Arjen de Korte
2022-Oct-11 10:39 UTC
Dovecot mail-crypt webmail can't read encrypted messages
Quoting Serveria Support <support at serveria.com>:

> Yes, there is a tiny problem letting the attacker change this value
> back to yes and instantly get access to users' passwords in plain
> text. Apart from that - no problems at all. :)

If an attacker is able to modify your Dovecot configuration, you have bigger problems than leaking your users' password. Much bigger...
Serveria Support
2022-Oct-11 12:11 UTC
Dovecot mail-crypt webmail can't read encrypted messages
Yes, I realize that. But I can't think of a reason this password is necessary in the logs. It's kind of a backdoor and has to be removed from the code. Why make an intruder's life easier?

On 2022-10-11 13:39, Arjen de Korte wrote:

> Quoting Serveria Support <support at serveria.com>:
>
>> Yes, there is a tiny problem letting the attacker change this value
>> back to yes and instantly get access to users' passwords in plain
>> text. Apart from that - no problems at all. :)
>
> If an attacker is able to modify your Dovecot configuration, you have
> bigger problems than leaking your users' password. Much bigger...