1 (edited by ewarrior11 2012-02-08 11:13:04)

Topic: A newbie question about password encryption

I have the server set up and seemingly running, and I am beginning to test it.  I am going to be using Mozilla Thunderbird as an IMAP client.  When setting it up, I specified encrypted password for authentication, but the iRedMail server apparently doesn't support this.

However, it does seem to support STARTTLS when you connect, which should ensure an encrypted connection.  My question is, is the password broadcast as plain text before the connection is established, or after?  What I'm wondering is if my password gets plain text broadcast over the network.  If so, is there a way to avoid that?

Related question: since webmail is https, would the password not be visible without the key over the webmail connection?

Another related question: do all iRedMail installations use the same TLS decryption key?  I admit I'm not too up on how the certificates work, but if all installations use the same key, that would seem to be a security vulnerability.  If I'm off here, feel free to correct me.

Edit: Another probably dumb question.  Is iRedMail configured, by default, to NOT be an open relay?


- Ubuntu 10.4 LTS
- iRedMail 0.7.4, mysql


2

Re: A newbie question about password encryption

ewarrior11 wrote:

However, it does seem to support STARTTLS when you connect, which should ensure an encrypted connection.  My question is, is the password broadcast as plain text before the connection is established, or after?  What I'm wondering is if my password gets plain text broadcast over the network.  If so, is there a way to avoid that?

Reference:
- http://en.wikipedia.org/wiki/STARTTLS
- http://tools.ietf.org/html/rfc3207

As you can see, the STARTTLS command is issued after connecting to the server, so your password will be sent AFTER the TLS connection is established.

ewarrior11 wrote:

Related question: since webmail is https, would the password not be visible without the key over the webmail connection?

Sorry, what do you mean "without the key"?

ewarrior11 wrote:

Another related question: do all iredmail installations use the same TLS decryption key?

Each iRedMail server has its own TLS cert/key, which was generated during iRedMail installation, so yours is different.

ewarrior11 wrote:

Edit: Another probably dumb question.  Is IRedMail configured, by default, to NOT be an open relay?

It's not an open relay by default.
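The point in the reply above is a client-side rule: credentials go out only once TLS is up, either because the connection was TLS from the first byte (IMAPS/SMTPS) or because STARTTLS was advertised and completed. The following is an added example (not code from this thread, from Thunderbird or from iRedMail) that applies that rule to captured IMAP/SMTP dialogue: it parses capability announcements and walks a session transcript, reporting any LOGIN/AUTHENTICATE/AUTH command that was sent before TLS became active. The server responses embedded below are constructed samples.

```python
"""Check whether a mail client sent its password before TLS was established.

Added example, not from the iRedMail forum thread.  The transcripts and
server responses below are constructed; the rule implemented is the one
the thread describes: credentials only after STARTTLS (or implicit TLS).
"""
import re

# Commands that carry credentials: IMAP LOGIN/AUTHENTICATE, SMTP AUTH.
CREDENTIAL_CMDS = ("LOGIN", "AUTHENTICATE", "AUTH")


def imap_capabilities(line):
    """Parse '* CAPABILITY ...' or 'tag OK [CAPABILITY ...]' into a token set."""
    m = re.search(r"CAPABILITY\s+([^\]\r\n]+)", line, re.IGNORECASE)
    if not m:
        return set()
    return {tok.upper() for tok in m.group(1).split()}


def smtp_ehlo_capabilities(response):
    """Parse a multi-line EHLO reply; the first 250 line is the greeting, not a keyword."""
    caps = set()
    for i, line in enumerate(response.splitlines()):
        m = re.match(r"250[ -]\s*(\S+)", line.strip())
        if m and i > 0:
            caps.add(m.group(1).upper())
    return caps


def may_send_password(caps, tls_active):
    """Decide whether a client should transmit credentials at this moment."""
    if tls_active:
        return True, "TLS established; credentials are encrypted in transit"
    if "STARTTLS" in caps:
        return False, "issue STARTTLS first, then re-read capabilities and authenticate"
    if "LOGINDISABLED" in caps:
        return False, "server refuses plaintext login; STARTTLS or implicit TLS required"
    return False, "no TLS offered; credentials would cross the network in clear"


def audit_session(transcript, tls_from_start=False):
    """Walk a list of ('C'|'S', line) pairs; return client commands that
    carried credentials while the connection was still plaintext."""
    tls_active = tls_from_start
    pending_starttls = False
    leaks = []
    for who, line in transcript:
        words = line.split()
        if not words:
            continue
        if who == "C":
            # IMAP commands are prefixed by a tag ("a002 STARTTLS"); SMTP ones are not.
            cmd = words[0].upper()
            if cmd not in ("STARTTLS",) + CREDENTIAL_CMDS and len(words) > 1:
                cmd = words[1].upper()
            if cmd == "STARTTLS":
                pending_starttls = True
            elif cmd in CREDENTIAL_CMDS and not tls_active:
                leaks.append(line)
        elif pending_starttls and re.match(r"(\S+\s+OK|220)\b", line):
            # Server accepted STARTTLS: everything after this point is encrypted.
            tls_active = True
            pending_starttls = False
    return leaks


# Constructed IMAP session: STARTTLS is negotiated before LOGIN, as the thread says.
GOOD_IMAP = [
    ("S", "* OK Dovecot ready."),
    ("C", "a001 CAPABILITY"),
    ("S", "* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED"),
    ("S", "a001 OK Capability completed."),
    ("C", "a002 STARTTLS"),
    ("S", "a002 OK Begin TLS negotiation now."),
    ("C", "a003 LOGIN user@example.com s3cret"),
    ("S", "a003 OK Logged in"),
]

# Constructed SMTP session: the client ignores the advertised STARTTLS and
# authenticates in clear, which is the failure mode the question is about.
BAD_SMTP = [
    ("S", "220 mail.example.com ESMTP Postfix"),
    ("C", "EHLO laptop"),
    ("S", "250-mail.example.com\r\n250-STARTTLS\r\n250 AUTH PLAIN LOGIN"),
    ("C", "AUTH PLAIN dXNlcgB1c2VyAHBhc3M="),
    ("S", "235 2.7.0 Authentication successful"),
]

if __name__ == "__main__":
    print("IMAP leaks:", audit_session(GOOD_IMAP))
    print("SMTP leaks:", audit_session(BAD_SMTP))
```

Run against a real capture (for example the lines of a tcpdump/Wireshark "Follow TCP stream" of port 143 or 587), the audit reports exactly the commands a sniffer on the path would have seen with the password in them; an empty list on a plaintext port means the client did wait for STARTTLS.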

3

Re: A newbie question about password encryption

On the https / webmail question...

Sorry if I wasn't clear.  When you connect to access your mail via webmail it is, naturally, by a secured connection (https protocol).  You enter your email password on the webmail interface.  My question is, would my email password be encrypted at that point since I'm already connected by a secure connection?  That is, my password would not be visible to any nefarious individual using a packet sniffer, unless he had my https private key?

4

Re: A newbie question about password encryption

1) The connection between you and the web server is protected by a secure connection (HTTPS).
2) The connection between Roundcube webmail and the IMAP server is separate; it depends on your setting in the Roundcube config file (/usr/share/apache2/roundcubemail/config/main.inc.php):

// the mail host chosen to perform the log-in
// leave blank to show a textbox at login, give a list of hosts
// to display a pulldown menu or set one host as string.
// To use SSL/TLS connection, enter hostname with prefix ssl:// or tls://
// Supported replacement variables:
// %n - http hostname ($_SERVER['SERVER_NAME'])
// %d - domain (http hostname without the first part)
// %s - domain name after the '@' from e-mail address provided at login screen
// For example %n = mail.domain.tld, %d = domain.tld
$rcmail_config['default_host'] = '';

Roundcube webmail and the IMAP server (Dovecot) run on the same server by default, so normally the connection between Roundcube webmail and the IMAP server is fine without TLS/SSL. But if they're running on separate servers, you have to enable TLS/SSL by updating the above setting.
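To make the second leg of that picture concrete, here is an added example (not Roundcube's or iRedMail's own code) that classifies a `default_host` value the way the comment block above describes it: `ssl://host` is taken as implicit TLS on port 993, `tls://host` as STARTTLS on port 143, a bare hostname as plaintext IMAP on port 143, and an empty string as "the user types the host at login". Those port defaults are an assumption of this example, as are the sample hostnames; the `%n`, `%d` and `%s` substitutions follow the comment text quoted in the post.

```python
"""Classify how Roundcube's $rcmail_config['default_host'] makes the
webmail-to-IMAP leg travel: encrypted, plaintext-but-local, or plaintext
over the network.

Added example, not Roundcube or iRedMail code.  Assumed semantics:
ssl:// = implicit TLS (993), tls:// = STARTTLS (143), bare host = plaintext
IMAP (143).  Hostnames and e-mail addresses below are constructed.
"""
from urllib.parse import urlsplit

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}
DEFAULT_PORTS = {"ssl": 993, "tls": 143, "imap": 143}


def expand_variables(value, http_hostname, login_email):
    """Apply the %n / %d / %s replacements described in the config comment."""
    domain = http_hostname.split(".", 1)[1] if "." in http_hostname else http_hostname
    email_domain = login_email.rsplit("@", 1)[-1]
    return (value.replace("%n", http_hostname)
                 .replace("%d", domain)
                 .replace("%s", email_domain))


def classify_default_host(value, http_hostname="mail.example.com",
                          login_email="alice@example.com"):
    """Return a dict describing the IMAP leg for one default_host entry."""
    if value == "":
        return {"scheme": None, "host": None, "port": None, "encrypted": None,
                "verdict": "host chosen by the user at login; cannot assess statically"}

    value = expand_variables(value, http_hostname, login_email)
    if "://" not in value:
        value = "imap://" + value          # bare hostname: plain IMAP
    parts = urlsplit(value)
    scheme = parts.scheme.lower()
    host = parts.hostname
    port = parts.port or DEFAULT_PORTS.get(scheme)
    encrypted = scheme in ("ssl", "tls")

    if encrypted:
        verdict = "encrypted (%s)" % ("implicit TLS" if scheme == "ssl" else "STARTTLS")
    elif host in LOCAL_HOSTS:
        verdict = "plaintext but local (same server as Roundcube)"
    else:
        verdict = "plaintext over the network: prefix the host with ssl:// or tls://"

    return {"scheme": scheme, "host": host, "port": port,
            "encrypted": encrypted, "verdict": verdict}


def audit_default_hosts(values, **kw):
    """default_host may list several hosts; return the entries that would
    send the user's password across the network unencrypted."""
    if isinstance(values, str):
        values = [values]
    return [v for v in values
            if classify_default_host(v, **kw)["encrypted"] is False
            and classify_default_host(v, **kw)["host"] not in LOCAL_HOSTS]


if __name__ == "__main__":
    for v in ["", "localhost", "ssl://%n", "tls://imap.%d", "imap.%s", "mail.example.com:143"]:
        print(repr(v), "->", classify_default_host(v)["verdict"])
```

The audit function is the check to run on a split deployment: any entry it returns is a hostname Roundcube will log in to over plain IMAP, with the user's password in the LOGIN command, across whatever network sits between the two boxes.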

5

Re: A newbie question about password encryption

Hi zang,

For more than 2-4 days our mail has been very slow; the minimum time for a mail to be received is 5-10 minutes. How can we speed up mail performance?

please guide.

Thanks
Manoj

6

Re: A newbie question about password encryption

I'm afraid that I may misunderstand your issue. (Maybe it's better to write short sentences instead of a long sentence if you're not good at English, like me.)

I guess you mean greylisting, right? It's provided by Policyd.
* Refer to this site for more detail about greylisting: http://www.greylisting.org/
* Refer to this tutorial to enable or disable greylisting: http://iredmail.org/wiki/index.php?titl … reylisting

IMPORTANT NOTE: Please post your own questions/issues in a NEW forum topic, do NOT hijack other's topic.