[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Mutt or KMail

On Sun, Aug 25, 2002 at 4:32:45PM +0100, Karl E. Jorgensen wrote:

>> The one disadvantage I see from letting fetchmail retrieve is that
>> there doesn't seem to be a way for fetchmail to store email passwords 
>> on the computer using encryption.  Perhaps I am wrong (please tell 
>> me so) but unless you supply your password every time you check for mail,
>> passwords are kept in plain text.  
> !? What's the point of using encryption here? If the code is open
> source, then the algorithm cannot be secret; only the encryption key.
> Which leaves you with having to enter a decryption key. Back to square
> one.
>     http://www.tuxedo.org/~esr/fetchmail/design-notes.html
> [search for "password encryption"]
>> That may be fine if your mail account is the only one fetchmail will
>> retrieve mail for.  But if you have other users who don't want you to
>> know there password, you have a problem.
> c/there/their/ ?
> Problem is easily solved by:
>     chmod go-w ~
>     chmod go= ~/.fetchmailrc
> which is the way it should be IMHO.

No problem.  I agree with both you and Eric's ideas behind this.
However for me, that's not the issue.  There are end users
out there that don't want to put there passwords into an ascii file in
plain text.  With all due respect to ESR, the issue isn't whether
someone with root access can decode an encrypted password.  Many people
refuse to store passwords in plain text on there machine.  And they
refuse to accept the notion that it can't be encrypted when almost every
email program on the planet can store passwords encrypted, then
successfully decrypt and send them across a network to retrieve mail.  I
used to work for an ISP in Madison, WI and we didn't store user
passwords in plain text on our mail server.  It wasn't a matter of
efficiency.  It was 1) users wanted encryption. 2) If the mail server
was ever compromised, a lack of decryption would have made customer passwords
a little bit easier to collect. Our mailserver wasn't using fetchmail
in any way, and it wasn't compromised, but the point is the same.  

In my humble opinion, it is a feature that many people want.  Sometime
down the road, it is a feature that people will get -- if not in
fetchmail, then in some other program. 


Reply to: