From: Peter P. <ro...@ri...> - 2018-12-12 16:53:49
On Wed, Dec 12, 2018 at 11:17:12AM -0500, Gene Heskett wrote:
> On Wednesday 12 December 2018 08:07:05 Bjoern Voigt wrote:
> > Matthias Andree wrote:
> > > Regarding plaintext password storage, you don't have to, but
> > > fetchmail had originally been written for end-user consumption and
> > > not high-grade datacenter use.
> >
> > Yes, you know the historical requirements for Fetchmail. But what do you
> > think now about unencrypted passwords in Fetchmail?
> >
> > I think that datacenters are much more secure than the mobile devices
> > (e.g. laptops) of average Linux users. Also, SOHO servers and NAS devices
> > are often not secured very well.
> >
> > Of course, long-term Linux users (I also started in 1996) may still
> > think that unencrypted passwords in a file with -rw-------
> > permissions are "safe enough". In fact this is somehow true for
> > multi-user computers in secure locations where normal users have no
> > root rights and where the root users are trustworthy.
> >
> > But do we still have to discuss unencrypted passwords at the end
> > of 2018? Auditors could laugh at us.
>
> They may do worse than that, but it's the mail server admins at your ISP
> who will have to push for it to gain any real traction. Welcome to
> the facts of life. :)
>
> Besides, in transit, it's still clear text to those who want to spoof it;
> all they have to do is copy it in passing, so there will be no difference
> in the security level until the ISP's server sends the encryption std
> the client is to use today, and rotates it frequently. Daily might be
> reasonable; hourly would tend to load up the server with 10000 accounts.
> Even that, to a determined hacker, is only a minor problem and we all
> know it.

I think you're talking at cross purposes.

I believe that Bjoern and Matthias are discussing whether the password should be stored in the ~/.fetchmailrc file in plain text, so that anybody with access to the user's account would be able to look at the file and see it, or whether fetchmail should ask another program to provide it with the password only when it is needed.

Gene, you seem to be talking about whether the password, once fetchmail has obtained it somehow, should be sent over the network in plaintext; I believe that this is usually handled by instructing fetchmail to negotiate a TLS/SSL connection with the mail server. If there are any ISPs that do not provide this option to their users in 2018, that's... troubling.

G'luck,
Peter

-- 
Peter Pentchev  roam@{ringlet.net,debian.org,FreeBSD.org}
pp...@st...
PGP key:        http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint 2EE7 A7A5 17FC 124C F115 C354 651E EFB0 2527 DF13
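The two concerns Peter separates above (what sits in ~/.fetchmailrc, and whether the session is asked to use TLS) can be checked mechanically. The script below is an added example, not code from this thread or from fetchmail itself; it assumes GNU or BSD `stat`, the fetchmailrc keywords `password`/`pass`, `ssl` and `sslproto`, and a constructed sample file.

```shell
#!/bin/sh
# Added audit helper (not fetchmail's own code). It checks a fetchmailrc for
# the two things the thread separates: what is stored in the file, and whether
# each poll entry asks for TLS.
#   1. file mode wider than -rw------- (0600)
#   2. a plaintext "password"/"pass" literal inside the file
#   3. a poll entry with no explicit "ssl" or "sslproto" keyword
# One finding per output line; the function itself always exits 0.
audit_fetchmailrc() {
    rc="$1"
    # GNU stat first, BSD/macOS stat as the fallback; both print octal bits
    mode=$(stat -c '%a' "$rc" 2>/dev/null || stat -f '%Lp' "$rc")
    case "$mode" in
        600|400) ;;   # owner-only, the -rw------- convention the thread mentions
        *) echo "$rc: mode $mode is wider than 0600" ;;
    esac
    # Drop comments first so a commented-out password is not reported.
    # (Heuristic: a '#' inside a quoted value is dropped as well.)
    body=$(sed 's/#.*//' "$rc")
    if printf '%s\n' "$body" | grep -Eq '(^|[[:space:]])pass(word)?[[:space:]]'; then
        echo "$rc: plaintext password literal stored in the file"
    fi
    # Each "poll" keyword opens a server entry that may span several lines;
    # remember the host and whether any line of that entry requested TLS.
    printf '%s\n' "$body" | awk -v rc="$rc" '
        /(^|[ \t])poll[ \t]/ {
            if (host != "" && !tls) print rc ": " host " polled with no explicit ssl/sslproto"
            host = $2; tls = 0
        }
        /(^|[ \t])ssl(proto)?([ \t]|$)/ { tls = 1 }
        END { if (host != "" && !tls) print rc ": " host " polled with no explicit ssl/sslproto" }'
}

# Demo on a constructed sample that is weak on purpose: mode 644, password in
# the file, no ssl keyword. Expect three findings.
demo=$(mktemp)
printf 'poll mail.example.net proto imap\n  user "alice" password "hunter2"\n' > "$demo"
chmod 644 "$demo"
audit_fetchmailrc "$demo"
rm -f "$demo"
```

The third check only says that an entry does not ask for TLS explicitly; whether a given fetchmail release upgrades the session anyway depends on its defaults, so treat the finding as a prompt to make the setting explicit.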