Current time: 12-23-2024, 09:43 PM Hello There, Guest! (LoginRegister)


Post Reply 
Encrypted passwords for Mail and Mysql
Author Message
SniperSister Offline
Junior Member
*

Posts: 22
Joined: Feb 2007
Reputation: 0
Post: #1
Encrypted passwords for Mail and Mysql
Hey guys,

at first: Thank you for your great work! I'm currently testing Omega on my new server and I'm very happy with it. Currently stats aren't working, but i hope this will be fixed in the upcoming stable release.
Btw: If you need help - i would be happy if I can help you.

There's only one thing which shocked me a bit:
Why are the MySQL and Mail passwords stored as plaintext in the database? At least Courier should support md5-encrypted passwords and I don't understand why the MySQL-Passworts have to be saved as plaintext.

Maybe I'm under a misapprehension 'cause i don't have a complete overview about the code but I think it should be much more secure when the passwords aren't saved in plaintext.

Best regards
David
03-05-2007 04:12 AM
Visit this user's website Find all posts by this user Quote this message in a reply
RatS Offline
Project Leader
******

Posts: 1,854
Joined: Oct 2006
Reputation: 17
Post: #2
RE: Encrypted passwords for Mail and Mysql
The passwords aren't encrypted that's right. But Postfix isn't working with encrypted passwords (as far as I know). MD5 is NO encryption (only a Hash function) and it's NOT secure. You can create a collision!

In later releases we will boost the level of security; however there is no lack, if the admin has selected a SECURE password for MySQL control!
03-05-2007 09:15 AM
Visit this user's website Find all posts by this user Quote this message in a reply
SniperSister Offline
Junior Member
*

Posts: 22
Joined: Feb 2007
Reputation: 0
Post: #3
RE: Encrypted passwords for Mail and Mysql
I just converted my plaintext password into an md5 hash and postfix is working quite well...so at least postfix should work without any problems.

The question "Why encrypting those passwords" is very easy to answer: Most of the people are using the same password for their Bank-Account, their Ebay-Account, their Mailaccount etc...
So when somebody gets access to the database, he can read out all customers passwords - and with a bit luck - he gets access to their bank or mail accounts.

The advantage of md5 is that you can't reconvert it into a plaintext password - it's more or less worthless for a hacker. You can use it to authenticate your customers by comparing the md5 hash of the entered password with the md5 hash stored in the database.
03-05-2007 04:19 PM
Visit this user's website Find all posts by this user Quote this message in a reply
kilburn Offline
Development Team
*****
Dev Team

Posts: 2,182
Joined: Feb 2007
Reputation: 34
Post: #4
RE: Encrypted passwords for Mail and Mysql
IMHO it would be a good thing, because even if collisions can be created (not a trivial work!) the attacker will never really know the password. In fact, tinkering MD5 collisions to access a users data would be something stupid if you can access vhcs's database and just create/modifiy accounts!
03-05-2007 05:12 PM
Visit this user's website Find all posts by this user Quote this message in a reply
RatS Offline
Project Leader
******

Posts: 1,854
Joined: Oct 2006
Reputation: 17
Post: #5
RE: Encrypted passwords for Mail and Mysql
I'll see, what to do! Thanks for reply.
03-05-2007 06:40 PM
Visit this user's website Find all posts by this user Quote this message in a reply
BioALIEN Offline
Public Relations Officer
*****
Dev Team

Posts: 620
Joined: Feb 2007
Reputation: 5
Post: #6
RE: Encrypted passwords for Mail and Mysql
+1 to the points raised in this topic. Never use plain passwords - im sure security and privacy issues come into question. RatS, I hope you can engineer a solution Smile
03-05-2007 09:44 PM
Find all posts by this user Quote this message in a reply
tcs Offline
Junior Member
*

Posts: 10
Joined: Feb 2007
Reputation: 0
Post: #7
RE: Encrypted passwords for Mail and Mysql
You have to use Cyrus-SASL iirc. What I had to do was to configure servers to use that socket, I'll check that later when I'm at home and post my configuration.

Cheers

tcs
03-05-2007 11:53 PM
Visit this user's website Find all posts by this user Quote this message in a reply
Kermit Offline
Junior Member
*

Posts: 75
Joined: Jan 2007
Reputation: 0
Post: #8
RE: Encrypted passwords for Mail and Mysql
This is a not trivial topic in fact. Anycase let me raise a hand for Ephigenie and RatS. There is a lot of very strange issues in some old releases of Postfix/Cyrus-SASL and PAM (often parts of the virtual-mail system) that prevent admins to use ecnrypted or hashed passwords.

I had the same problem on SuSE < 10.0: I built a self-configured virtual accounting system for my mail customers and there has been NO WAY to let Postfix/SASL read the passwords stored in other than plain-text. Sad

Sad but true...

Anycase if MD5 works this could be a good boost to security and even privacy.
Thanks a lot!!!
03-06-2007 12:11 AM
Visit this user's website Find all posts by this user Quote this message in a reply
ephigenie Offline
Project Leader
*******
Administrators

Posts: 1,578
Joined: Oct 2006
Reputation: 15
Post: #9
RE: Encrypted passwords for Mail and Mysql
yeah we're aware of that.

And let me assure you, that we will think about how to change it.
But for now we've to make the "basic" things work Wink

The mail system has to be completely rewritten - i know that courier can handle crypted passwords, well - just I've to take a look at postfix.
03-06-2007 01:43 AM
Visit this user's website Find all posts by this user Quote this message in a reply
SniperSister Offline
Junior Member
*

Posts: 22
Joined: Feb 2007
Reputation: 0
Post: #10
RE: Encrypted passwords for Mail and Mysql
ephigenie Wrote:And let me assure you, that we will think about how to change it.
But for now we've to make the "basic" things work Wink
No problem, i just wanted to put your attention to this lack of privacy and security. If you need any help with making the basic stuff working feel free to ask Wink

Best regards
David
03-06-2007 02:09 AM
Visit this user's website Find all posts by this user Quote this message in a reply
Post Reply 


Forum Jump:


User(s) browsing this thread: 3 Guest(s)