-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 12/22/2010 05:06 AM, ckubu wrote:
> Hi,
>
> Mail setup: qmail + vpopmail 5.5.27 + dovecot
I assume you mean vpopmail 5.4.27.
> Over the years, we didn't store cleartext versions of passwords. Some time
> ago, we wanted to change that setup, and since that time we have used vpopmail
> compiled without the option --disable-clear-passwd, but now with the
> option --enable-learn-passwords. Step by step, we wanted to get the users'
> passwords (we discussed that issue here on the list about 2 years ago). The
> reason was, we wanted to change our mail setup (postfix+dovecot). But that did
> not work, meaning the cleartext version of the password wasn't stored.
>
> Everything else was working fine, and so I didn't change anything. This was a big
> mistake, because since that time, all vpopmail mailboxes could be accessed
> with an empty password string, at least if the clients were using CRAM or
> DIGEST authentication.
>
> I know about the misconfigured vpopmail, but I think this behavior isn't as
> expected. In the documentation of the option --disable-clear-passwd it is
> explained that this option causes vpopmail to store the cleartext version of
> passwords in _addition_ to their encrypted versions, and so I think the
> described behavior is at least a security leak.
This should be fixed in the latest stable in the 5.4 tree. Try
upgrading to 5.4.32.
- --
/*
Matt Brookings <[email protected]> GnuPG Key FAE0672C
Software developer Systems technician
Inter7 Internet Technologies, Inc. (815)776-9465
*/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAk0SDzgACgkQIwet2/rgZywOkwCfQAZzYjcOe80K9EV7Ipbxdnwl
VTQAoIgK65QoAlFCURgEJSQ/WEfHgBER
=NaZs
-----END PGP SIGNATURE-----
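The thread does not spell out why an empty password string worked for CRAM/DIGEST logins, so the following is an added illustration, not vpopmail or dovecot code. It assumes the mechanism a practitioner would suspect first: a challenge-response verifier computes HMAC-MD5 (RFC 2195 CRAM-MD5) over the challenge using the stored cleartext password as the key, and if that stored value is an empty string, a client that also uses an empty password produces the identical digest. The user table, hostnames and account names below are constructed for the demo; the "hardened" verifier shows the check that fails closed when no cleartext secret is on file.

```python
"""CRAM-MD5 (RFC 2195) exchange with an empty stored secret.

Added example, not code from vpopmail, dovecot or the thread. USER_DB is a
constructed stand-in for whatever cleartext-password field a real backend
exposes; the hostnames and accounts are made up for the demo.
"""
import hashlib
import hmac
import os
import time

# Constructed sample data: alice has no cleartext password on file (the
# situation the poster describes), bob has one.
USER_DB = {
    "alice@example.invalid": "",
    "bob@example.invalid": "correct horse battery staple",
}


def make_challenge(hostname="mail.example.invalid"):
    """Server-side challenge in the RFC 2195 msg-id form <pid.time@host>."""
    return f"<{os.getpid()}.{int(time.time())}@{hostname}>".encode()


def client_response(username, password, challenge):
    """What a CRAM-MD5 client sends back: 'user hex(HMAC-MD5(password, challenge))'."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return f"{username} {digest}"


def verify_naive(challenge, response, db=USER_DB):
    """Verifier that trusts whatever cleartext is stored, empty included.

    HMAC with an empty key is well defined (the key is zero-padded to the
    block size), so an empty stored secret and an empty client password
    yield the same digest and the login succeeds.
    """
    username, _, digest = response.partition(" ")
    stored = db.get(username)
    if stored is None:
        return False
    expected = hmac.new(stored.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected.encode(), digest.encode())


def verify_hardened(challenge, response, db=USER_DB):
    """Same check, but refuse CRAM-MD5 when no cleartext secret is on file.

    Without a cleartext password the server has nothing to verify a
    challenge-response login against, so it must fail closed (better still,
    do not advertise CRAM-MD5/DIGEST-MD5 for such accounts at all).
    """
    username, _, digest = response.partition(" ")
    stored = db.get(username)
    if not stored:  # None or "" both mean "nothing to verify against"
        return False
    expected = hmac.new(stored.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected.encode(), digest.encode())


def demo():
    """Run the exchange for both users; returns {case: (naive, hardened)}."""
    chal = make_challenge()
    empty_login = client_response("alice@example.invalid", "", chal)
    good_login = client_response("bob@example.invalid", "correct horse battery staple", chal)
    bad_login = client_response("bob@example.invalid", "wrong", chal)
    return {
        "alice_empty": (verify_naive(chal, empty_login), verify_hardened(chal, empty_login)),
        "bob_good": (verify_naive(chal, good_login), verify_hardened(chal, good_login)),
        "bob_bad": (verify_naive(chal, bad_login), verify_hardened(chal, bad_login)),
    }


if __name__ == "__main__":
    for case, (naive, hardened) in demo().items():
        print(f"{case}: naive={naive} hardened={hardened}")
```

Running it shows the naive verifier accepting alice's empty-password login while still rejecting a wrong password for bob; the hardened verifier rejects alice outright because there is no secret to check. The same reasoning applies to DIGEST-MD5, which likewise needs the cleartext (or a hash derived from it) on the server side.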