2022-Oct-10 19:33 UTC
Dovecot mail-crypt webmail can't read encrypted messages
Serveria Support skrev den 2022-10-10 20:05:> I checked the source code on Github and discussed this with a C > developer. There seem to be too many files... perhaps somebody can > guide me where should I look? Aki?you ask for help ?, and i have sayed "doveconf -P | grep auth" how can i help more when you are not provide it ?, sorry then
Bernardo Reino
2022-Oct-11 14:07 UTC
Dovecot mail-crypt webmail can't read encrypted messages
On Mon, 10 Oct 2022, Serveria Support wrote:> I checked the source code on Github and discussed this with a C developer. > There seem to be too many files... perhaps somebody can guide me where should > I look? Aki?You should search for "given password" in the source. Hint: src/auth/passdb-pam.c, around lines 175-178. src/auth/auth-request.c, around lines 2311-2312. This is with the latest source (2.3.19.1). Cheers. PS: But as I noted, nothing prevents $HACKER from bringing their own dovecot (BYOD :) with all debugging options enabled, etc. As others have noted, if the intruder owns your server, you have lost. Period.