In <[EMAIL PROTECTED]>, on
08/26/99 at 06:00 PM,
Dustin Krysak <[EMAIL PROTECTED]> said:
>The passwords are not encrypted. Just store the DBase outside of your web
>root...and then they should be just as safe as any other files on your
>system. The only people who can view them, are those who are physically
>at the system.
I went ahead and encrypted the passwords to be safe; I modified the
ODBCUSER.DLL to do this. IMail never needs the actual password again, so
this method works. Although the database is supposed to be secure, I
trust its security less the more I work with NT. This way if someone
manages to steal the passwords, the best they can do is dictionary attacks
(which will certainly turn up a few).
This does create a restriction of adding new users only through the
IMail administrator or ADDUSER.EXE, unless your custom DB interface can
implement the same encryption.
>Be advised, as another user had pointed
>out... not all user info is stored in the external DBase...just the
>pertinent info to give mail access...the personal info (i.e. phone
>number, etc) are stored else where...
>where? no one seems to know.
There is a private LDAP database created in each domain virtual
directory.
--
-----------------------------------------------------------
Mike Nice <[EMAIL PROTECTED]>
-----------------------------------------------------------
Please visit http://www.ipswitch.com/support/mailing-lists.html
to be removed from this list.
