Solved

UW-IMAPS - is my password safe?

Posted on 2004-09-13
Last Modified: 2010-04-22
I currently have UW IMAPS installed on my RedHat9 based system and would like to know whether my username and password are being sent in clear text before encryption is started.  I've searched with Google, checked out the UW FAQs and can't seem to find a definitive answer.
I can't say I know the exact process or options available during an IMAPS session and need help.  My email client (Mozilla Thunderbird) gives a secure connection option (the TLS) which works fine and also a secure authentication, which doesn't - a message is displayed informing me the server does not support secure authentication.  I don't really mind, as long as my password is encrypted.

Is it?!

Thanks to anyone who can help.

Stuart
Question by:csalinger

Accepted Solution

by:jlevie earned 125 total points
ID: 12043070
If you've configured your mail client to use TLS and that is working, your username & password are being transmitted within the encrypted session and are thus safe.

Secure passwords (CRAM-MD5, DIGEST-MD5) don't work with the UWash IMAP implementation when using the Linux passwd/shadow file for user info. To be able to offer secure passwords the IMAP server's auth mechanism needs additional password info that can't be had from the encrypted password in the shadow file.

Author Comment

by:csalinger
ID: 12046292
I see.  The mail client has only the one option for secure connection - SSL (listed in brackets), which I assume is being used as TLS (I don't know much about them, but I know TLS is based on SSL), as the SMTP options allow selection between TLS and SSL, so the client supports it for SMTP.  I hope I explained that properly and didn't confuse you.

I suppose there is no reason for me to want to use CRAM-MD5 or DIGEST-MD5 for passwords if they are already encrypted?

If I did, would I have to rebuild UW-IMAP or can I edit a config file somewhere (the information on UW website is a little sparse on specifics as it is a 'plug and play' server)?

Thanks very much for your response - it has answered my initial question.

:)

Stuart

Author Comment

by:csalinger
ID: 12046896
I've managed to get the CRAM-MD5 working now - I had my file named incorrectly, such an amateur mistake! cram-md5 instead of cram-md5.pwd

Works fine with secure auth and connection now - thanks!

I'd still like to know whether or not there is any benefit to this, other than being able to have a different login password to email.

Stuart

Expert Comment

by:jlevie
ID: 12047217
Within an encrypted IMAP, POP, or SMTP connection there's little advantage to using CRAM-MD5 or DIGEST-MD5 since the entire transaction is encrypted. The advantage to those methods is when you aren't using an SSL/TLS connection. There the username and password are exposed when using PLAIN or LOGIN as the method.
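
Added example, not part of the original thread and not UW-IMAP code: a sketch of the CRAM-MD5 exchange (RFC 2195) next to SASL PLAIN, illustrating both points made in the answers above: PLAIN carries the password in a reversible encoding, while CRAM-MD5 only works if the server holds the secret itself rather than a one-way shadow hash. The user name, password, challenge and shadow string are constructed sample values.

```python
import base64
import hashlib
import hmac

# Constructed sample values, not taken from the thread.
USER = "stuart"
PASSWORD = "correct horse battery"
CHALLENGE = "<1896.697170952@mail.example.org>"  # server nonce, sent in the clear
SHADOW_HASH = "$1$constructed$notARealCryptHash000000"  # stand-in for a shadow entry


def plain_token(user, password):
    """SASL PLAIN initial response: base64 of NUL user NUL password."""
    return base64.b64encode(f"\0{user}\0{password}".encode()).decode()


def recovered_from_plain(token):
    """What a reader of an unencrypted session recovers from a PLAIN token."""
    _, user, password = base64.b64decode(token).decode().split("\0")
    return user, password


def cram_md5_response(user, secret, challenge):
    """Client response: base64 of 'user <hex HMAC-MD5(secret, challenge)>'."""
    digest = hmac.new(secret.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode()).decode()


def server_verify(response, stored_secret, challenge):
    """Server recomputes the HMAC using whatever secret it has stored."""
    _, _, digest = base64.b64decode(response).decode().rpartition(" ")
    expected = hmac.new(
        stored_secret.encode(), challenge.encode(), hashlib.md5
    ).hexdigest()
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    print("PLAIN decodes to:", recovered_from_plain(plain_token(USER, PASSWORD)))
    resp = cram_md5_response(USER, PASSWORD, CHALLENGE)
    print("CRAM-MD5 on the wire:", base64.b64decode(resp).decode())
    print("server holding the secret:", server_verify(resp, PASSWORD, CHALLENGE))
    print("server holding only a hash:", server_verify(resp, SHADOW_HASH, CHALLENGE))
```

Because the HMAC is keyed with the password itself, a server that stores only the one-way hash cannot recompute the expected digest, and a response captured for one challenge does not verify against a different one.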

Author Comment

by:csalinger
ID: 12047279
Thank you very much for your time and explanation.

Stuart