On Aug 21, 2007, at 12:45 PM, John Simpson wrote:
> And before you do this: if your qmailadmin interface is available on a non-SSL web site, that needs to be changed. Otherwise, anybody with a packet sniffer in the right place will be able to literally WATCH your users log into their domains, and read their passwords right off the wire.
>
> This is dangerous, not only because it lets them go back in and change mailboxes around, but because if you allow people to relay using the AUTH command, this gives the attacker an email/password combination which can be used to relay spam through your server.

John,

I've always wondered whether this actually happens, at least in the US. I'm a little more concerned when traveling overseas, but do hackers still get passwords this way? Maybe by sniffing an unencrypted Wi-Fi network, but with most wired networks using switches, it'd be very hard to get a packet logger onto a segment that could see all the traffic.

-Tom
