Solved

UW-IMAPS - is my password safe?

Posted on 2004-09-13
Last Modified: 2010-04-22
I currently have UW IMAPS installed on my RedHat9 based system and would like to know whether my username and password are being sent in clear text before encryption is started. I've searched with Google, checked out the UW FAQs and can't seem to find a definitive answer.
I can't say I know the exact process or options available during an IMAPS session and need help.  My email client (Mozilla Thunderbird) gives a secure connection option (the TLS) which works fine and also a secure authentication, which doesn't - a message is displayed informing me the server does not support secure authentication.  I don't really mind, as long as my password is encrypted.

Is it?!

Thanks to anyone who can help.

Stuart
Question by:csalinger
5 Comments
 
LVL 40

Accepted Solution

by:
jlevie earned 500 total points
ID: 12043070
If you've configured your mail client to use TLS and that is working, your username & password are being transmitted within the encrypted session and are thus safe.

Secure passwords (CRAM-MD5, DIGEST-MD5) don't work with the UWash IMAP implementation when using the Linux passwd/shadow file for user info. To be able to offer secure passwords the IMAP server's auth mechanism needs additional password info that can't be had from the encrypted password in the shadow file.
0
 

Author Comment

by:csalinger
ID: 12046292
I see. The mail client has only the one option for secure connection - SSL (listed in brackets), which I assume is being used as TLS (I don't know much about them, but I know TLS is based on SSL), as the SMTP options allow selection between TLS and SSL, so the client supports it for SMTP. I hope I explained that properly and didn't confuse you.

I suppose there is no reason for me to want to use CRAM-MD5 or DIGEST-MD5 for passwords if they are already encrypted?

If I did, would I have to rebuild UW-IMAP or can I edit a config file somewhere (the information on the UW website is a little sparse on specifics as it is a 'plug and play' server)?

Thanks very much for your response - it has answered my initial question.

:)

Stuart
0
 

Author Comment

by:csalinger
ID: 12046896
I've managed to get CRAM-MD5 working now - I had my file named incorrectly, such an amateur mistake! cram-md5 instead of cram-md5.pwd

Works fine with secure auth and connection now - thanks!

I'd still like to know whether or not there is any benefit to this, other than being able to have a different login password to email.

Stuart
0
 
LVL 40

Expert Comment

by:jlevie
ID: 12047217
Within an encrypted IMAP, POP, or SMTP connection there's little advantage to using CRAM-MD5 or DIGEST-MD5 since the entire transaction is encrypted. The advantage to those methods is when you aren't using an SSL/TLS connection. There the username and password are exposed when using PLAIN or LOGIN as the method.
0
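
An added illustration of the two replies by jlevie above (not part of the original thread, and not UW-IMAP's own code): the RFC 2195 CRAM-MD5 exchange, run on that RFC's test vector. It shows why the server needs the plaintext shared secret rather than a one-way hash such as a shadow entry, and what PLAIN puts on the wire when there is no TLS. The function names are hypothetical, and the SHA-256 value is an assumed stand-in for a shadow hash.

```python
import base64
import hashlib
import hmac

# Test vector from RFC 2195 (user, shared secret, server challenge).
USER, SECRET = "tim", "tanstaaftanstaaf"
CHALLENGE_B64 = base64.b64encode(b"<1896.697170952@postoffice.reston.mci.net>").decode()


def cram_md5_response(user, secret, challenge_b64):
    """Client: HMAC-MD5 the decoded challenge with the secret as the key."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(secret.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode()).decode()


def cram_md5_verify(stored, challenge_b64, response_b64):
    """Server: recompute the HMAC from whatever it has stored for the user."""
    user, _, _digest = base64.b64decode(response_b64).decode().rpartition(" ")
    if user not in stored:
        return False
    expected = cram_md5_response(user, stored[user], challenge_b64)
    return hmac.compare_digest(expected, response_b64)


def plain_initial_response(user, password):
    """AUTHENTICATE PLAIN payload: base64 of NUL user NUL password."""
    return base64.b64encode(f"\0{user}\0{password}".encode()).decode()


def demo():
    response = cram_md5_response(USER, SECRET, CHALLENGE_B64)
    # Stand-in for a shadow entry: a one-way hash of the password (assumption;
    # real shadow files use crypt(3) formats, the outcome is the same).
    shadow_like = hashlib.sha256(SECRET.encode()).hexdigest()
    return {
        "cram_wire": base64.b64decode(response).decode(),
        "plain_wire": base64.b64decode(plain_initial_response(USER, SECRET)),
        "verify_with_secret": cram_md5_verify({USER: SECRET}, CHALLENGE_B64, response),
        "verify_with_hash": cram_md5_verify({USER: shadow_like}, CHALLENGE_B64, response),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The base64 on a PLAIN exchange is an encoding, not encryption, which is why it relies on the TLS session for confidentiality.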
 

Author Comment

by:csalinger
ID: 12047279
Thank you very much for your time and explanation

Stuart
0


Question has a verified solution.
