Damon Muller wrote:
> 
> On Tue, Jan 16, 2001 at 06:08:56AM +0000, Tim Hassan wrote:
> 
> > No matter how long you set the password to when adding a new user, only the
> > first 8 characters of the password are used. So for example, if I do:
> >
> > ./vadduser [EMAIL PROTECTED] this-is-hard-to-guess-234234235-23423
> >
> > and then I try to log in to my email as user "test" and password "this-is-",
> > it would let me in.
> 
> This is standard Unix crypt behaviour. Unless you are using MD5
> passwords on your system (or Blowfish, I believe, on OpenBSD), then
> your system accounts will show the same behaviour.
> 
> Even an 8-character password, provided it is sufficiently complex, will
> probably prove unreasonably difficult to break.
> 
> There is probably a way to force vpopmail to use MD5 if the system
> supports it. Anyone know what it is?
> 
> Better still, do all your mail transfer over an encrypted SSH tunnel
> (the fetchmail docs show you how to do it with fetchmail, it's very
> simple). Unless you are using APOP (not well supported in vpopmail,
> IIRC), your password is going over the network in clear-text anyway.

Could you post a URL to the fetchmail docs on ssh tunnel?

Or better yet post the startup line for tcpserver/vpopmail/ssh tunnel.

I can add it to the vpopmail FAQ file.

Ken Jones
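
An added example (not part of the messages above and not vpopmail code): a Python sketch that classifies stored password hashes by crypt scheme and flags the traditional-crypt entries, for which only the first 8 characters of the password count. The passwd-style file layout, the sample entries and the function names are assumptions constructed for illustration.

```python
import re

# Hash shapes: traditional DES crypt is 13 chars with no "$" prefix;
# MD5 crypt starts with $1$, bcrypt (OpenBSD Blowfish) with $2a$/$2b$/$2y$.
SCHEMES = [
    ("des-crypt", re.compile(r"^[./0-9A-Za-z]{13}$")),
    ("md5-crypt", re.compile(r"^\$1\$[^$]{1,8}\$[./0-9A-Za-z]{22}$")),
    ("bcrypt", re.compile(r"^\$2[abxy]?\$\d\d\$[./0-9A-Za-z]{53}$")),
]

# Constructed sample in an assumed "name:hash:uid:gid:gecos:dir" layout.
# The hash strings are placeholders with the right shape, not real hashes.
SAMPLE = """\
test:abCDEFGHIJKLM:1:0:Test:/srv/mail/test
alice:$1$Xy3kQ9aB$0123456789abcdefghijk.:1:0:Alice:/srv/mail/alice
bob:$2a$10$abcdefghijklmnopqrstuuABCDEFGHIJKLMNOPQRSTUVWXYZ01234:1:0:Bob:/srv/mail/bob
carol:!locked:1:0:Carol:/srv/mail/carol
"""

def classify(stored):
    """Return the crypt scheme name for a stored hash field."""
    for name, pattern in SCHEMES:
        if pattern.match(stored):
            return name
    return "unknown"

def effective_password(password, scheme):
    """Part of the password that traditional crypt actually hashes."""
    # Only the DES case is modelled; other schemes are returned unchanged
    # (bcrypt's own 72-byte limit is not modelled here).
    return password[:8] if scheme == "des-crypt" else password

def audit(text):
    """Return (user, scheme, truncates_at_8) for each passwd-style line."""
    findings = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 2 or line.startswith("#"):
            continue
        scheme = classify(fields[1])
        findings.append((fields[0], scheme, scheme == "des-crypt"))
    return findings

if __name__ == "__main__":
    for user, scheme, truncated in audit(SAMPLE):
        note = "only first 8 characters checked" if truncated else ""
        print(f"{user:8} {scheme:10} {note}")
```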
