Mailsetup: qmail + vpopmail 5.5.27 + dovecot

Over the years, we didn't store cleatext versions of passwords. Some time ago, 
we wanted to change that setup and since that time, we used vpopmail compiled 
without option --disable-clear-passwd, but know with 
option --enable-learn-passwords . step by step, we wanted to get user's 
passwords (we discussed that issue here on the list about 2 years ago). The 
reason was, we wanted to change our mailsetup (postfix+dovecot). But that did 
not work, means, cleartext version of password wasn't stored.

All other was working fine and so i didn't change anything. This was a big 
mistake, because since that time, all vpopmail mailboxes could be accessed 
with an empty passwordstring, at least, if the clients were using cram or 
digest authentication.

I know about the misconfigured vpopmail, but i think this behavor isn't as 
expected. In the documentation of the option --disable-clear-passwd is 
explaned, that this option causes vpopmail to store cleartext version of 
passwords in _addition_ to their encrypted versions, and so i think, the 
described behavior is at least a security leak.



Reply via email to