On 12/22/2010 05:06 AM, ckubu wrote:
> Hi,
> 
> Mailsetup: qmail + vpopmail 5.5.27 + dovecot

I assume you mean vpopmail 5.4.27.

> Over the years, we didn't store cleartext versions of passwords. Some time
> ago, we wanted to change that setup, and since that time we used vpopmail
> compiled without option --disable-clear-passwd, but now with
> option --enable-learn-passwords. Step by step, we wanted to get users'
> passwords (we discussed that issue here on the list about 2 years ago). The
> reason was, we wanted to change our mail setup (postfix+dovecot). But that did
> not work, meaning the cleartext version of the password wasn't stored.
> 
> Everything else was working fine, and so I didn't change anything. This was
> a big mistake, because since that time all vpopmail mailboxes could be
> accessed with an empty password string, at least if the clients were using
> CRAM or DIGEST authentication.
> 
> I know about the misconfigured vpopmail, but I think this behavior isn't as
> expected. In the documentation of the option --disable-clear-passwd it is
> explained that this option causes vpopmail to store the cleartext version of
> passwords in _addition_ to their encrypted versions, and so I think the
> described behavior is at least a security leak.

This should be fixed in the latest stable in the 5.4 tree.  Try
upgrading to 5.4.32.
-- 
/*
    Matt Brookings <m...@inter7.com>       GnuPG Key FAE0672C
    Software developer                     Systems technician
    Inter7 Internet Technologies, Inc.     (815)776-9465
*/
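The failure mode ckubu describes, as an added example that is not part of this thread or of vpopmail's own code: a toy CRAM-MD5 verifier (RFC 2195) showing why a missing cleartext credential must make challenge-response authentication unavailable rather than degrade to an empty secret. That vpopmail's bug worked exactly this way is an assumption here; the challenge and passwords are constructed sample values.

```python
import hashlib
import hmac
from typing import Optional


def cram_md5_response(username: str, password: str, challenge: bytes) -> str:
    """Client side of CRAM-MD5: 'user hex(HMAC-MD5(password, challenge))'."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return f"{username} {digest}"


def _split_response(response: str) -> tuple:
    username, _, digest = response.partition(" ")
    return username, digest


def verify_lenient(stored_clear: Optional[str], challenge: bytes, response: str) -> bool:
    """Flawed verifier (assumed model of the reported bug): a missing cleartext
    password is treated as "", so a client that also supplies "" matches."""
    _, digest = _split_response(response)
    secret = (stored_clear or "").encode()
    expected = hmac.new(secret, challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def verify_strict(stored_clear: Optional[str], challenge: bytes, response: str) -> bool:
    """Hardened verifier: with no cleartext secret on file, CRAM-MD5 cannot be
    checked at all, so it is refused (the server should advertise only
    mechanisms it can actually verify against the stored hash, e.g. PLAIN over TLS)."""
    if not stored_clear:
        return False
    _, digest = _split_response(response)
    expected = hmac.new(stored_clear.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


# Constructed sample challenge, in the RFC 2195 msg-id style.
CHALLENGE = b"<1896.697170952@mail.example.invalid>"

if __name__ == "__main__":
    empty = cram_md5_response("alice", "", CHALLENGE)
    print("lenient accepts empty password:", verify_lenient(None, CHALLENGE, empty))
    print("strict accepts empty password: ", verify_strict(None, CHALLENGE, empty))
```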