
Re: [suse-security] SOLVED Plaintext passwords IMAP please!



Thank you so much Peter!

This worked.  I thought it was unlike SuSE to leave a way out of this.

I grepped for "I accept the risk" in the package documentation - nothing.
Grepped for "disable-plaintext", found it in imaprc, which describes the
c-client.cf file... however very little detail given and it said that the
default is already 0!  Some slightly improved documentation - e.g. a note in
the README.SuSE would be helpful here.

David Fetter - with regard to your comments, yes I agree that it's fine to
change defaults on packages.  I was concerned that as a responsible IT
professional that has carefully weighed up the security implications I
couldn't undo this without recompiling the package.  In our case we are a
small company and anyway clients are using Outlook Express connecting using
plain text/pop3 to our ISP anyway!




----- Original Message ----- 
From: "Peter Hinterseer" <iceman@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>
To: <suse-security@xxxxxxxx>
Sent: Wednesday, January 14, 2004 4:07 PM
Subject: Re: [suse-security] Plaintext passwords IMAP please!


> -- snipped a lot of "I tried..." and "...didn't work" --
>
> > Really it's such a simple thing I want to do!
> >
> > Can anyone help?
>
> This is really not so hard to solve. SuSE's imap-2002 package released with
> 8.2 and 9.0 has to be explicitly enabled to accept plaintext passwords. Some
> file in the documentation mentions that. It also warns of the risks. But if
> all machines using this IMAP server are as you told us behind a firewall,
> this should be OK.
>
> It is easily done by creating a file '/etc/c-client.cf' with the following
> content:
>
> --
> I accept the risk
>
> set disable-plaintext 0
> --
>
> Without the '--' of course... ;-)
>
> Note the part about the risk, they must be really paranoid about those
> plaintext passwords.
>
> Have fun,
>
> Peter.-)
>
>
> -- 
> Check the headers for your unsubscription address
> For additional commands, e-mail: suse-security-help@xxxxxxxx
> Security-related bug reports go to security@xxxxxxx, not here
>


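An added example, not part of the original thread or of SuSE's package: a small audit that reports whether a c-client.cf carries the plaintext override quoted above, so hosts where it was switched on can be found later. It assumes the file is honoured only when its first line begins with the acknowledgement, that a missing file or setting leaves the package default described in the thread, and that the last matching `set` line wins; `audit_cclient` and the status names are hypothetical.

```python
#!/usr/bin/env python3
"""Audit a c-client.cf for the plaintext-password override from this thread."""
import re
import sys

RISK_LINE = "I accept the risk"  # acknowledgement line, as quoted in the thread
SETTING = re.compile(r"^\s*set\s+disable-plaintext\s+(\S+)\s*$", re.IGNORECASE)


def audit_cclient(text):
    """Classify the contents of a c-client.cf file.

    Returns (status, detail) where status is one of:
      'ignored'              - no acknowledgement on line 1 (assumed: file not honoured)
      'package-default'      - acknowledged, but no disable-plaintext setting
      'plaintext-enabled'    - 'set disable-plaintext 0', as in the thread
      'plaintext-restricted' - any other value
    """
    lines = text.splitlines()
    if not lines or not lines[0].strip().startswith(RISK_LINE):
        return ("ignored", "line 1 is not the risk acknowledgement")

    found = None
    for number, line in enumerate(lines[1:], start=2):
        match = SETTING.match(line)
        if match:
            found = (match.group(1), number)  # assumption: last setting wins

    if found is None:
        return ("package-default", "no disable-plaintext setting present")
    value, number = found
    if value == "0":
        return ("plaintext-enabled", f"line {number}: disable-plaintext 0")
    return ("plaintext-restricted", f"line {number}: disable-plaintext {value}")


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/c-client.cf"
    try:
        with open(path, encoding="utf-8", errors="replace") as handle:
            status, detail = audit_cclient(handle.read())
    except FileNotFoundError:
        status, detail = "package-default", "file does not exist"
    print(f"{path}: {status} ({detail})")
    # Non-zero exit lets a cron job or config-management run flag the host.
    sys.exit(1 if status == "plaintext-enabled" else 0)
```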