Hello,

Are there any plans to change the password policy in xmail? I mean
mainly two things:

1. Passwords in mailusers/ctrlaccounts are not encrypted (the algorithm
used is not encryption, only encoding with no security value).
2. Passwords in logs are in clear text.

My idea is to store only the MD5 hash of the password (maybe with some
server-defined salt) and to include in the logs only the information
whether the login was or was not successful.

I know that a correctly administered server should not give anyone
access to these data, but a good security precaution is to count on the
worst.

And I think that it would not be a problem to implement. Although it
would require some changes in client components, if you changed the
storage for ctrlaccounts. But in general, I don't see any problems for
mailusers.

-- Michal A. Valasek
   Altair Software Production

*** New project: http://weblog.rider.cz ***
__________________________________________________________
Censorship can't eliminate evil; it can only kill freedom.
E-mail: [EMAIL PROTECTED] * ICQ: 6160893 * GSM: +420-603-828493
For list of all my web projects visit http://[EMAIL PROTECTED]

-
To unsubscribe from this list: send the line "unsubscribe xmail" in
the body of a message to [EMAIL PROTECTED]
For general help: send the line "help" in the body of a message to
[EMAIL PROTECTED]
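
The two changes proposed in the message above (store only a salted hash, log only the login outcome), as an added example that is not part of the original message and is not XMail code. It swaps the proposed MD5 for PBKDF2-HMAC-SHA256 with a random per-user salt, since a single fast hash is cheap to brute-force from a leaked file; the record format, function names and iteration count are assumptions of this sketch.

```python
import hashlib
import hmac
import os

# Assumed parameters for this sketch; not XMail settings.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def make_record(password: str) -> str:
    """Return 'iterations$salt_hex$hash_hex', stored in place of the password."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"{PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        iterations, salt_hex, hash_hex = record.split("$")
        expected = bytes.fromhex(hash_hex)
        actual = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
        )
    except (ValueError, OverflowError):
        return False  # a malformed record never authenticates
    return hmac.compare_digest(actual, expected)


def login(user: str, password: str, store: dict, log: list) -> bool:
    """Check a login and append a log line that carries only the outcome."""
    record = store.get(user)
    ok = record is not None and verify(password, record)
    # Strip CR/LF so a crafted user name cannot forge extra log lines.
    safe_user = user.replace("\r", "").replace("\n", "")
    log.append(f"auth user={safe_user} result={'OK' if ok else 'FAIL'}")
    return ok
```

Because the stored record can no longer be turned back into the password, any client or protocol step that needs the cleartext value has to change as well, which is the ctrlaccounts concern raised in the message.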