[dev] Fetch Mail for IMP

Eric Rostetter eric.rostetter@physics.utexas.edu
Wed, 22 May 2002 17:33:08 -0500


Quoting Edwin Culp <eculp@encontacto.net>:

> | First, I don't like the idea of storing passwords.  I know, every user
> | will want this.  I don't like it.  I wouldn't put it in the code.
> 
> I don't see this as a big issue as long as the directory isn't accessible.
> The courier webadmin password is stored in a text file :-), Mozilla stores
> passwords, etc.

It would be stored as a preference in whatever storage the installation uses
for preferences.  That storage may or may not be secure, depending on the
skill of the admin, people who wrote the storage programs, etc.  But that
isn't really my main issue; I don't like that it is stored at all.

I don't use courier, so that isn't an issue.  I don't *ever* let my web
browsers save my passwords.  I don't ever let MS Windows save my passwords.
I don't ever let password authenticate me.  You may allow all this.  I don't.

As I stated, most users will ask for this (to have their passwords saved).
I know this from experience.  As a sysadmin, I will tell them no.  If the
fetchmail code allows it, I'll probably disable it for my site...

In Horde/IMP passwords are stored encrypted.  But the level of
encryption depends on what PHP modules are installed, so security varies
by site.  Even then it appears that Horde/IMP/etc. try to avoid saving any
passwords when possible.  Obviously they can't avoid it altogether (since
you don't want to ask for a password every time it checks for mail, and
multiple times for each check at that), but they do the best they can.
 
In the case of fetchmail, I think that it can be avoided.  We don't fetch
the mail (since it is a manual operation anyway) that often, so it isn't
a problem to enter the password when we do.  Since I feel it can be avoided,
I think it should be avoided.

But then, others will surely disagree with me.

Still appreciate the work/effort put into it, and await its release, as
it will no doubt be a wonderful addition to Horde/IMP.

-- 
Eric Rostetter
eric.rostetter@physics.utexas.edu

Hey Rocky!  Watch me pull a rabbit from my hat!