Hi,

Mail setup: qmail + vpopmail 5.5.27 + dovecot

Over the years, we didn't store cleartext versions of passwords. Some time ago, we wanted to change that setup, and since that time we have used vpopmail compiled without the option --disable-clear-passwd, but now with the option --enable-learn-passwords. Step by step, we wanted to get users' passwords (we discussed that issue here on the list about 2 years ago). The reason was that we wanted to change our mail setup (postfix+dovecot). But that did not work, meaning the cleartext version of the password wasn't stored. Everything else was working fine, and so I didn't change anything.

This was a big mistake, because since that time, all vpopmail mailboxes could be accessed with an empty password string, at least if the clients were using CRAM or DIGEST authentication.

I know about the misconfigured vpopmail, but I think this behavior isn't as expected. In the documentation of the option --disable-clear-passwd it is explained that this option causes vpopmail to store cleartext versions of passwords in _addition_ to their encrypted versions, and so I think the described behavior is at least a security leak.

regards
Christoph
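One way the behaviour reported in the message above can arise in a challenge-response verifier, with a guard and an audit check, as an added example that is not part of the original post and is not vpopmail or dovecot code. The "user:crypt_hash:cleartext" record layout, the sample records and all function names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample records in an assumed "user:crypt_hash:cleartext" layout.
# alice has a stored cleartext secret; bob's cleartext was never learned.
SAMPLE_RECORDS = [
    "alice:$1$constructed$hashA:correct horse",
    "bob:$1$constructed$hashB:",
]

def load_accounts(lines):
    """Map user -> stored cleartext secret ('' when none was stored)."""
    accounts = {}
    for line in lines:
        user, _crypt_hash, clear = line.rstrip("\n").split(":", 2)
        accounts[user] = clear
    return accounts

def cram_md5_digest(secret, challenge):
    """CRAM-MD5 (RFC 2195) digest: HMAC-MD5 keyed with the shared secret."""
    return hmac.new(secret.encode(), challenge.encode(), hashlib.md5).hexdigest()

def verify_naive(accounts, user, challenge, response):
    """Flawed check: an empty stored secret is accepted as a valid HMAC key."""
    if user not in accounts:
        return False
    expected = cram_md5_digest(accounts[user], challenge)
    return hmac.compare_digest(expected, response)

def verify_hardened(accounts, user, challenge, response):
    """Refuse challenge-response auth when no cleartext secret is stored."""
    secret = accounts.get(user)
    if not secret:  # missing user or empty secret: fail closed
        return False
    expected = cram_md5_digest(secret, challenge)
    return hmac.compare_digest(expected, response)

def accounts_without_cleartext(accounts):
    """Audit helper: users for whom CRAM/DIGEST must not be offered."""
    return sorted(user for user, secret in accounts.items() if not secret)
```

Running accounts_without_cleartext over the real account store before advertising CRAM or DIGEST mechanisms shows which mailboxes would be affected.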