On 27.06.2018 at 20:46, Mauro Mozzarelli wrote:
> That is correct. I was looking to secure DB access by encrypting the
> credentials in the configuration file.
How do you imagine that to start with?
dbmail needs to authenticate against the database and so it needs the
credentials - frankly - even if you were able to enter encrypted
passwords in "dbmail.conf", the dbmail processes would need the
password/key to decrypt it, and so you just move it from A to B.
> I know about setting permissions, but that is quite a lightweight and
> ineffective measure.
>
> Unix sockets implies a single tier hardware deployment. That as well
> does not suit the multi-tiered, firewall protected deployment to protect
> the Database tier. Clearly if I protect the DB tier, and then write the
> password in clear in the configuration file of the tier directly exposed
> to users, then the security of the DB is also reduced.
>
> This is a security issue.
It is not - dbmail starts as root, reads the config and drops
privileges; if someone can read "/etc/dbmail.conf", which can only be
accessed by root, you have lost anyway.
> On 27/06/18 07:23, Thomas Raschbacher wrote:
>> I think Mauro meant if it is possible to have the Database credentials
>> themselves encrypted in dbmail.conf. - To answer that: I don't think
>> that is possible, but if you configure permissions properly (0600 or
>> maybe 0660; then no one but the dbmail user and root should have access
>> to it) - or, depending on which database you use, you could look into
>> using unix sockets instead of tcp/ip.
>>
>> Regards
>>
>> On 2018-06-25 08:24, Andrea Brancatelli wrote:
>>
>>> Password encryption is mostly transparent on the application side;
>>> you just have to choose an encryption method when you create a user
>>> with dbmail-users - the password will be encrypted on the db and
>>> DBMail will handle it transparently.
_______________________________________________
DBmail mailing list
DBmail@dbmail.org
http://lists.nfg.nl/mailman/listinfo/dbmail
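The permission advice in the thread (owner root or the dbmail service account, mode 0600 or 0660) can be checked mechanically. The following audit function is an added example and is not part of the thread or of the dbmail project; it assumes GNU `stat` (Linux) and uses a placeholder service-account name in `DBMAIL_USER` that you would set to whatever account dbmail drops privileges to on your system.

```shell
#!/bin/sh
# Added example (not from the thread or the dbmail project): audit the
# ownership and mode of a config file that holds database credentials.
# Assumptions: GNU stat (Linux); DBMAIL_USER names the unprivileged
# service account (placeholder "dbmail" here, overridable via the environment).

DBMAIL_USER="${DBMAIL_USER:-dbmail}"

# check_conf_perms FILE
# Returns 0 when FILE is a regular file owned by root or $DBMAIL_USER and
# its mode is exactly 0600 or 0660 (the two modes suggested in the thread).
# Otherwise prints the reason to stdout and returns 1, so the function can
# be dropped into a cron job or a deployment smoke test.
check_conf_perms() {
    file="$1"
    if [ ! -f "$file" ]; then
        echo "$file: not a regular file"
        return 1
    fi
    mode=$(stat -c '%a' "$file") || return 1
    owner=$(stat -c '%U' "$file") || return 1

    # Ownership: only root (which reads the file before dropping privileges)
    # or the service account itself should own the credentials file.
    case "$owner" in
        root|"$DBMAIL_USER") ;;
        *)
            echo "$file: owned by $owner, expected root or $DBMAIL_USER"
            return 1
            ;;
    esac

    # Mode: no bits for "other", and at most read/write for the group.
    case "$mode" in
        600|660) ;;
        *)
            echo "$file: mode $mode is too open, expected 0600 or 0660"
            return 1
            ;;
    esac
    return 0
}
```

Source the file and call `check_conf_perms /etc/dbmail.conf`; a non-zero exit with a one-line reason is what you want to alert on. Note that the check deliberately accepts only the two exact modes from the thread rather than any "not world-readable" mode, so a file that is 0640 to an unrelated group is reported as a finding.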