@Tulp - the attacker has to 0wn your server first, in which case they will have found a password to SSH in, regardless of dovecot being there or not. You will be dealing with a bigger problem than dovecot.
On Tue, Oct 11, 2022 at 5:39 PM John Tulp <johnt...@tulpholdings.com> wrote:
> I find this conversation "interesting".
>
> Serveria, I think some can't see the attack scenario where the attacker's goal is simply to get email passwords, and nothing else. It would make sense for their strategy to do nothing else "bad" on the server to attract attention to their intrusion. In that case, all they would do is send back the treasure trove of passwords to their home server(s), and sit there, remaining possibly for years, hiding, exploiting the fact that dovecot, with no code modification, will allow them to grab email passwords. If a dovecot server has thousands of email accounts, that represents thousands of other devices they could target, which is worth much more to the attacker than a single dovecot server.
>
> Oh well, food for thought.
>
>
> On Tue, 2022-10-11 at 15:11 +0300, Serveria Support wrote:
> > Yes, I realize that. But I can't think of a reason this password is necessary in the logs. It's kind of a backdoor and has to be removed from code. Why make intruder's life easier?
> >
> > On 2022-10-11 13:39, Arjen de Korte wrote:
> > > Citeren Serveria Support <supp...@serveria.com>:
> > >
> > >> Yes, there is a tiny problem letting the attacker change this value back to yes and instantly get access to users' passwords in plain text. Apart from that - no problems at all. :)
> > >
> > > If an attacker is able to modify your Dovecot configuration, you have bigger problems than leaking your users' password. Much bigger...
> >

--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft.", egrep -v '^$|^.*#' ¯\_(ツ)_/¯ :-)
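Whatever side of the threat-model argument one takes, the practical check that follows from the thread is to audit the running Dovecot configuration for the "log the password" knob Serveria refers to and to alert when someone has flipped it. The script below is an added example and is not code from the thread participants or from the Dovecot project. It assumes the settings at issue are the real Dovecot options auth_debug_passwords (yes|no) and auth_verbose_passwords (no|plain|sha1); the thread does not name the setting, so that mapping is an assumption. It reads `key = value` lines in the shape `doveconf -n` prints, and the two configurations it runs against are constructed samples embedded inline so the check runs offline.

```shell
#!/bin/sh
# Added example (not from the thread or from Dovecot): audit Dovecot's
# effective configuration for settings that write attempted passwords to
# the auth log. Setting names checked (real Dovecot options, but assumed
# here to be the ones the thread means):
#   auth_debug_passwords   = yes|no          (yes logs attempted passwords)
#   auth_verbose_passwords = no|plain|sha1   (plain logs them in clear text)

# check_password_logging: read doveconf-style "key = value" lines on stdin.
# Prints one line per risky setting. Returns 1 if any setting exposes
# credentials (debug=yes or verbose=plain), 0 otherwise. sha1 is reported
# as a warning only.
check_password_logging() {
    awk '
        { sub(/#.*/, "") }                      # strip trailing comments
        /^[[:space:]]*auth_(debug|verbose)_passwords[[:space:]]*=/ {
            split($0, kv, "=")
            key = kv[1]; val = kv[2]
            gsub(/[[:space:]]/, "", key)
            gsub(/[[:space:]]/, "", val)
            val = tolower(val)
            if (key == "auth_debug_passwords" && val == "yes") {
                printf "UNSAFE: %s = %s (attempted passwords are logged)\n", key, val
                bad = 1
            } else if (key == "auth_verbose_passwords" && val == "plain") {
                printf "UNSAFE: %s = %s (attempted passwords logged in clear text)\n", key, val
                bad = 1
            } else if (key == "auth_verbose_passwords" && val == "sha1") {
                printf "WARN: %s = %s (hashed attempts are logged)\n", key, val
            }
        }
        END { exit bad + 0 }
    '
}

# audit CONFIG_TEXT: feed a configuration dump to the checker; status as above.
audit() {
    printf '%s\n' "$1" | check_password_logging
}

# Constructed sample: a hardened server as `doveconf -n` might print it.
SAFE_CONF='auth_mechanisms = plain login
auth_debug_passwords = no
auth_verbose_passwords = no
mail_location = maildir:~/Maildir'

# Constructed sample: the same server after an intruder "changed this value
# back to yes", as the thread puts it.
TAMPERED_CONF='auth_mechanisms = plain login
auth_debug = yes
auth_debug_passwords = yes   # flipped
auth_verbose_passwords = plain
mail_location = maildir:~/Maildir'

# Demonstration on the constructed samples.
if audit "$SAFE_CONF"; then
    echo "safe sample: ok"
fi
if audit "$TAMPERED_CONF"; then
    echo "tampered sample: ok (unexpected)"
else
    echo "tampered sample: flagged"
fi

# On a real host, feed the live effective configuration instead.
if command -v doveconf >/dev/null 2>&1; then
    doveconf -n 2>/dev/null | check_password_logging || echo "live config: password logging enabled"
fi
```

Run it from cron or a configuration-management check; because it reads the effective configuration rather than a single file, it also catches a value dropped into an included conf.d snippet. Note that it reports the setting, not who changed it: pairing it with file-integrity monitoring on the Dovecot configuration directory is what gives the "intruder flipped it" signal the thread is worried about.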