Hut,

> -----Original Message-----
> From: Hut Carspecken [mailto:[EMAIL PROTECTED]
> Sent: 09 September 2003 22:46
> To: 'James Users List'
> Subject: Securing JAMES database connections
>
> Good Evening,
>
> I have been looking at JAMES and it occurred to me that the JAMES server
> advertises itself in the email trace information in an email message.
> i.e. <James 2.2.0a8>
>
> If a hacker sees this and knows anything about JAMES, they could take
> advantage that the config.xml file is clear text and easily displays a
> database username and password to someone who could hack into the
> computer.
>
> My question is two part. First, is there anyway that I can remove the
> JAMES name and version from the email trace information. Second, how do
> people protect vital files such as the config.xml file. If a server is
> behind a firewall and all ports are

NOT - I assume?

> closed, there is a chance that a hacker could break into a server. Is
> there a way to encrypt the config.xml file?

Don't assume the hacker is outside. It doesn't make good press, but far
more damage is done maliciously or incompetently from the inside.

Personally, I believe that encrypting the whole of the config. file is
going too far. Having a mechanism for encrypting passwords would be good.
This is especially pertinent to James tasks such as fetchpop and fetchmail
which currently must declare any number of account credentials in plain
text within the config.

The parsing of an encrypted field is something that could be supported by
Avalon, James' host framework. If it is added to
org.apache.avalon.framework.configuration.Configuration then James could
use it.

-- Steve
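
One shape the per-field password encryption suggested in the reply above could take, as an added example that is not James or Avalon code and not part of the original thread. The `{enc}` prefix, the class and the method names are hypothetical, and the key is assumed to be stored outside config.xml.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;

public class EncryptedConfigValue {
    static final String PREFIX = "{enc}";   // hypothetical marker for an encrypted field
    static final int IV_LEN = 12, TAG_BITS = 128;

    // Produces "{enc}" + base64(iv || ciphertext || tag) for pasting into the config.
    static String protect(String plain, byte[] key) throws Exception {
        byte[] iv = new byte[IV_LEN];
        new SecureRandom().nextBytes(iv);   // fresh IV per value; never reuse with one key
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(plain.getBytes(StandardCharsets.UTF_8));
        byte[] out = Arrays.copyOf(iv, IV_LEN + ct.length);
        System.arraycopy(ct, 0, out, IV_LEN, ct.length);
        return PREFIX + Base64.getEncoder().encodeToString(out);
    }

    // Returns unmarked values unchanged and decrypts marked ones. A tampered value
    // or a wrong key fails the GCM tag check and throws AEADBadTagException.
    static String resolve(String value, byte[] key) throws Exception {
        if (!value.startsWith(PREFIX)) return value;
        byte[] in = Base64.getDecoder().decode(value.substring(PREFIX.length()));
        if (in.length < IV_LEN + TAG_BITS / 8) throw new IllegalArgumentException("encrypted value too short");
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(TAG_BITS, in, 0, IV_LEN));
        return new String(c.doFinal(in, IV_LEN, in.length - IV_LEN), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        // Constructed 256-bit key for the demo; in a deployment the key would live
        // outside config.xml (for example in a file readable only by the James user).
        byte[] key = new byte[32];
        new SecureRandom().nextBytes(key);
        String stored = protect("constructed-db-password", key);
        System.out.println("stored in config:  " + stored);
        System.out.println("resolved at load:  " + resolve(stored, key));
        System.out.println("plain passthrough: " + resolve("not-encrypted", key));
    }
}
```

Encrypting the field only helps if the key is held separately from config.xml and under tighter access control, since anyone who can read both recovers the password.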
