[dev] Fetch Mail for IMP

Edwin Culp eculp@encontacto.net
Wed, 22 May 2002 15:46:49 -0700


Quoting Eric Rostetter <eric.rostetter@physics.utexas.edu>:

| Quoting Edwin Culp <eculp@encontacto.net>:
| 
| > | First, I don't like the idea of storing passwords.  I know, every user
| > | will want this.  I don't like it.  I wouldn't put it in the code.
| > 
| > I don't see this as a big issue as long as the directory isn't accessible.
| > The courier webadmin password is stored in a text file :-), Mozilla stores
| > passwords, etc.
| 
| It would be stored as a preference in whatever storage the installation uses
| for preferences.  That storage may or may not be secure, depending on the
| skill of the admin, people who wrote the storage programs, etc.  But that
| isn't really my main issue, I don't like that it is stored at all.
| 
| I don't use courier, so that isn't an issue.  I don't *ever* let my web
| browsers save my passwords.  I don't ever let MS Windows save my passwords.
| I don't ever let password authenticate me.  You may allow all this.  I
| don't.
| 
| As I stated, most users will ask for this (to have their passwords saved).
| I know this from experience.  As a sysadmin, I will tell them no.  If the
| fetchmail code allows it, I'll probably disable it for my site...
| 
| In Horde/IMP passwords are stored encrypted.  But the level of 
| encryption depends on what php modules are installed, so security varies
| by site.  Even then it appears that Horde/IMP/etc try to avoid saving any
| passwords when possible.  Obviously they can't avoid it altogether (since
| you don't want to ask for a password every time it checks for mail, and 
| multiple times for each check at that), but they do the best they can.  
|  
| In the case of fetchmail, I think that it can be avoided.  We don't fetch
| the mail (since it is a manual operation anyway) that often, so it isn't
| a problem to enter the password when we do.  Since I feel it can be avoided,
| I think it should be avoided.
| 
| But then, others will surely disagree with me.

Eric,

I agree totally with everything you say, especially on the skill and
experience of the admin and the storage methods and agree that it should
probably be optional and disabled by default but I certainly wouldn't 
want this to slow down a "head" commit of Fetch Mail for IMP.  :-)

Have a great day,

ed
| 
| Still appreciate the work/effort put into it, and await its release, as
| it will no doubt be a wonderful addition to Horde/IMP.
| 
| -- 
| Eric Rostetter
| eric.rostetter@physics.utexas.edu
| 
| Hey Rocky!  Watch me pull a rabbit from my hat!
| 


-----------------------------------------------------------------------
       The illiterate of the 21st century will not be
             those who cannot read and write,
       but those who cannot learn, unlearn and relearn.
                                                --Alvin Toffler

-------------------------------------------------------------
 http://insourcery.com - Mergence of Business and Technology  
          a "Griffin Plaza Partners, LLC" Company