RainLoop / rainloop-webmail

Simple, modern & fast web-based email client
http://rainloop.net
MIT License

Rainloop only allows PLAIN LOGIN #1670

Open MrKeiKun opened 6 years ago

MrKeiKun commented 6 years ago

RainLoop version, browser, OS:
Server Side: RainLoop - git-master, Postfix - 2.10.1-6, Dovecot - 2.2.10
Client Side: Firefox Quantum 59.0.1, Windows 10

Expected behavior and actual behavior:
When my dovecot settings have this

auth_mechanisms = digest-md5
disable_plaintext_auth = yes

rainloop is unable to login but when I do this

auth_mechanisms = digest-md5 plain login
#disable_plaintext_auth = yes

RainLoop works fine as usual. Is it possible to implement non-plain login as a feature?

Logs or screenshots:

Mar 26 16:54:45 dev dovecot: imap-login: Disconnected (tried to use unsupported auth mechanism): user=<>, method=PLAIN, rip=SERVER_IP, lip=SERVER_IP, TLS, session=<9vHv7ExoIgAtIX2n>

GoetheG commented 6 years ago

Is this a security issue?

mhantsch commented 6 years ago

In MailSo/Smtp/SmtpClient.php the supported (implemented) authentications are: PLAIN, CRAM-MD5, and XOAUTH2.

Not sure if you can get dovecot to support CRAM-MD5, but that would be an alternative to PLAIN according to the code.
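
To make the difference between the three mechanisms mhantsch lists concrete, here is an added example (written for this page, not RainLoop's MailSo code) of what the client side of PLAIN, CRAM-MD5 and XOAUTH2 actually puts on the wire, and what a passive observer on a non-TLS connection gets back by base64-decoding it. The CRAM-MD5 input is the test vector from RFC 2195; the OAuth token is a made-up placeholder.

```python
import base64
import hashlib
import hmac


def sasl_plain(user: str, password: str, authzid: str = "") -> str:
    """AUTH PLAIN initial response (RFC 4616): base64(authzid NUL authcid NUL password).

    The password itself is inside the message; only the TLS layer hides it.
    """
    return base64.b64encode(f"{authzid}\0{user}\0{password}".encode()).decode()


def cram_md5_response(challenge_b64: str, user: str, password: str) -> str:
    """AUTH CRAM-MD5 client response (RFC 2195).

    The server sends a base64 challenge; the client answers with
    base64("user " + hex(HMAC-MD5(key=password, msg=challenge))).
    The password never leaves the client, but the server must keep it
    in a recoverable form to verify the answer.
    """
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode()).decode()


def xoauth2_response(user: str, access_token: str) -> str:
    """AUTH XOAUTH2 initial response: base64("user=" user ^A "auth=Bearer " token ^A ^A).

    A short-lived bearer token stands in for the password.
    """
    msg = f"user={user}\x01auth=Bearer {access_token}\x01\x01"
    return base64.b64encode(msg.encode()).decode()


def decoded(response_b64: str) -> bytes:
    """What an eavesdropper on a cleartext session recovers by base64-decoding alone."""
    return base64.b64decode(response_b64)


def password_exposed(response_b64: str, password: str) -> bool:
    """True if the raw password is readable in the decoded SASL message."""
    return password.encode() in decoded(response_b64)


# RFC 2195 test vector: user "tim", password "tanstaaftanstaaf",
# challenge "<1896.697170952@postoffice.reston.mci.net>" (base64 below).
RFC2195_CHALLENGE = "PDE4OTYuNjk3MTcwOTUyQHBvc3RvZmZpY2UucmVzdG9uLm1jaS5uZXQ+"
RFC2195_USER = "tim"
RFC2195_PASSWORD = "tanstaaftanstaaf"

if __name__ == "__main__":
    plain = sasl_plain(RFC2195_USER, RFC2195_PASSWORD)
    cram = cram_md5_response(RFC2195_CHALLENGE, RFC2195_USER, RFC2195_PASSWORD)
    oauth = xoauth2_response(RFC2195_USER, "ya29.placeholder-token")  # made-up token
    for name, msg in (("PLAIN", plain), ("CRAM-MD5", cram), ("XOAUTH2", oauth)):
        print(f"{name:9} {msg}")
        print(f"{'':9} decoded={decoded(msg)!r} "
              f"password_exposed={password_exposed(msg, RFC2195_PASSWORD)}")
```

The RFC 2195 vector yields the response `tim b913a602c7eda7a495b4e6e7334d3890`; decoding it gives the username and an HMAC, never the password, whereas decoding the PLAIN response gives the password verbatim. That is the whole of the argument for a challenge-response mechanism, and also its cost: CRAM-MD5 only works if the server side stores a plaintext-equivalent secret.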

MrKeiKun commented 6 years ago

@GoetheG For me, it will be a security issue if RainLoop is used in an organization.

@mhantsch From: https://wiki2.dovecot.org/Authentication/Mechanisms

CRAM-MD5: Protects the password in transit against eavesdroppers. Somewhat good support in clients.
DIGEST-MD5: Somewhat stronger cryptographically than CRAM-MD5, but clients rarely support it.
SCRAM-SHA-1: Salted Challenge Response Authentication Mechanism (SCRAM) SASL and GSS-API Mechanisms. Intended as DIGEST-MD5 replacement.
APOP: This is a POP3-specific authentication. Similar to CRAM-MD5, but requires storing password in plaintext.
NTLM: Mechanism created by Microsoft and supported by their clients. Optionally supported using Samba's winbind.
GSS-SPNEGO: A wrapper mechanism defined by RFC 4178. Can be accessed via either GSSAPI or Winbind.
GSSAPI: Kerberos v5 support.
RPA: Compuserve RPA authentication mechanism. Similar to DIGEST-MD5, but client support is rare.
ANONYMOUS: Support for logging in anonymously. This may be useful if you're intending to provide a publicly accessible IMAP archive.
OTP and SKEY: One time password mechanisms.
EXTERNAL: EXTERNAL SASL mechanism.
OAUTHBEARER: OAuth2 bearer authentication https://tools.ietf.org/html/rfc7628. See OAuth2 password database (v2.2.29+)
XOAUTH2: Google flavor OAUTHBEARER (v2.2.29+)

GoetheG commented 6 years ago

Is there a plan to build a secure e-mail solution for Nextcloud? That would be great :).

ebbez commented 5 years ago

I'm not particularly a security expert, but you don't necessarily need to encrypt the password. It would be easier to get an SSL/TLS certificate from Let's Encrypt and enable it in Postfix & Dovecot. Make sure clients connect via 465 (SMTPS, TLS only, no STARTTLS) and 993 (IMAPS, TLS only, no STARTTLS).

If RainLoop runs on the same server as the mail (Postfix and Dovecot), then Dovecot accepts the plain login because the connection is considered secure.
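
A check a practitioner can run against the advice above, added here as an example that is not part of this thread nor of RainLoop or Dovecot: parse an IMAP CAPABILITY response and report whether credentials could travel in cleartext on that connection. Dovecot with disable_plaintext_auth=yes advertises LOGINDISABLED and withholds AUTH=PLAIN / AUTH=LOGIN until TLS is up; the capability lines below are constructed to model that (one hardened greeting, one weak greeting, one post-STARTTLS response), not captured from a real server.

```python
import re

# Constructed IMAP capability responses (not captured from any real server).
# GREETING_HARDENED models a Dovecot greeting with disable_plaintext_auth=yes:
# LOGINDISABLED is advertised and no plaintext AUTH= mechanism is offered.
# GREETING_WEAK models a server that accepts PLAIN/LOGIN on the unencrypted port.
# AFTER_STARTTLS models the capabilities re-read once TLS is active.
GREETING_HARDENED = "* OK [CAPABILITY IMAP4rev1 SASL-IR ID ENABLE IDLE STARTTLS LOGINDISABLED] Dovecot ready."
GREETING_WEAK = "* OK [CAPABILITY IMAP4rev1 SASL-IR ID ENABLE IDLE STARTTLS AUTH=PLAIN AUTH=LOGIN] ready."
AFTER_STARTTLS = "* CAPABILITY IMAP4rev1 SASL-IR ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN AUTH=CRAM-MD5 AUTH=SCRAM-SHA-1"

PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}
CHALLENGE_RESPONSE_MECHS = {"CRAM-MD5", "DIGEST-MD5", "SCRAM-SHA-1", "SCRAM-SHA-256"}


def parse_capabilities(line: str) -> set:
    """Accept '* CAPABILITY ...' or '* OK [CAPABILITY ...] text'; return the capability tokens."""
    m = re.search(r"\[CAPABILITY ([^\]]*)\]", line)
    if m:
        return set(m.group(1).split())
    if line.startswith("* CAPABILITY "):
        return set(line[len("* CAPABILITY "):].split())
    raise ValueError(f"not a CAPABILITY response: {line!r}")


def auth_mechanisms(caps: set) -> set:
    """The SASL mechanisms advertised as AUTH=<name>."""
    return {c[len("AUTH="):] for c in caps if c.startswith("AUTH=")}


def audit(line: str, tls_active: bool) -> list:
    """Return findings about how a client could be induced to send its password on this connection."""
    caps = parse_capabilities(line)
    mechs = auth_mechanisms(caps)
    findings = []
    # RFC 3501: the LOGIN command is permitted unless LOGINDISABLED is advertised.
    plaintext_possible = bool(mechs & PLAINTEXT_MECHS) or "LOGINDISABLED" not in caps
    if not tls_active:
        if plaintext_possible:
            findings.append("plaintext credentials accepted before TLS")
        if "STARTTLS" not in caps:
            findings.append("no STARTTLS offered on cleartext port")
    if tls_active and not (mechs & CHALLENGE_RESPONSE_MECHS):
        findings.append("no challenge-response mechanism offered (PLAIN/LOGIN only)")
    return findings


if __name__ == "__main__":
    for label, line, tls in (("hardened greeting", GREETING_HARDENED, False),
                             ("weak greeting", GREETING_WEAK, False),
                             ("after STARTTLS", AFTER_STARTTLS, True)):
        print(f"{label:18} mechs={sorted(auth_mechanisms(parse_capabilities(line)))} "
              f"findings={audit(line, tls) or 'none'}")
```

On a port that is TLS-only (993/465) the pre-TLS case never arises, which is exactly why the comment above recommends those ports; the audit is for the STARTTLS ports, where the greeting is what decides whether a client such as RainLoop, which only tries PLAIN, could be tricked into sending the password before the upgrade.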

bugz8unny69 commented 5 years ago

No, it's over-exuberance; one should worry more about the password than about transmitting it in clear text over SSL/TLS.

Neustradamus commented 2 years ago

Dear all,

In first, I wish you a Happy New Year 2022!

Currently the BIG SECURITY PROBLEM of RainLoop is that there is no SCRAM-SHA-* and SCRAM-SHA-*-PLUS support.

It is time to add it!

Please use SnappyMail from @the-djmaze who has done a good job!

Linked to:

bugz8unny69 commented 2 years ago

Hi @Neustradamus,

I am failing to understand what you mean by BIG SECURITY PROBLEM. How will someone exploit a mail system when the connection itself is encrypted? I don't see the added benefit this provides when you look at security trends; it's easier to enter the correct password than it is to have the password encrypted during transmission.

Neustradamus commented 2 years ago

@lhorace: Thanks for your reply!

To have a better security, please read, for example, here about SCRAM: https://techcommunity.microsoft.com/t5/azure-database-for-postgresql/how-to-securely-authenticate-with-scram-in-postgres-13/ba-p/1548319.
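
For the SCRAM-SHA-1 entry in the Dovecot mechanism list quoted earlier and for the SCRAM request in this comment, here is an added example (not RainLoop's, SnappyMail's or Dovecot's code) that runs one SCRAM-SHA-1 exchange (RFC 5802) with both sides in-process, so every message is visible. The nonces, salt and password are the RFC 5802 section 5 example values so the proof and server signature are checkable. Channel binding, which is what the -PLUS variants add, is not shown; the GS2 header is the "n,," (no binding) case, and SASLprep normalisation is skipped (ASCII only).

```python
import base64
import hashlib
import hmac
import secrets

HASH = "sha1"  # SCRAM-SHA-1; "sha256" gives SCRAM-SHA-256 (RFC 7677) with the same flow


def _h(data: bytes) -> bytes:
    return hashlib.new(HASH, data).digest()


def _hmac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, HASH).digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()


def salted_password(password: str, salt: bytes, iterations: int) -> bytes:
    # Hi() from RFC 5802 is PBKDF2-HMAC; SASLprep is skipped here (assumes ASCII passwords).
    return hashlib.pbkdf2_hmac(HASH, password.encode(), salt, iterations)


def store_credential(password: str, salt: bytes = None, iterations: int = 4096) -> dict:
    """What the server keeps instead of the password: salt, iteration count, StoredKey, ServerKey.

    StoredKey = H(ClientKey), so the stored record alone cannot produce a client proof.
    """
    salt = salt if salt is not None else secrets.token_bytes(16)
    sp = salted_password(password, salt, iterations)
    return {"salt": salt, "iterations": iterations,
            "stored_key": _h(_hmac(sp, b"Client Key")),
            "server_key": _hmac(sp, b"Server Key")}


def scram_exchange(user: str, password: str, cred: dict,
                   cnonce: str = None, snonce: str = None) -> dict:
    """Run one SCRAM-SHA-1 authentication with both sides in-process and return every message.

    `password` is what the client believes; `cred` is what the server stored.
    Nonces are random unless supplied (fixed values make the output checkable).
    """
    cnonce = cnonce or _b64(secrets.token_bytes(18))
    snonce = snonce or _b64(secrets.token_bytes(18))

    # client -> server: GS2 header "n,," (no channel binding, no authzid), username, client nonce
    client_first_bare = f"n={user},r={cnonce}"
    client_first = "n,," + client_first_bare

    # server -> client: combined nonce, the user's salt and iteration count (no secret here)
    nonce = cnonce + snonce
    server_first = f"r={nonce},s={_b64(cred['salt'])},i={cred['iterations']}"

    # client: c= is base64("n,,") = "biws"; proof = ClientKey XOR HMAC(StoredKey, AuthMessage)
    client_final_bare = f"c={_b64(b'n,,')},r={nonce}"
    auth_message = f"{client_first_bare},{server_first},{client_final_bare}".encode()
    sp = salted_password(password, cred["salt"], cred["iterations"])
    client_key = _hmac(sp, b"Client Key")
    proof = _xor(client_key, _hmac(_h(client_key), auth_message))
    client_final = f"{client_final_bare},p={_b64(proof)}"

    # server: undo the XOR with its own StoredKey-based signature, then check H(ClientKey) == StoredKey
    recovered_key = _xor(proof, _hmac(cred["stored_key"], auth_message))
    client_ok = hmac.compare_digest(_h(recovered_key), cred["stored_key"])
    if client_ok:
        server_final = f"v={_b64(_hmac(cred['server_key'], auth_message))}"
    else:
        server_final = "e=invalid-proof"

    # client: verify the server knew ServerKey (mutual authentication)
    expected = f"v={_b64(_hmac(_hmac(sp, b'Server Key'), auth_message))}"
    server_ok = hmac.compare_digest(server_final.encode(), expected.encode())

    return {"client_first": client_first, "server_first": server_first,
            "client_final": client_final, "server_final": server_final,
            "client_ok": client_ok, "server_ok": server_ok}


# RFC 5802 section 5 example values (user "user", password "pencil")
RFC5802_SALT = base64.b64decode("QSXCR+Q6sek8bf92")
RFC5802_CNONCE = "fyko+d2lbbFgONRv9qkxdawL"
RFC5802_SNONCE = "3rfcNHYJY1ZVvWVs7j"

if __name__ == "__main__":
    cred = store_credential("pencil", salt=RFC5802_SALT)
    for label, pw in (("correct password", "pencil"), ("wrong password", "pencii")):
        print(f"--- {label}")
        for k, v in scram_exchange("user", pw, cred, RFC5802_CNONCE, RFC5802_SNONCE).items():
            print(f"{k:13} {v}")
```

Two things the transcript makes visible that the linked article argues in prose: the password never appears in any message, and the server verifies the proof using only StoredKey and signs its reply with ServerKey, so a copy of the server's credential store does not by itself let an attacker log in as the user. Adding the mechanism to a client means implementing exactly this client half against the server's `r=`, `s=`, `i=` and `v=` fields.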

Neustradamus commented 2 years ago

@RainLoop dev team: Maybe you must have a test account on a mail server?