> Hi,
> Mailsetup: qmail + vpopmail 5.5.27 + dovecot
> Over the years, we didn't store cleatext versions of passwords. Some time
> ago,
> we wanted to change that setup and since that time, we used vpopmail
> compiled
> without option --disable-clear-passwd, but know with
> option --enable-learn-passwords . step by step, we wanted to get user's
> passwords (we discussed that issue here on the list about 2 years ago).
> The
> reason was, we wanted to change our mailsetup (postfix+dovecot). But that
> did
> not work, means, cleartext version of password wasn't stored.
> All other was working fine and so i didn't change anything. This was a big
> mistake, because since that time, all vpopmail mailboxes could be accessed
> with an empty passwordstring, at least, if the clients were using cram or
> digest authentication.
> I know about the misconfigured vpopmail, but i think this behavor isn't as
> expected. In the documentation of the option --disable-clear-passwd is
> explaned, that this option causes vpopmail to store cleartext version of
> passwords in _addition_ to their encrypted versions, and so i think, the
> described behavior is at least a security leak.
Your words are confusing, as either you have typos or logical opposites of
what you mean.  I think you're saying that you enabled the storage of
cleartext passwords after the fact, but forgot to turn on learing of
passwords, and as a result everyone had an empty cleartext password
stored, allowing access to the mailboxes with an empty password using cram
or digest authentication.

While this may look like a security "leak", I would argue that this is
simply the expected result of misconfiguring your system in a manner that
causes security holes.  The same can be said for just about any software
that uses logins - if you don't configure it correctly (and monitor it to
make sure it's still working properly), you're going to open yourself up
to unnecessary risks.

I've worked with someone who had to do the whole "we want to capture
plaintext passwords after the fact" thing, and they set up a very specific
plan in advance and followed it to the letter in order to minimize the
risk - specifically:

1) Recompile vpopmail w/ clear-text passwords and learning enabled.
2) Put it in place and test to make sure that passwords were being captured.
3) Keep it in place only as long as absolutely necessary - in this case, I
think they did it for a month, but it might have been less than that - and
monitor that passwords are being captured so it can be cut short if
everyone has one.
4) Recompile vpopmail WITHOUT learning enabled, put it in place, and force
everyone whose password was not learned to change their password - in this
case by changing it for them and having them call in when they can't
connect (since they hand't connected within the alloted time, it wasn't
likely a big deal).

It sounds like you did step 1, half of step 2, and didn't look at it again
until 2 years later.  You can't fault the software for working the way you
told it to and you assuming it was doing something different.  Perhaps the
documentation needs to be revised to spell out what not to do if you want
to keep your system secure, but I don't think that's the same as "the
software is insecure."

And as to storing both encrypted and plaintext versions of the password, I
can see that there's no NEED to keep the encrypted version if you have the
plaintext one, but then you'd have to have 2 totally separate password
checking routines for non-cram/digest authentication, depending on which
version of the password is stored, and that seems unnecessary to me. 
Besides, there's actually a little bit of extra security in the fact that
you're never comparing just a plain text password to a plain text password
- there's always some sort of encryption algorithm involved before the


Joshua Megerman
SJGames MIB #5273 - OGRE AI Testing Division
You can't win; You can't break even; You can't even quit the game.
  - Layman's translation of the Laws of Thermodynamics


Reply via email to