Hello Everybody,

Please take some time to review and test drive Mika Kreuder's new Exim4U user interface demo at: http://s1.gl/exim4ui

It's a work in process and we would like to hear comments. Personally, I have been very impressed with Mika's work and Mika has graciously agreed to become the Lead Developer for the Exim4U project going forward as he completes this new user interface.

We hope to have a new Exim4U release sometime later this year but it could fall over to early 2014 according to how ambitious that we get and how much time that we have to devote to the project. The new release will include the new UI as well as some other improvements such as discarding the plain text passwords. The new UI will require php 5.3+ so, for some period of time going forward, we plan to also package the legacy Exim4U interface for installations whose older php versions do not support the new interface. We also plan to consolidate our development repositories to GitHub.

I want to especially thank Mika for his contributions to the project!

Gordon

On 07/18/2013 05:24 PM, mk(a)singular.de wrote:
On 18.07.13 23:04, Odhiambo Washington wrote:
I believe that should be the way. If someone forgets their password, change it to something, then ask them to immediately change it to something stronger. I wish there was a way to enforce strong passwords. I've seen some users set theirs to 123456 and somehow spammers get that and begin to use your server as open relay!

you could always do that with a bit of javascript. at least reasonable quality passwords.
I hope I'm not giving away too much by pointing to my WIP project @ http://s1.gl/exim4ui (it's pre-alpha - don't ask :)
If you log in here and create/edit an account you see what I mean. The confirm password box will only show up if there's a reasonably complex password.
I think we're in the same boat. I'm glad I have the option to look up a user's pw in the db. Because they tend to forget their password once they've setup their mail clients and (I'm speaking for myself here) then it's 'my job' to recover it. I'm all in favour of dumping plaintext passwords but I think then we need some kind of password forgotten function.
On 18 July 2013 23:53, <gecko(a)exim4u.org> wrote:
Hi Odhiambo,
Thanks for the info!
Let's drop that field from the DB and any php code that stores it.

I agree. Currently, the domain admins can reset any user's password. Is that adequate for the cases where the users forget?
Thanks,
Gordon
On 07/18/2013 02:17 PM, Odhiambo Washington wrote:
Hi Gordon,
I am using Dovecot (2.2.4) with MySQL.
In my dovecot-sql.conf, I have:
default_pass_scheme = MD5-CRYPT
password_query = SELECT crypt AS password FROM users,domains WHERE users.username = '%u' AND users.enabled = '1' AND users.type='local' and domains.enabled='1' and domains.domain_id = users.domain_id
And I have authentication working well.
I therefore have no need for the cleartext field in the DB except that I've graciously used it to tell users what their passwd is when they forget - which I don't think pleases them though, because they then fail to use strong passwords, as they will be 'known':)
Let's drop that field from the DB and any php code that stores it.
On 18 July 2013 20:55, <gecko(a)exim4u.org> wrote:
Hi Odhiambo,
Sorry for not replying back to you sooner. I've been away on vacation for several weeks and just got back home.
The cleartext password dates back to the original Vexim code as Avleen Vig recently stated on the Vexim Mailing list:
"Indeed. The storage of the 'clear' field was something one company requested way back in 2003 I think. In hindsight it was a *terrible* idea, but I was young and naive at the time."
See: http://silverwraith.com/pipermail/vexim/2013-July/000691.html
In any event, I agree with you and Avleen that we need to get rid of the cleartext password. Have you achieved any progress using crypt with dovecot? Here is a "Howto" on disabling saving of passwords in clear text with Vexim:
http://axel.sjostedt.no/misc/dev/vexim-customizations/
But the referenced IMAP client is Courier instead of Dovecot. Nevertheless, it shouldn't be that hard with Dovecot. FWIW, I intend to fix this issue in a future release of Exim4U so that the passwords are not stored in plain text. Please let me know if you have made any progress here and, if so, would you please share your work? I would prefer not to reinvent the wheel if it isn't necessary.
Thanks,
Gordon
On 06/26/2013 11:31 AM, Odhiambo Washington wrote:
Someone please remind me why we authenticate users using cleartext passwords with exim4u.
Why are we not using the crypt field? Anyone using crypt, please share dovecot-sql.conf, please.
-- Best regards, Odhiambo WASHINGTON, Nairobi,KE +254733744121/+254722743223 "I can't hear you -- I'm using the scrambler."
_______________________________________________ users mailing list users(a)exim4u.org https://exim4u.org/mailman/listinfo/users
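
Added example, not part of the original thread or of the Exim4U code: one way to provide the "password forgotten" function discussed above without a cleartext column is a one-time reset token whose digest, not the token itself, is stored. The store dict, TOKEN_TTL, the sample password list and the strength policy are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 15 * 60  # assumed token lifetime in seconds
COMMON = {"123456", "password", "qwerty", "letmein"}  # constructed sample list


def strong_enough(password):
    """Server-side re-check; a JavaScript check alone can be bypassed."""
    classes = sum(any(test(c) for c in password) for test in
                  (str.islower, str.isupper, str.isdigit,
                   lambda c: not c.isalnum()))
    return (len(password) >= 10 and classes >= 3
            and password.lower() not in COMMON)


def issue_reset_token(store, username, now=None):
    """Create a one-time token; only its SHA-256 digest is stored."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    store[username] = (digest, now + TOKEN_TTL)
    return token  # hand to the user out of band, never log it


def redeem_reset_token(store, username, token, new_password, now=None):
    """Return True if the token is valid and the new password acceptable."""
    now = time.time() if now is None else now
    entry = store.get(username)
    if entry is None:
        return False
    digest, expires = entry
    supplied = hashlib.sha256(token.encode()).hexdigest()
    if now > expires or not hmac.compare_digest(digest, supplied):
        return False
    if not strong_enough(new_password):
        return False      # token stays valid so the user can retry
    del store[username]   # single use
    return True           # caller now writes only the new crypt hash
```

Because the user has lost access to the mailbox itself, the token has to reach them some other way, for example through the domain admin or an alternate address.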