On 12/22/2010 05:06 AM, ckubu wrote:
> Hi,
>
> Mailsetup: qmail + vpopmail 5.5.27 + dovecot

I assume you mean vpopmail 5.4.27.

> Over the years, we didn't store cleartext versions of passwords. Some time
> ago, we wanted to change that setup and since that time, we used vpopmail
> compiled without option --disable-clear-passwd, but now with
> option --enable-learn-passwords. Step by step, we wanted to get users'
> passwords (we discussed that issue here on the list about 2 years ago). The
> reason was, we wanted to change our mailsetup (postfix+dovecot). But that did
> not work, meaning the cleartext version of the password wasn't stored.
>
> Everything else was working fine and so I didn't change anything. This was a
> big mistake, because since that time, all vpopmail mailboxes could be accessed
> with an empty password string, at least if the clients were using cram or
> digest authentication.
>
> I know about the misconfigured vpopmail, but I think this behavior isn't as
> expected. In the documentation of the option --disable-clear-passwd it is
> explained that this option causes vpopmail to store cleartext version of
> passwords in _addition_ to their encrypted versions, and so I think the
> described behavior is at least a security leak.

This should be fixed in the latest stable in the 5.4 tree. Try upgrading to 5.4.32.

-- 
/*
    Matt Brookings <m...@inter7.com>       GnuPG Key FAE0672C
    Software developer                     Systems technician
    Inter7 Internet Technologies, Inc.     (815)776-9465
*/
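
Why an empty password can pass CRAM-MD5, shown as an added example (not code from this thread or from vpopmail). It assumes the cause is an empty stored cleartext field, which the thread does not confirm; all function names, accounts and the challenge are constructed for illustration.

```python
import base64
import hashlib
import hmac


def cram_md5_response(user: str, password: str, challenge: bytes) -> bytes:
    """Client side of CRAM-MD5 (RFC 2195): base64("user hex(HMAC-MD5(pw, challenge))")."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode())


def verify_naive(stored_clear: str, challenge: bytes, response: bytes) -> bool:
    """Hypothetical verifier that keys the HMAC with whatever the cleartext field holds."""
    _user, _, digest = base64.b64decode(response).decode().rpartition(" ")
    expected = hmac.new(stored_clear.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def verify_hardened(stored_clear, challenge: bytes, response: bytes) -> bool:
    """Refuse challenge-response auth when no cleartext secret is on file."""
    if not stored_clear:  # empty string or None: the HMAC key would be ""
        return False
    return verify_naive(stored_clear, challenge, response)


def accounts_missing_cleartext(accounts: dict) -> list:
    """Audit helper: accounts whose cleartext field is empty and so cannot
    safely be offered CRAM-MD5 or DIGEST-MD5."""
    return sorted(name for name, clear in accounts.items() if not clear)


# Constructed sample data: bob's cleartext password was never learned.
CHALLENGE = b"<1896.697170952@mail.example.org>"
ACCOUNTS = {"alice@example.org": "correct horse", "bob@example.org": ""}

if __name__ == "__main__":
    for name, clear in ACCOUNTS.items():
        attempt = cram_md5_response(name, "", CHALLENGE)  # client sends empty password
        print(name,
              "naive:", verify_naive(clear, CHALLENGE, attempt),
              "hardened:", verify_hardened(clear, CHALLENGE, attempt))
    print("audit:", accounts_missing_cleartext(ACCOUNTS))
```
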