> I can't believe all you guys are interested in the algorithm to > decrypt IMail passwords. You SHOULD be yelling and screaming at > Ipswitch to use non-reversible encryption on their passwords. There > are some operational and conversion limitations to not being able to > decrypt a password, but it's very irresponsible to store passwords > in a decodable format on ANY computer system.
Look, anyone who owns your mail server owns your passwords, unless you are forcing SSL on SMTP, POP3, and IWEBMSG. It's trivial to sniff them using built-in NetMon. And, of course, anyone who owns your mail server owns your raw mailbox files. Once you are requiring encryption on incoming connections, then it makes more sense to worry about additional protection in-database. Simply lock down the Registry using ACLs and run the IMail services under an account with special access. Or you can use one of the other IMail database options (ODBC or NT), giving you a wide range of encryption levels, both on-the-wire and in-database. (In all these cases, it's still possible for an owner to use code injection to hijack the passwords as they are passed between processes, but that may indeed be beyond the capabilities of an ordinary hacker without otherwise alerting you to their compromise by futzing with mail flow.) It's clear after many years that the built-in Registry-based database option is not designed for security, but for ease-of-use; the encryption (encoding, really) has never been claimed to be secure. The number of admins who make day-to-day use of the passwords' retrievability has established the usefulness of the feature, so it doesn't surprise me that more people, rather than less, ask about it. --Sandy ------------------------------------ Sanford Whiteman, Chief Technologist Broadleaf Systems, a division of Cypress Integrated Systems, Inc. e-mail: [EMAIL PROTECTED] SpamAssassin plugs into Declude! http://www.imprimia.com/products/software/freeutils/SPAMC32/download/release/ Defuse Dictionary Attacks: Turn Exchange or IMail mailboxes into IMail Aliases! http://www.imprimia.com/products/software/freeutils/exchange2aliases/download/release/ http://www.imprimia.com/products/software/freeutils/ldap2aliases/download/release/ To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/ Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/
