LOL - knowing the plaintext password doesn't help you prevent the issue... but it did let me know the level of stupidity of the user in question! :)

A throttle on qmail-remote (based on user) would be awesome (think: godaddy allows email users only 250 messages a day without a "reset" being required).

I also posted a note in the devel list -- I think we should at least TRY to plug the security hole wherein an authenticated user can send as anyone.

Dan

On 3/27/2014 8:22 PM, Eric Shubert wrote:
On 03/27/2014 04:59 PM, Dan McAllister wrote:
So, I'm looking in my SMTP logs (submission, actually) and was able to
find the offending user (dumbass had a password of "123" -- another
reason for KEEPING the plaintext passwords available, just limited access!)

I fail to see how storing passwords in plain text would've changed this situation at all. Bottom line, you found the offending account and changed the password. This is the scenario that happens regardless of the strength or limited knowledge of a password.

Keep in mind, in the event that a vpopmail database with clear text passwords is compromised, then *all* of the passwords are compromised. That's a possibility I think most of us would like to prohibit if possible.

Was fail2ban in place? That would likely have prohibited even that simple password from being hacked. If fail2ban is in place, then I would suspect that the password is not kept secure in some other manner (post-it note on the terminal, for example).

Anywise, glad you found the culprit. I'm still planning on putting a throttle on qmail-remote one of these days. I've got specs written for the thing. Just need some time to write the code.
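The two controls the thread talks about, a per-user daily send cap (the 250-messages-a-day figure) and a check that an authenticated user can only send as their own account, sketched as a submission policy hook. This is an added illustration, not code from qmail-remote, vpopmail or QmailToaster; the records it replays are constructed sample data, and `SubmissionPolicy` and `replay` are hypothetical names.

```python
from collections import defaultdict
from datetime import datetime, timedelta

DAILY_LIMIT = 250  # per-user daily cap, the figure mentioned in the thread


class SubmissionPolicy:
    """Per-user 24h sliding-window quota plus an envelope-sender check.

    Hypothetical policy hook; not qmail-remote's or vpopmail's own code.
    """

    def __init__(self, limit=DAILY_LIMIT, window=timedelta(hours=24)):
        self.limit = limit
        self.window = window
        self.accepted = defaultdict(list)  # auth user -> timestamps of accepted mail

    def check(self, auth_user, mail_from, now):
        # Close the "authenticated user can send as anyone" hole: the envelope
        # sender must match the account that authenticated on the submission port.
        if mail_from.lower() != auth_user.lower():
            return "spoof"
        recent = [t for t in self.accepted[auth_user] if t > now - self.window]
        self.accepted[auth_user] = recent
        if len(recent) >= self.limit:
            return "quota"  # over the daily cap: hold/deny and alert the admin
        recent.append(now)
        return "ok"


def replay(records, limit=DAILY_LIMIT):
    """Run (auth_user, mail_from, timestamp) records through the policy in time order."""
    policy = SubmissionPolicy(limit)
    counts = defaultdict(lambda: defaultdict(int))
    for auth_user, mail_from, ts in sorted(records, key=lambda r: r[2]):
        counts[auth_user][policy.check(auth_user, mail_from, ts)] += 1
    return {user: dict(verdicts) for user, verdicts in counts.items()}


def constructed_records():
    """Constructed sample: one normal user and one compromised account blasting mail."""
    base = datetime(2014, 3, 27, 0, 0, 0)
    recs = [("alice@example.com", "alice@example.com", base + timedelta(minutes=10 * i)) for i in range(20)]
    recs += [("weak@example.com", "weak@example.com", base + timedelta(seconds=20 * i)) for i in range(400)]
    recs.append(("weak@example.com", "ceo@example.com", base + timedelta(hours=3)))  # forged sender
    return recs


if __name__ == "__main__":
    for user, verdicts in replay(constructed_records()).items():
        print(user, verdicts)
```

A "quota" or "spoof" verdict on a real submission log is exactly the signal that would have surfaced the weak-password account before it burned through the outbound queue.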


