Chat - Clear text authentication
Problem reported by Nicolas Le Merle - October 20, 2014 at 1:43 AM
Resolved
Hi Guys,
 
I've just upgraded to SM Enterprise and, upon testing the chat feature, I've noticed in the "XMPP Logs" that it's passing usernames and passwords in clear text.
 
This seems rather concerning to me. Has anyone else noticed this and maybe have an explanation?

Cheers,
Nic

14 Replies

0
Bruce Barnes Replied
What version of SmarterMail are you running?  I believe this was addressed in SmarterMail version 12.X
Bruce Barnes
ChicagoNetTech Inc
brucecnt@comcast.net

Phone: (773) 491-9019
Phone: (224) 444-0169

E-Mail and DNS Security Specialist
Network Security Specialist

Customer Service Portal: https://portal.chicagonettech.com
Website: https://www.ChicagoNetTech.com
Security Blog: http://networkbastion.blogspot.com/

Web and E-Mail Hosting, E-Mail Security and Consulting
0
Nicolas Le Merle Replied
Hi Bruce, SmarterMail Enterprise 12.4
0
Bruce Barnes Replied
I stand corrected. I had thought this had been corrected but it has not. I just tested from my Android handset, using IP Pro + and then checked the logs. Here is what I found:

><username>bREDACTED</username><password>shown_as_plain_text</password>

0
Nicolas Le Merle Replied
Yup! Hmm, what now O_o? Is that raw XML leaving the server or is it just getting processed internally? Should we be disabling the chat feature until SmarterTools look into encrypting the logs?
0
Bruce Barnes Replied
The XMPP (chat) log file is not an XML file, but a plain text file, stored in the SmarterMail logs area.

Under normal circumstances, on a properly configured and secured server, this file should not be accessible, via a SmarterMail login, to anyone who does not have the SmarterMail ADMIN level access. That means that ANY TOP LEVEL SMARTERMAIL ADMIN user can see the file - so be very careful about who you give top level admin level access to, and make certain you assign them a UNIQUE ADMIN USERNAME so whatever they do is logged.

The file is also available to ANYONE who has "desktop" or remote access to files on the server which hosts SmarterMail.

To borrow from the consumer phrase, "caveat emptor" (buyer beware), let's create our own network security phrase: "vestibulum auctor cave" which translates to "server operator beware."

As the operators of any server, whether SmarterMail, IIS, or for whatever purpose the server is configured, until a solution is brought forth, we must do the best we can to protect the XMPP logs, and for that matter, any other logs and files, which might contain sensitive data from access by any outside individual, worm, virus, or other force who might want to gain access.

Based on the fact that, unless proven otherwise, this includes anyone with access to a computer, lock it down.
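Bruce's post above treats the XMPP log as sensitive data that has to be locked down until the server stops writing credentials into it. An operator can at least find the exposed logins and scrub them before the log is copied anywhere. The script below is an added example (Python, not SmarterMail code): the log line layout is constructed, since the thread only shows the `<username>`/`<password>` fragment, and the two stanza shapes it matches are the standard ones that carry a recoverable password, XEP-0078 legacy `jabber:iq:auth` (the `<password>` element seen above) and SASL PLAIN (base64 of `authzid NUL authcid NUL password`, RFC 4616). The SASL blob in the sample is generated in the code, not captured.

```python
"""Find and redact cleartext XMPP credentials in a chat/XMPP log.

Added example, not SmarterMail code.  The log line layout is constructed;
the credential-bearing stanzas are standard XMPP: XEP-0078 jabber:iq:auth
(the <username>/<password> pair seen in the thread) and SASL PLAIN
(base64 of "authzid\\0authcid\\0password", RFC 4616).
"""
import base64
import re
from typing import List, Optional

# XEP-0078 legacy auth carries the password as element text.
PASSWORD_RE = re.compile(r"(<password>)(.*?)(</password>)")
USERNAME_RE = re.compile(r"<username>(.*?)</username>")
# SASL PLAIN initial response: the whole base64 blob is the credential.
PLAIN_AUTH_RE = re.compile(
    r"(<auth\b[^>]*\bmechanism=['\"]PLAIN['\"][^>]*>)([A-Za-z0-9+/=]*)(</auth>)")


def decode_plain(payload: str) -> Optional[str]:
    """Return the authcid (login name) from a SASL PLAIN blob, or None."""
    try:
        parts = base64.b64decode(payload, validate=True).split(b"\0")
    except ValueError:          # binascii.Error is a ValueError subclass
        return None
    # RFC 4616 layout: [authzid] NUL authcid NUL passwd -> exactly three parts
    return parts[1].decode(errors="replace") if len(parts) == 3 else None


def find_cleartext_credentials(lines: List[str]) -> List[dict]:
    """Detection pass: report every line that exposes a recoverable password."""
    findings = []
    for n, line in enumerate(lines, 1):
        if PASSWORD_RE.search(line):
            m = USERNAME_RE.search(line)
            findings.append({"line": n, "kind": "jabber:iq:auth",
                             "username": m.group(1) if m else None})
        for m in PLAIN_AUTH_RE.finditer(line):
            findings.append({"line": n, "kind": "SASL PLAIN",
                             "username": decode_plain(m.group(2))})
    return findings


def redact_line(line: str) -> str:
    """Drop the secret but keep who logged in, so the line stays useful."""
    line = PASSWORD_RE.sub(r"\1[REDACTED]\3", line)

    def _plain(m):
        user = decode_plain(m.group(2))
        note = f"authcid={user}" if user else "undecodable"
        return f"{m.group(1)}[REDACTED PLAIN credentials, {note}]{m.group(3)}"

    return PLAIN_AUTH_RE.sub(_plain, line)


def redact_log(text: str) -> str:
    """Redact a whole log, preserving line count and line endings."""
    return "".join(redact_line(l) for l in text.splitlines(keepends=True))


# Constructed sample log.  The PLAIN blob is built here from a made-up
# user/password so the example is self-contained and obviously fake.
_PLAIN_BLOB = base64.b64encode(b"\0bruce\0hunter2").decode()
SAMPLE_LOG = (
    "[2014.10.20] 01:43:05 [203.0.113.7][12] connected\n"
    "[2014.10.20] 01:43:05 [203.0.113.7][12] rsp: <iq type='set' id='a1'>"
    "<query xmlns='jabber:iq:auth'><username>nic</username>"
    "<password>Tr0ub4dor3</password><resource>phone</resource></query></iq>\n"
    "[2014.10.20] 01:43:06 [203.0.113.7][12] rsp: <iq type='result' id='a1'/>\n"
    "[2014.10.20] 01:43:09 [203.0.113.9][13] rsp: "
    "<auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl' "
    f"mechanism='PLAIN'>{_PLAIN_BLOB}</auth>\n"
    "[2014.10.20] 01:43:10 [203.0.113.9][13] rsp: "
    "<success xmlns='urn:ietf:params:xml:ns:xmpp-sasl'/>\n"
)

if __name__ == "__main__":
    for f in find_cleartext_credentials(SAMPLE_LOG.splitlines()):
        print(f"line {f['line']}: {f['kind']} login for {f['username']!r}")
    print(redact_log(SAMPLE_LOG), end="")
```

Run it over a real XMPP log with `redact_log(open(path).read())`; the detection pass is the part worth wiring into whatever already watches the logs directory, since a non-empty result means the server is still accepting a password-revealing mechanism.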
1
Robert Emmett Replied
Employee Post
Nicolas/Bruce, you are correct in that SmarterMail currently does not support TLS with XMPP.  This is a known issue and is currently being addressed.  The TLS update to XMPP will be included in a future release.  To facilitate this issue, I am changing this thread from question to problem and setting it to "Being Fixed."
Robert Emmett
Software Developer
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
0
Steve Reid Replied
Are the passwords going to be encrypted?
0
Bruce Barnes Replied
Thank you, Steve, that was the whole basis for posting both the redacted log samples and the explanation!
0
Steve Reid Replied
Robert's reply seems OT... Nobody even mentioned TLS
2
Matt Petty Replied
Employee Post
With the release of Version 13 of SmarterMail we now have SASL authentication with digest methods to allow non-plaintext authentication. TLS/SSL support is added but is experimental.
Matt Petty
Software Developer
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
1
Bruce Barnes Replied
Thanks for the update, Matt -

Looking forward to checking this out and playing with the TLS portion of it.  
 
As an FYI, Microsoft is officially sunsetting all SSL on 1 December, 2014, per their announcement in Redmond Magazine:
 
0
Shawn Clifford Replied
Matt, please point me to documentation to try TLS/SSL. This is a requirement for my environment (no clear text passwords).
0
Matt Petty Replied
Employee Post
http://portal.smartertools.com/kb/a2671/configure-ssl-tls-to-secure-smartermail.aspx Follow this guide, the port for XMPP is 5222.
0
jev.sapasap Replied
Hi,
 
We are using SM16.
How can I disable cleartext authentication mechanisms in the XMPP configuration?
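Matt's post above says version 13 adds SASL digest mechanisms with TLS still experimental, and the last question asks how to turn cleartext mechanisms off. Whatever a given build is configured to do, the server declares it in the first `<stream:features>` it sends on port 5222, before any TLS: whether STARTTLS is offered or required, which SASL mechanisms it will accept, and whether legacy `jabber:iq:auth` is still enabled. The script below is an added example (Python, not SmarterTools code) that parses that stanza and decides whether a password could be sent in the clear on that socket. The two sample stanzas are constructed, the live `probe()` is not run offline, and the check flags only mechanisms that disclose the password itself (PLAIN and legacy iq-auth), so DIGEST-MD5 passes it even though RFC 6331 has deprecated it.

```python
"""Audit an XMPP server's pre-TLS <stream:features> for cleartext auth.

Added example, not SmarterTools code.  Stanza shapes follow RFC 6120
(STARTTLS and SASL features) and XEP-0078 (legacy iq-auth feature); the
sample stanzas are constructed for the demonstration.
"""
import socket
import xml.etree.ElementTree as ET

NS_STREAM = "http://etherx.jabber.org/streams"
NS_TLS = "urn:ietf:params:xml:ns:xmpp-tls"
NS_SASL = "urn:ietf:params:xml:ns:xmpp-sasl"
NS_IQ_AUTH = "http://jabber.org/features/iq-auth"   # XEP-0078 non-SASL auth

# SASL mechanisms that put the password itself on the wire.
CLEARTEXT_MECHS = {"PLAIN"}


def parse_features(raw: str) -> dict:
    """Pull the first <stream:features> out of raw server output and
    describe its STARTTLS and authentication offerings."""
    start = raw.find("<stream:features")
    end = raw.find("</stream:features>")
    if start < 0 or end < 0:
        raise ValueError("no <stream:features> in server output")
    fragment = raw[start:end + len("</stream:features>")]
    # The stream: prefix is declared on the enclosing <stream:stream>, which
    # is not part of the fragment; re-declare it on a throwaway root.
    root = ET.fromstring(f'<root xmlns:stream="{NS_STREAM}">{fragment}</root>')
    feats = root.find(f"{{{NS_STREAM}}}features")
    tls = feats.find(f"{{{NS_TLS}}}starttls")
    mechs = [m.text.strip() for m in feats.iter(f"{{{NS_SASL}}}mechanism") if m.text]
    return {
        "starttls_offered": tls is not None,
        "starttls_required": tls is not None
        and tls.find(f"{{{NS_TLS}}}required") is not None,
        "mechanisms": mechs,
        "legacy_iq_auth": feats.find(f"{{{NS_IQ_AUTH}}}auth") is not None,
    }


def cleartext_auth_possible(features: dict) -> bool:
    """True if a client could authenticate with a recoverable password on the
    unencrypted socket these features were read from.  With <required/> the
    server must reject auth until the stream is upgraded (RFC 6120 5.3.1), so
    the listed mechanisms are then only ever used under TLS."""
    if features["starttls_required"]:
        return False
    if features["legacy_iq_auth"]:
        return True
    return any(m in CLEARTEXT_MECHS for m in features["mechanisms"])


def probe(host: str, port: int = 5222, timeout: float = 5.0) -> dict:
    """Open a stream to a live server and parse what it offers before TLS.
    Network call; not exercised offline.  'host' is whatever you are auditing."""
    header = (
        "<?xml version='1.0'?>"
        f"<stream:stream to='{host}' xmlns='jabber:client' "
        f"xmlns:stream='{NS_STREAM}' version='1.0'>"
    )
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(header.encode())
        buf = b""
        while b"</stream:features>" not in buf:
            chunk = s.recv(4096)
            if not chunk:
                break
            buf += chunk
        s.sendall(b"</stream:stream>")
    return parse_features(buf.decode(errors="replace"))


# Constructed: a server that still lets clients log in without TLS.
WEAK_FEATURES = f"""<stream:features>
  <starttls xmlns='{NS_TLS}'/>
  <mechanisms xmlns='{NS_SASL}'>
    <mechanism>PLAIN</mechanism>
    <mechanism>DIGEST-MD5</mechanism>
  </mechanisms>
  <auth xmlns='{NS_IQ_AUTH}'/>
</stream:features>"""

# Constructed: STARTTLS mandatory, so nothing below is usable in the clear.
HARDENED_FEATURES = f"""<stream:features>
  <starttls xmlns='{NS_TLS}'><required/></starttls>
  <mechanisms xmlns='{NS_SASL}'>
    <mechanism>SCRAM-SHA-1</mechanism>
  </mechanisms>
</stream:features>"""

if __name__ == "__main__":
    for label, raw in (("weak", WEAK_FEATURES), ("hardened", HARDENED_FEATURES)):
        f = parse_features(raw)
        print(label, f, "-> cleartext auth possible:", cleartext_auth_possible(f))
```

Point `probe("your.server.example", 5222)` at a server after changing its XMPP settings: the configuration question in the thread is answered when `cleartext_auth_possible()` comes back False, which in practice means STARTTLS is marked required or PLAIN and legacy iq-auth are no longer advertised on the plaintext port.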
