  #3  
29th March 2007, 11:09
vogelor
ISPConfig Developer
 

Quote:
Originally Posted by till
Where is the security problem here? The email log does normally not store any passwords and you may use email over SSL and FTP over SSL or SCP if you want. Also you don't have to use the admin user for email if you want to have this separated.
1) I do not mean the log. I mean the data sent over "the wire". This data contains the username and the pwd used.
2) You CAN use email over SSL, but if you do this you
a) need to know this (ask the admins of the server how many know this)
b) need an SSL certificate for each "mail-server" (normally every admin uses mail.<domain>, meaning mail.muv.com, mail.ispconfig.org and so on...)
so I don't think many admins use email over SSL
3) You don't have to use the admin user for the email, but you can (and once again, I don't think that many server admins realize this problem!)

So what I want to say is:
I know that you have the possibility to make the server secure with ispconfig, but I don't think that many server admins REALIZE this security hole, and so they use this config, and this means that their servers can easily be hacked!
If you have "virtual" users -> one for FTP, one for email and so on, then this is more secure because knowing the email pwd means NOT knowing the FTP pwd! (and vice versa)

I hope it is now easier to understand what I mean.

If not, please ask again!

Olli
__________________
The new luxury is time, not money!

Company : http://www.muv.com, http://www.computerandservice.de
Private : http://www.vogelor.de