On Tue, 11 Oct 2022, Serveria Support wrote:
I'm sorry but I wasn't able to find src/config/all-settings.c file.
all-settings.h is there but all-settings.c is missing. I checked on
Github (thought maybe some files failed to extract) and it's missing
there too.
When building from git, you
> "Serveria" == Serveria Support writes:
> Yes, there is a tiny problem letting the attacker change this value back
> to yes and instantly get access to users' passwords in plain text. Apart
> from that - no problems at all. :)
Honestly, if the attacker has penetrated you to such an
I have a Dovecot/Postfix/MariaDB on a Centos, just have a user ask me:
--
I recently upgraded my Thunderbird email client and have experienced
problems since.
It appears that when Tbird polls for new messages it gets held up
waiting for a response from the server
I'm using POP
I'm sorry but I wasn't able to find src/config/all-settings.c file.
all-settings.h is there but all-settings.c is missing. I checked on
Github (thought maybe some files failed to extract) and it's missing
there too.
On 2022-10-11 22:15, Bernardo Reino wrote:
Please please stop top-posting.
Please please stop top-posting. Makes a mess of everything!
On Tue, 11 Oct 2022, Serveria Support wrote:
Ok, this is something... let me check...
If you're you referring to these pieces of code:
[...]
I'm not a programmer, let alone a C guru, but these extracts look like
password failure
Ok, this is something... let me check...
If you're you referring to these pieces of code:
if (path != NULL) {
/* log this as error, since it probably is */
str = t_strdup_printf("%s (%s missing?)", str, path);
On 11.10.22 18:04, John Tulp wrote:
in mitigating such risk, why not go for the "low hanging fruit" by
simply not storing passwords on disk in clear text ? unless there is
some reason why clear text passwords actually have to be written to
disk.
Authentication schemes like CRAM-MD5 require
On 11.10.22 17:46, Paul Kudla (SCOM.CA Internet Services Inc.) wrote:
ok according to
https://www.openssl.org/docs/man1.0.2/man5/x509v3_config.html
SAN is not a valid option along with CN
... I don't see that being said in the page you refer to?
Anyhow, "stop giving a CN, use SANs instead" is
If someone has root they can just read the email storage files, no
password needed.
We are discussing Dovecot with encrypted mail storage here.
If someone has root, and dovecot has no code showing passwords in
logs, the attacker can build THEIR OWN version of dovecot that
"key-logs" all
What i'm saying is...
if the attackers goal is only to get passwords, you will not be dealing
with a bigger problem. In that hypothetical there would not be a bigger
problem or any other problem.
the only problem is passwords leaking in that case.
The attacker goes out of their way to not
On Tue, Oct 11, 2022, 12:02 PM Tim Dickson,
wrote:
> you would want to backup your dovecot/postfix config files and mail
> certificates as well, and your database if you are using one for
> authentication, and user list, just in case.
>
>
> Almost forgot about that. Guess I should ask about
you would want to backup your dovecot/postfix config files and mail
certificates as well, and your database if you are using one for
authentication, and user list, just in case.
On 11/10/2022 16:26, justina colmena ~biz wrote:
Is that a divorce? Or else a little bit better spelling and respect
ok according to
https://www.openssl.org/docs/man1.0.2/man5/x509v3_config.html
SAN is not a valid option along with CN
CN is part of the subject ??
Upoin further testing thunderbird seems to be locking onto the primary
domain (*.scom.ca) of the server skipp any sni setup ??
again thoughts
Is that a divorce? Or else a little bit better spelling and respect for the
lady is called for? And I don't like criminals serving bogus law papers and
hacking into my mail any more than anyone else does.
On October 10, 2022 6:57:39 AM AKDT, Ian Evans wrote:
>I run a small email server for me
Yeah, it's such an obvious vulnerability, I'm kinda surprised most people here
don't see an issue with that.
What people are trying to explain is the scenario you describe requires an
attacker to have root privileges on the target server. If someone has root
access to a server then your
@Tulp - the attacker has to 0wn your server first. In which case they
will have found a password to SSH in - regardless of dovecot being there or
not.
You will be dealing with a bigger problem than dovecot.
On Tue, Oct 11, 2022 at 5:39 PM John Tulp wrote:
> I find this conversation
Bingo! Great to see some like-minded person here John!
Yeah, it's such an obvious vulnerability, I'm kinda surprised most
people here don't see an issue with that. If I were a Dovecot Pro OX
customer, I'd be very concerned with this "feature".
Imagine hacking Protonmail's server, getting
I find this conversation "interesting".
