Re: [msmtp-users] Passwords



On 28/09/08 11:44:33, Michael Witten wrote:
> I've noticed that many unix tools require that a user
> specify account passwords in config files.
> 
> To me, this seems like a terrible idea, and indeed
> msmtp at least prompts for a password when it needs
> one.
> 
> However, what if I don't want msmtp to prompt me? For
> instance, it seems reasonable to me that someone might
> like to create a higher-level program that uses msmtp
> to do the grunt work; in many cases, that higher-level
> program might like to manage the password in its own
> way.
> 
> Sure it's possible that this higher-level program
> could provide that password via stdin, but that
> seems like a flaky endeavor.
> 
> In short,
> 
> 	Why are passwords dealt with in the way that
> 	they are?
> 
> 	Is it dangerous to provide an option such as
> 	--password?
> 
> 	Is it reasonable to use stdin?
> 
> 	Why are so many people willing to write their
> 	passwords in config files?

The use of passwords (in contradistinction to the use of more secure 
methods of authentication) is largely a matter of the MX setup of one's 
ISP, and mere account-holders often have little say in the matter.

For reasons that are not here germane, my ISP's MX server *requires* 
password authentication. I therefore *am obliged* to provide a 
password.

I include my password in my msmtp config file because my computer is 
physically isolated and behind a firewall, giving me both LAN and 
Internet security -- if my email password is compromised then, quite 
frankly, I have more important things to worry about than whether my 
email account will be used as a spambot.

However, having said that, I occasionally use msmtp in a script. In 
such cases I create a file for the nonce, give the file minimal 
permissions, add my ad hoc config parameters (including password) to 
it, then nuke it immediately it is no longer required. I prefer this to 
stdin because stdin will be converted into an argument when invoking 
msmtp -- since one of my scripts involves large mime attachments it 
means that the arguments to mime will be visible for a considerable 
time to anyone who runs ps. In my opinion, a password en clair is less 
vulnerable in a short-lived file than as an argument to a relatively 
long-running instance of msmtp.

Robert Thorsby
To be or not to be. -- Shakespeare
To do is to be. -- Nietzsche
To be is to do. -- Sartre
Do be do be do. -- Sinatra
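
The short-lived config file procedure described in the message above, as an added shell example that is not part of the original post. The host, user and addresses are constructed placeholders, and `run_with_temp_conf` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example: a private, short-lived msmtp config file for use in a script.
#
# run_with_temp_conf PASSWORD CMD [ARGS...]
#   Writes the config to a 0600 temp file, runs CMD with the file's path
#   appended as its last argument, and removes the file however CMD exits.
#   PASSWORD is a shell function argument, not a process argument, and the
#   here-document is written through a file descriptor, so the password is
#   never on any command line that ps can show.
run_with_temp_conf() {
    (
        pw=$1
        shift
        umask 077                          # file is created owner-only
        conf=$(mktemp "${TMPDIR:-/tmp}/msmtprc.XXXXXX") || exit 1
        trap 'rm -f "$conf"' EXIT          # cleanup on normal or failed exit
        trap 'exit 129' HUP                # route signals through the EXIT trap
        trap 'exit 130' INT
        trap 'exit 143' TERM
        # Constructed placeholder account; replace with real settings.
        cat >"$conf" <<EOF
account default
host smtp.example.invalid
port 587
tls on
auth on
user alice
from alice@example.invalid
password $pw
EOF
        "$@" "$conf"
    )
}

# Typical call from a script (message on stdin, recipients from its headers):
#   run_with_temp_conf "$pw" msmtp -t -C < message.eml
```

The file exists only for the lifetime of the wrapped command, so the exposure window is the same as the msmtp run itself.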