I see that by default the passwords in ispconfig are stored in crypt-md5 format in the database. My concern is mainly for mail passwords. The crypt-md5 requires that the password is sent in clear over the line, and this means relying on other layers of protection (ssl/tls). In many cases, the users are "ignorant" and thus they use plain text passwords over unencrypted channels. This being airport wifi hotspots, rogue links etc etc. It would be wise to allow for plain-text storage of passwords in the database, and the use of challenge-response authentication mechanisms (like cram-md5 etc), as used in most newer protocols (voip for example). IMHO it's more likely to have passwords stolen from the line, rather than having a server hacked and passwords stolen from there. Is there a way to configure ispconfig to store the plain passwords instead of the crypted ones?
No. ISPConfig does not support insecure password storage in plaintext. If you don't want your customers to use smtp without tls, then you can configure postfix to allow only encrypted smtp connections.
I understand your point... which is highly respected, but opinable. The issue is: 1. it is impossible to force people to use TLS because it is not commonly supported by all clients, and because it causes issues with shared hosting SSL certificates (there is no way to create a wildcard certificate for every mail.domain.ext customer domain). 2. It is much more likely that a password is stolen from the air/line than for an attacker to hack into a server and steal all passwords. Basically, you're giving plain text passwords, many times a day for every account on the system, and there are thousands in my case. You can easily calculate the probability for one password being stolen, per day and then used to spam the world. 3. Point 2 is particularly a problem with hosting business sites for people traveling in the eastern part of the world (like most tech companies which are our usual customers). There is an issue with mobile phones connecting to open-air wifi points. Configuring these phones to accept "any tls certificate" is the only solution, but this only gives a FALSE sense of security, as a MIM attack cannot be detected (the phone will accept any forged cert you give it). 4. It is ultimately a decision to be made by the system administrator and there is no one size fits all (this is precisely what I like with ispconfig: flexibility). Any chance to review the official position on this? Would you accept patches against ispconfig?
The inevitable starts to happen. I migrated a small batch of 450 accounts to ispconfig on a small two server cluster. After 3 days of operation, 2 accounts have already been hacked into and used to spam. These accounts had good passwords (10 letters+numbers) and have been safe for the last 4-5 years. The servers are safe with encrypted passwords, but users are giving them in plain text to the world every time they check their mail. This cannot be true. I am in a multi-server, multi-seller, multi-branded environment, where each reseller uses my system with their own name and resells it to their customers. I cannot reveal the name of the hosting company to the end customers by forcing them to connect via ssl to a server named after the hosting company which is different to the company that sells them the service. I don't know how to make this more clear.... plain passwords are very bad over the internet. period. Can we fix this in ispconfig? EDIT: Pls. correct me if I'm wrong: All this boils down to personal preference, and to changing the mail_user_password.tform.php form (a single line change to set the encryption of the password field), and then allowing dovecot/postfix/courier etc to use the cram-md5 in addition to plain auth.
Right, that's why you use tls to connect to smtp and imap. Plain text passwords in the database are very bad as well. When you use tls, then the passwords are always sent encrypted over the internet. If I would know that the ISP that I use stores passwords in plaintext, I would leave that service immediately. It's just grossly negligent and I guess the provider will be liable in many countries for password misuse if he acts like this. Btw. there are many viruses and trojans out there lately that steal mailbox passwords from the mail clients, so this can be the case with your accounts as well. If you want to have an option to save cleartext passwords in the database, then feel free to make a feature request in the bugtracker. When it gets enough votes, then we will put it on the roadmap.
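
The trade-off argued in this thread, as an added example that is not part of any post above and is not ISPConfig, Dovecot or Postfix code: CRAM-MD5 (RFC 2195) keeps the password off the wire but needs the shared secret on the server, while a one-way hashed store can only verify a password the client actually sends. The function names are hypothetical, PBKDF2 is an assumed stand-in for crypt-md5, and the user, secret and challenge are the sample values from RFC 2195.

```python
import hashlib
import hmac
import os

def cram_md5_response(user: str, secret: bytes, challenge: bytes) -> str:
    """Client side of CRAM-MD5 (RFC 2195): the password never crosses the wire."""
    return f"{user} {hmac.new(secret, challenge, hashlib.md5).hexdigest()}"

def verify_cram_md5(stored_secret: bytes, challenge: bytes, response: str) -> bool:
    """Server side: recomputing the HMAC requires the shared secret itself."""
    _user, _, digest = response.rpartition(" ")
    expected = hmac.new(stored_secret, challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)

def hash_password(password: bytes, salt: bytes) -> bytes:
    """One-way salted hash; PBKDF2 is an assumed stand-in for crypt-md5."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)

def verify_plain(stored_hash: bytes, salt: bytes, presented: bytes) -> bool:
    """PLAIN/LOGIN: the client must present the password itself to the server."""
    return hmac.compare_digest(stored_hash, hash_password(presented, salt))

def demo() -> dict:
    # Sample values from the worked example in RFC 2195, section 2.
    user, secret = "tim", b"tanstaaftanstaaf"
    challenge = b"<1896.697170952@postoffice.reston.mci.net>"
    response = cram_md5_response(user, secret, challenge)

    salt = os.urandom(16)
    stored_hash = hash_password(secret, salt)
    return {
        "response": response,
        # Secret stored in the clear: challenge-response works.
        "cram_with_plain_store": verify_cram_md5(secret, challenge, response),
        # Only a one-way hash stored: the server cannot recompute the HMAC.
        "cram_with_hashed_store": verify_cram_md5(stored_hash, challenge, response),
        # Hashed store still verifies a password sent over the wire (needs TLS).
        "plain_with_hashed_store": verify_plain(stored_hash, salt, secret),
        # A fresh challenge invalidates a captured response (no replay).
        "replay_on_new_challenge": verify_cram_md5(secret, b"<2.2@example.test>", response),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```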