Solved

UW-IMAPS - is my password safe?

Posted on 2004-09-13
Last Modified: 2010-04-22
I currently have UW IMAPS installed on my RedHat9 based system and would like to know whether my username and password are being sent in clear text before encryption is started. I've searched with Google, checked out the UW FAQs and can't seem to find a definitive answer.
I can't say I know the exact process or options available during an IMAPS session and need help. My email client (Mozilla Thunderbird) gives a secure connection option (the TLS), which works fine, and also a secure authentication option, which doesn't - a message is displayed informing me the server does not support secure authentication. I don't really mind, as long as my password is encrypted.

Is it?!

Thanks for anyone who can help.

Stuart
Question by: csalinger

5 Comments

Accepted Solution by: jlevie (earned 125 total points)
ID: 12043070
If you've configured your mail client to use TLS and that is working, your username & password are being transmitted within the encrypted session and are thus safe.

Secure passwords (CRAM-MD5, DIGEST-MD5) don't work with the UWash IMAP implementation when using the Linux passwd/shadow file for user info. To be able to offer secure passwords the IMAP server's auth mechanism needs additional password info that can't be had from the encrypted password in the shadow file.

Author Comment by: csalinger
ID: 12046292
I see. The mail client has only the one option for secure connection - ssl (listed in brackets), which I assume is being used as tls (I don't know much about them, but I know tls is based on ssl), as the smtp options allow selection between tls and ssl, so the client supports it for smtp. I hope I explained that properly and didn't confuse you.

I suppose there is no reason for me to want to use cram-md5 or digest-md5 for passwords if they are already encrypted?

If I did, would I have to rebuild UW-IMAP or can I edit a config file somewhere (the information on UW website is a little sparse on specifics as it is a 'plug and play' server)?

Thanks very much for your response - it has answered my initial question

:)

Stuart

Author Comment by: csalinger
ID: 12046896
I've managed to get the cram-md5 working now - I had my file named incorrectly, such an amateur mistake! cram-md5 instead of cram-md5.pwd

Works fine with secure auth and connection now - thanks!

I'd still like to know whether or not there is any benefit to this, other than being able to have a different login password to email

Stuart

Expert Comment by: jlevie
ID: 12047217
Within an encrypted IMAP, POP, or SMTP connection there's little advantage to using CRAM-MD5 or DIGEST-MD5, since the entire transaction is encrypted. The advantage of those methods is when you aren't using an SSL/TLS connection. There the username and password are exposed when using PLAIN or LOGIN as the method.
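
To make the two points in jlevie's answers concrete (CRAM-MD5 keeps the password off the wire, but a server that only has the one-way hashes in /etc/shadow cannot offer it), here is an added Python example that is not from this thread or from UW-IMAP; the shadow-style entry is a constructed stand-in for crypt(3), and the sample user and challenge are the worked example from RFC 2195.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Optional

# Client side of CRAM-MD5 (RFC 2195): the server sends a one-time challenge and
# the client answers "<user> " + hex(HMAC-MD5(key=password, msg=challenge)).
# IMAP base64-encodes both lines on the wire; the password itself is never sent.
def cram_md5_response(username: str, password: str, challenge: bytes) -> str:
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return f"{username} {digest}"

# Server side: verifying means recomputing the digest, so the server needs the
# cleartext password (UW-IMAP reads it from cram-md5.pwd rather than /etc/shadow).
def cram_md5_verify(response: str, challenge: bytes,
                    lookup_cleartext: Callable[[str], Optional[str]]) -> bool:
    username, _, digest = response.partition(" ")
    password = lookup_cleartext(username)
    if password is None:
        return False
    expected = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)

# Stand-in for a shadow-file entry (constructed: salted one-way hash, not the real
# crypt(3) format). It can check a password that arrives in clear via PLAIN/LOGIN,
# but it cannot give the password back, so CRAM-MD5 cannot be served from it.
def shadow_entry(password: str, salt: Optional[str] = None) -> str:
    salt = salt or secrets.token_hex(8)
    return salt + "$" + hashlib.sha256((salt + password).encode()).hexdigest()

def shadow_verify_plain(entry: str, password: str) -> bool:
    return hmac.compare_digest(entry, shadow_entry(password, entry.partition("$")[0]))

# Constructed sample data, using the worked example from RFC 2195 (user "tim").
CHALLENGE = b"<1896.697170952@postoffice.reston.mci.net>"
CRAM_PWD_FILE = {"tim": "tanstaaftanstaaf"}              # cram-md5.pwd style store
SHADOW_FILE = {"tim": shadow_entry("tanstaaftanstaaf")}  # shadow style store

def demo() -> dict:
    resp = cram_md5_response("tim", CRAM_PWD_FILE["tim"], CHALLENGE)
    return {
        "response": resp,  # "tim b913a602c7eda7a495b4e6e7334d3890"
        "cram_ok": cram_md5_verify(resp, CHALLENGE, CRAM_PWD_FILE.get),
        # a shadow entry can never yield the cleartext, so the server must refuse
        "cram_from_shadow": cram_md5_verify(resp, CHALLENGE, lambda _u: None),
        "plain_via_shadow": shadow_verify_plain(SHADOW_FILE["tim"], "tanstaaftanstaaf"),
        "password_on_wire": "tanstaaftanstaaf" in resp,
    }
```

Without TLS, the only thing an observer sees of a CRAM-MD5 login is the username and a per-challenge digest; with TLS both PLAIN/LOGIN and CRAM-MD5 travel inside the encrypted session, which is why jlevie calls the gain small there.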

Author Comment

by:csalinger
ID: 12047279
Thank you very much for your time and explanation

Stuart