Serveria, i think some can't see the attack scenario where the
attacker's goal is simply to get email passwords, and nothing else. it
would make sense for their strategy to do nothing else "bad" on the
server to attract attention to their intrusion. In
Odhiambo Washington skrev den 2022-10-11 15:49:
If you don't store cleartext passwords in your backend, how will an
intruder get them??
auth_debug = yes
auth_debug_passwords = yes
auth_verbose = yes
auth_verbose_passwords = yes
then read log files if thats with world access
all the above
On Mon, 10 Oct 2022, Serveria Support wrote:
I checked the source code on Github and discussed this with a C developer.
There seem to be too many files... perhaps somebody can guide me where should
I look? Aki?
You should search for "given password" in the source.
Hint:
If you don't store cleartext passwords in your backend, how will an
intruder get them??
On Tue, Oct 11, 2022 at 3:45 PM Serveria Support
wrote:
> Yes, I realize that. But I can't think of a reason this password is
> necessary in the logs. It's kind of a backdoor and has to be removed
> from
ok it appears that all this revolves around openssl
does anyone have explicit instructions on how to generate a proper ssl
key, csr etc file
with the proper SAN & CN etc
i tried
# openssl req -new -nodes -newkey rsa:2048 -config ./openssl.cnf
-reqexts req_ext -keyout
hi@zakaria.website skrev den 2022-10-11 13:42:
On 2022-09-13 13:10, Benny Pedersen wrote:
hi@zakaria.website skrev den 2022-09-13 14:03:
from:from:reply-to:date:date:message-id:message-id:to:to:cc:
mime-version:mime-version:content-type:content-type:
Yes, I realize that. But I can't think of a reason this password is
necessary in the logs. It's kind of a backdoor and has to be removed
from code. Why make intruder's life easier?
On 2022-10-11 13:39, Arjen de Korte wrote:
Citeren Serveria Support :
Yes, there is a tiny problem letting the
Good morning to all
i guess things have changed yet again
to keep this simple :
i buy a certificate (example) : mail.paulkudla.net
i generated the key / csr as per normal using
data = '/usr/local/bin/openssl req -new -key /tmp/temp.key -out
/tmp/temp.csr -subj
On 2022-09-13 13:10, Benny Pedersen wrote:
hi@zakaria.website skrev den 2022-09-13 14:03:
least to must pass Signature Verification. Have anyone managed to
configure EXIM to verify more than one DKIM Signature header?
postfix smtpd_milter_maps with a list of ips that is known maillists
ips
Citeren Serveria Support :
Yes, there is a tiny problem letting the attacker change this value
back to yes and instantly get access to users' passwords in plain
text. Apart from that - no problems at all. :)
If an attacker is able to modify your Dovecot configuration, you have
bigger
Serveria Support skrev den 2022-10-11 10:44:
Yes, there is a tiny problem letting the attacker change this value
back to yes and instantly get access to users' passwords in plain
text. Apart from that - no problems at all. :)
where is this problem ?, are the attacher one with full root access
Yes, there is a tiny problem letting the attacker change this value back
to yes and instantly get access to users' passwords in plain text. Apart
from that - no problems at all. :)
On 2022-10-11 12:15, Benny Pedersen wrote:
Serveria Support skrev den 2022-10-11 10:37:
Thanks, but I suspect
Serveria Support skrev den 2022-10-11 10:37:
Thanks, but I suspect you've missed a part of this discussion
if you set all to no, is there any problem to solve ?
i am only human, not perfect
On 2022-10-11 01:25, Benny Pedersen wrote:
Serveria Support skrev den 2022-10-10 23:18:
Hi Benny,
Thanks, but I suspect you've missed a part of this discussion
On 2022-10-11 01:25, Benny Pedersen wrote:
Serveria Support skrev den 2022-10-10 23:18:
Hi Benny,
Sorry I must have missed your email. Here's the output of doveconf -P
| grep auth:
doveconf: Warning: NOTE: You can get a new clean
On Tue, Oct 11, 2022 at 11:26 AM Cristiano Deana
wrote:
> Il 10/10/2022 16:57, Ian Evans ha scritto:
>
> > is shutting down postfix and running
> > tar czf mailstorage.tgz /path/to/mail okay?
>
> remember -p to preserve permissions.
>
I have never imagined that tar requires a -p to preserve
Il 10/10/2022 16:57, Ian Evans ha scritto:
is shutting down postfix and running
tar czf mailstorage.tgz /path/to/mail okay?
remember -p to preserve permissions.
--
###
# Cristiano Deana #
# #
# Senior Network Engineer #
# Digital Response Team #
# CittaStudi
Hi!
This seems to be a bug in imapc client, we'll look into this. Thank you for
reporting this issue. It's currently tracked as DOV-5579.
Aki
> On 07/10/2022 15:38 EEST Nikolaos Pyrgiotis wrote:
>
>
> Hello,
>
> I want to make a correction on my first post. We are using version 2.3.19.1
34 matches
Mail list logo
