[qmailtoaster] Re: Authentication methods

Fri, 17 Feb 2012 11:37:06 -0800 

On 02/16/2012 09:48 PM, Pak Ogah wrote:

On 02/16/12 0:26, Eric Shubert wrote:

As part of the upgrade to vpopmail, we're considering removing clear
text passwords from the database. This will improve security, but at
the same time remove some (somewhat insecure) capabilitiy.

The biggest impact I think this will have is that admins will no
longer be able to look up someone's password. In the event that a user
loses their password, the administrator would reset the password to
something temporary, and the user would subsequently change it to
whatever they like. This is the practice followed in many (if not
most) other environments.


I use clear text password for:
- if my manager asked by his superior/co-manager to peek his
sub-ordinate email-account
This can be done more securely by using taps (http://wiki.qmailtoaster.com/index.php/Taps).
If taps has not been activated yet, the system admin could grep through a user's email. That would be up to the system admin's discretion.
Companies should have a policy regarding email that does not include the compromising of passwords. 


- jabberd authentication by creating a view on vpopmail's table



Which jabberd implementation/version are you using?
If you use ejabberd, you might try this:
http://www.ejabberd.im/check_vpopmail
Or, this appears to use hashed passwords:
http://www.ejabberd.im/check_mysql_python
Or, you might have ejabberd validate via dovecot:
http://www.ejabberd.im/files/contributions/check_dovecot.pl.txt
I think that there is most likely a way to use vpopmail's database for your jabberd authentication without needing clear text passwords. We may be of more help if when you tell us your specific jabberd setup. 

--
-Eric 'shubes'


---------------------------------------------------------------------------------
Qmailtoaster is sponsored by Vickers Consulting Group 
(www.vickersconsulting.com)
   Vickers Consulting Group offers Qmailtoaster support and installations.
     If you need professional help with your setup, contact them today!
---------------------------------------------------------------------------------
    Please visit qmailtoaster.com for the latest news, updates, and packages.
To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com 
    For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com

Reply via email to