It isn't my intention to offend either of you, as Xmail and Xmail-WAI are 
great programs.  My focus is more on security, and I do in fact have a 
firewall with VPN and am somewhat knowledgeable about the various 
encryptions/etc.  No matter how secure a system is, or I think it is, I 
just always have a concern with passwords stored in any file 
plain-text.  It is difficult to feel 100% confident that nobody will ever 
get access to that file, and then if the people with those passwords reused 
them anywhere, it could open many other doors.

I was previously using QPopper with sasl and apop configured in 
Linux.  Now, I was quite happy to see your Win2K implementations, and this 
is why I switched over.  QPopper did have an option to force users to use 
APOP or other methods, so I was inquiring about this.  Perhaps in a future 
release it might be an option to consider.

Now I understand your responses and there are reasons for the plain-text at 
this time.  I would encourage you and others though to use hashes as you 
have in Xmail if possible, but always try and avoid leaving passwords in 
files, no matter how secure the file system appears.  You just never know 
what Microsoft/other vulnerability will show up next.

Thanks for all your work thus far,

... Jason Badry

At 04:25 PM 3/14/2002 -0800, you wrote:
>On Fri, 15 Mar 2002, Michal Altair Valasek wrote:
>
> > | very concerned about having my Xmail and Xmail-WAI admin passwords in
> > | plain-text in the config.xml file.
> >
> > These passwords must be in script usable form, which means plain text.
> > Every other solution is too complicated. If you would follow my
> > directions, access to config.xml by an intruder needs such a high level of
> > control over your server that the Xmail compromise would be the
> > smallest of your problems.
> >
> > | Xmail-WAI also displays the user's
> > | password in plain-text when they are logged in.  This seems
> > | very insecure to me.
> >
> > HTTP communication itself is insecure, so everything above is
> > irrelevant. I recommend using SSL (HTTPS) for all mission critical web
> > apps.
>
>If you're picky about security you can use stunnel to build a virtual
>SSL circuit
>
>- Davide
>
>
>-
>To unsubscribe from this list: send the line "unsubscribe xmail" in
>the body of a message to [EMAIL PROTECTED]
>For general help: send the line "help" in the body of a message to
>[EMAIL PROTECTED]

-
To unsubscribe from this list: send the line "unsubscribe xmail" in
the body of a message to [EMAIL PROTECTED]
For general help: send the line "help" in the body of a message to
[EMAIL PROTECTED]
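As an added illustration of the hashing approach discussed above (example code, not part of Xmail or Xmail-WAI, and the config layout is a constructed stand-in for config.xml): a web interface can keep only a salted PBKDF2 hash of the admin password it verifies at login, so the file never holds the plaintext. This only applies to passwords the program checks; a credential the program must itself present to another service, the case Michal describes, still has to be recoverable and cannot be stored as a hash.

```python
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from typing import Optional

ITERATIONS = 200_000  # assumed work factor; raise it as hardware allows


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing 'pbkdf2_sha256$iters$salt$hash' string (base64 fields)."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (
        ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algo, iters, salt_b64, hash_b64 = stored.split("$")
    except ValueError:
        return False  # malformed entry: reject rather than guess
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(hash_b64)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iters))
    return hmac.compare_digest(dk, expected)


def build_config(user: str, password: str) -> str:
    """Constructed stand-in for a config.xml: the admin entry carries only the hash."""
    root = ET.Element("config")
    ET.SubElement(root, "admin", user=user, password=hash_password(password))
    return ET.tostring(root, encoding="unicode")


def check_login(config_xml: str, user: str, password: str) -> bool:
    """Verify a web-interface login against the stored hash; plaintext is never kept."""
    root = ET.fromstring(config_xml)
    for admin in root.iter("admin"):
        if admin.get("user") == user:
            return verify_password(password, admin.get("password", ""))
    return False
```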
