Solved

UW-IMAPS - is my password safe?

Posted on 2004-09-13
Last Modified: 2010-04-22
I currently have UW IMAPS installed on my RedHat9 based system and would like to know whether my username and password are being sent in clear text before encryption is started.  I've searched with Google, checked out the UW FAQs and can't seem to find a definitive answer.
I can't say I know the exact process or options available during an IMAPS session and need help.  My email client (Mozilla Thunderbird) gives a secure connection option (the TLS) which works fine and also a secure authentication, which doesn't - a message is displayed informing me the server does not support secure authentication.  I don't really mind, as long as my password is encrypted.

Is it?!

Thanks to anyone who can help.

Stuart
Question by:csalinger
LVL 40

Accepted Solution

by:
jlevie earned 125 total points
ID: 12043070
If you've configured your mail client to use TLS and that is working, your username & password are being transmitted within the encrypted session and are thus safe.

Secure passwords (CRAM-MD5, DIGEST-MD5) don't work with the UWash IMAP implementation when using the Linux passwd/shadow file for user info. To be able to offer secure passwords the IMAP server's auth mechanism needs additional password info that can't be had from the encrypted password in the shadow file.
0
 

Author Comment

by:csalinger
ID: 12046292
I see.  The mail client has only the one option for secure connection - SSL (listed in brackets), which I assume is being used as TLS (I don't know much about them, but I know TLS is based on SSL), as the SMTP options allow selection between TLS and SSL, so the client supports it for SMTP.  I hope I explained that properly and didn't confuse you.

I suppose there is no reason for me to want to use CRAM-MD5 or DIGEST-MD5 for passwords if they are already encrypted?

If I did, would I have to rebuild UW-IMAP or can I edit a config file somewhere (the information on UW website is a little sparse on specifics as it is a 'plug and play' server)?

Thanks very much for your response - it has answered my initial question.

:)

Stuart
0
 

Author Comment

by:csalinger
ID: 12046896
I've managed to get the CRAM-MD5 working now - I had my file named incorrectly, such an amateur mistake! cram-md5 instead of cram-md5.pwd

Works fine with secure auth and connection now - thanks!

I'd still like to know whether or not there is any benefit to this, other than being able to have a different login password to email.

Stuart
0
 
LVL 40

Expert Comment

by:jlevie
ID: 12047217
Within an encrypted IMAP, POP, or SMTP connection there's little advantage to using CRAM-MD5 or DIGEST-MD5 since the entire transaction is encrypted. The advantage to those methods is when you aren't using an SSL/TLS connection. There the username and password are exposed when using PLAIN or LOGIN as the method.
0
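
An added example, not part of the thread and not UW IMAP's code: the CRAM-MD5 exchange (RFC 2195) next to AUTH PLAIN, to show why the server must hold the shared secret itself (a separate store such as the cram-md5.pwd file mentioned in the thread) and why PLAIN depends on TLS. The user, secret and challenge are the RFC 2195 test vector; the hashed store is a constructed stand-in for a one-way password hash.

```python
import base64
import hashlib
import hmac

# Test vector from RFC 2195 section 2 (user, shared secret, server challenge).
USER = "tim"
SECRET = "tanstaaftanstaaf"
CHALLENGE = "<1896.697170952@postoffice.reston.mci.net>"


def cram_md5_response(user, secret, challenge):
    """Client side: keyed digest of the challenge; the secret is never sent."""
    digest = hmac.new(secret.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode()).decode()


def cram_md5_verify(response_b64, challenge, secrets):
    """Server side: recompute the digest, which needs the plaintext secret."""
    user, _, digest = base64.b64decode(response_b64).decode().rpartition(" ")
    secret = secrets.get(user)
    if secret is None:
        return False
    expected = hmac.new(secret.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def plain_initial_response(user, password):
    """AUTH PLAIN (RFC 4616): authzid NUL authcid NUL password, base64-encoded."""
    return base64.b64encode(f"\0{user}\0{password}".encode()).decode()


def decode_plain(blob_b64):
    """What anything on the path sees in AUTH PLAIN when TLS is not in use."""
    _, user, password = base64.b64decode(blob_b64).split(b"\0")
    return user.decode(), password.decode()


if __name__ == "__main__":
    resp = cram_md5_response(USER, SECRET, CHALLENGE)
    print("CRAM-MD5 response:", resp)
    # A store holding the shared secret verifies the response.
    print("plaintext store  :", cram_md5_verify(resp, CHALLENGE, {USER: SECRET}))
    # A one-way hash of the password (constructed stand-in) cannot.
    hashed = hashlib.sha256(SECRET.encode()).hexdigest()
    print("hashed store     :", cram_md5_verify(resp, CHALLENGE, {USER: hashed}))
    print("PLAIN decoded    :", decode_plain(plain_initial_response(USER, SECRET)))
```

The trade-off is that the CRAM-MD5 secret store is password-equivalent on disk, so it needs tight file permissions.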
 

Author Comment

by:csalinger
ID: 12047279
Thank you very much for your time and explanation.

Stuart
0
