Courier & Exim: Logging Passwords

Discussion in 'General Discussion' started by interactive, Aug 20, 2006.

  1. interactive

    Hello,
    Kind of an odd request, but we're planning on migrating our mailserver. As part of this process we have to convert all mail users' passwords. We could run L0phtCrack to jam out the roughly 3,100 mailboxes, but this would take quite a while.

    However, after doing some testing I discovered that with Courier & Exim (on a differently configured non-CPanel server), you can turn up the logging levels. So I've changed /etc/syslog.conf from mail.info to mail.debug and it works perfectly. Users' passwords are logged in clear text.

    Here's the configuration section that I have working on a non-CPanel server and it logs passwords in clear text perfectly:
    Code:
    cram:
      driver = cram_md5
      public_name = CRAM-MD5       
      server_advertise_condition = *
      server_secret = ${lookup mysql{SELECT userClearPassword FROM mailUsers WHERE userEmailAddress = '${quote_mysql:$1}'}{$value}fail}
      server_set_id = $1      
    
    Obviously we already have the passwords stored in clear text, but there's gotta be a way to where we can get this to work.

    Here's the configuration from our CPanel server:

    Code:
    fixed_plain:
      driver = plaintext
      public_name = PLAIN
      server_prompts = :
      server_condition = "${perl{checkuserpass}{$1}{$2}{$3}}"
      server_set_id = $2

    fixed_login:
      driver = plaintext
      public_name = LOGIN
      server_prompts = "Username:: : Password::"
      server_condition = "${perl{checkuserpass}{$1}{$2}}"
      server_set_id = $1
    
    I'm hesitant to modify the configuration for the CPanel server because I obviously don't want to prevent users from checking their e-mail.

    As a last resort, is there any way I could modify the $perl{checkuserpass} to get it to possibly log all of the converted passwords? Then I could do just a dictionary brute force on our mail users.

    Thanks, any insight would be greatly appreciated.
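
The post above reports that switching /etc/syslog.conf from mail.info to mail.debug causes passwords to be logged in clear text, so it is worth knowing which log destinations receive mail.debug on a given host. The following is an added example, not part of the original post or of cPanel's code; it assumes sysklogd-style selector syntax (`=`, `!`, `none`, `*`), and the sample configuration and file paths are constructed.

```python
# Priority aliases accepted by classic (sysklogd-style) syslog.conf.
ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}

def delivers_mail_debug(selector_field):
    """True if this selector field routes mail-facility debug messages to its action."""
    selected = False
    for selector in selector_field.split(";"):   # evaluated left to right
        facilities, _, prio = selector.strip().partition(".")
        facs = facilities.split(",")
        if "mail" not in facs and "*" not in facs:
            continue
        if prio == "none":                       # facility.none drops everything
            selected = False
            continue
        negate = prio.startswith("!")
        prio = prio.lstrip("!").lstrip("=")      # "=debug" and "debug" both cover debug
        prio = ALIASES.get(prio, prio)
        covers_debug = prio in ("*", "debug")    # "info" and above never include debug
        if covers_debug:
            selected = not negate                # "!" removes priorities, never adds
    return selected

def audit(conf_text):
    """Return (line_number, destination) for every rule that receives mail.debug."""
    findings = []
    for number, line in enumerate(conf_text.splitlines(), start=1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and delivers_mail_debug(parts[0]):
            findings.append((number, parts[1].lstrip("-")))  # "-" prefix = no sync
    return findings

# Constructed sample, not taken from the thread.
SAMPLE = """\
# constructed syslog.conf
*.info;mail.none;authpriv.none   /var/log/messages
mail.debug                       -/var/log/maillog
mail.info                        /var/log/mail.info
*.*;mail.!=debug                 /var/log/all
kern.debug                       /dev/console
"""

if __name__ == "__main__":
    for number, dest in audit(SAMPLE):
        print(f"line {number}: mail.debug goes to {dest}; check for clear-text passwords")
```

Any destination the audit reports should be reviewed for file permissions, rotation and retention, since it may hold credentials.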
     
  2. interactive

    Anyone have any suggestions on this?
     