email password in clear text

[ghislain]

hi,

From what i see in rc4 the email passwords are stored in clear. Is it not dangerous to store the email password in clear text in the database ?

I know that to provide 'i forgot my pass' feature you need this but is this tradeoff not a security risk ? Is there any technical reason for this ?

regards,
Ghislain.

[joximu]

Yes - it's a not very good thing.
The point is: the passwords are not read directly from the database, they are stored in other flatfile databases (eg userdb for courier) and it may be that this behaviour will change in the next version (either another mda or maybe direct connection to the database). I think that's why there are still clear text passwords in it.

The big but: if someone has access to have a look at theese passwords, then you also have other problems... maybe it would be good to use an encryption for the clear text passwords (same with the sql user passwords).

/J

[ghislain]

of course the best is to use salted sha1 (md5 or sha1 without salt is vulnerable to rainbow table attacks). Postfix and courier seems to be able to handle this via the query in the DB you make in the cf.

Of course having the setup in flat file is a big win as when mysql dies the mails continues to work

i do not know how it can be handled, of course files means better reliability to problems in mysql but means harder work for the control panel (sync between the files and the db ).

you have:

1/ postfix
2/ courier
3/ spamassassin/amavis (?)
4/ others (?)

all those should be able to work together with one user base. With all the vulnerability that appears, having password hashed in mysql makes it less likely that a cross scripting issue somewhere can lead to the passwords disclosure.

Perhaps the authentification could be done with pam localuser using a separate shadow file (and not the system one via the file parameter) with the rest of the data like quotas or spam settings in the db. Another big win with pam is that it can be altered to use pam_ldap or other without needing to touch the mail daemon configuration themselves.

arg, it seems rather complicated to do it right

regards,
ghislain.

[ispcomm]

I would cast my vote in favor of clear text passwords.

There's a very good reason to have clear text passwords on the server: This is because most challenge/response ways for autentication (cram-md5 etc) need to have the clear-text password to compute the hashes which are exchanged on the network (in clear).

Having an encrypted password to start with will limit the authentication mechanisms to plain old "plain-text" which means that the password is sent in clear on an (almost surely) unprotected channel (pop3/imap/smtp).

It's much better to have the password hashes on the network and clear passwords on the server than viceversa.

Also... if someone can peek in your databases and flat files on the server you're already in trouble beyound the simple clear passwords.

ispcomm.