Thanks for the quick update. > > Besides, there is sadly no '--password' parameter available. This is > > useful for using msmtp from an external program such as mutt, while > > not saving the password in any clear file. So I added support for the > > '--password' parameter. Quite simple in fact, and seems to work > > pretty well. > > The problem with this option is that it shows up in process lists (via > the ps utility, in /proc, and via several system calls), so it would > be unsafe to use. I did not push this part of your patch.
Isn't it possible to see the result of the command passed to passwordeval anyway? The command result is retrieved from a pipe -- popen in get_password_eval(...) function -- so I guess it is possible to get the content of the pipe, which is the clear password... Perhaps I'm wrong here, tell me. > With --passwordeval, it should be possible to use secure password > storage (keyring or encrypted files or something else) and still give > the password on the command line. The problem here is that gpg will fail when called from mutt. I did not manage to find any convenient solution for using msmtp from mutt while keeping the password encrypted at the same time. The the only solution I've found at the moment is to patch msmtp to support the --password parameter. Of course it is not 100% safe, but like I said before, I don't know if --passwordeval is safer anyway. But I guess the only security flaw would be on a machine with SSH access. Tell me if you have some detailed explainations about the possible flaws, and if you have any smart solution for mutt. Thanks. Cheers Pierre ------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ _______________________________________________ msmtp-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/msmtp-users
