Chat - Clear text authentication

Problem reported by Nicolas Le Merle - 10/20/2014 at 1:43 AM

Resolved

Hi Guys,

Iv just upgraded to SM Enterprise and upon testing the chat feature iv noticed in the "XMPP Logs" its passing through usernames and password in clear text.

This seems rather concerning to me. Has anyone else noticed this and maybe have an explanation ?

Cheers,

Nic

14 Replies

Reply to Thread

Bruce Barnes Replied

10/20/2014 at 9:31 AM

What version of SmarterMail are you running? I believe this was addressed in SmarterMail version 12.X

Bruce Barnes ChicagoNetTech Inc brucecnt@comcast.net Phonr: (773) 491-9019 Phone: (224) 444-0169 E-Mail and DNS Security Specialist Network Security Specialist Customer Service Portal: https://portal.chicagonettech.com Website: https://www.ChicagoNetTech.com Security Blog: http://networkbastion.blogspot.com/ Web and E-Mail Hosting, E-Mail Security and Consulting

Nicolas Le Merle Replied

10/20/2014 at 11:38 AM

Hi Bruce, SmarterMail Enterprise 12.4

Bruce Barnes Replied

10/20/2014 at 1:22 PM

I stand corrected. I had thought this had been corrected but it has not. I just tested from my Android handset, using IP Pro + and then checked the logs. Here is what I found:

><username>bREDACTED</username><password>shown_as_plain_text</password>

Nicolas Le Merle Replied

10/21/2014 at 3:13 AM

Yup! Hmm, what now O_o ? Is that raw XML leaving the server or is it just getting processed internally ? Should we be disabling the chat feature until SmarterTools look into encrypting the logs ?

Bruce Barnes Replied

10/21/2014 at 4:49 AM

The XMPP (chat) log file is not an XML file, but a plain text file, stored in the SmarterMail logs area.

Under normal circumstances, on a properly configured and secured server, this file should not be accessible, via a SmarterMail login, to anyone who does not have the SmarterMail ADMIN level access. That means that ANY TOP LEVEL SMARTERMAIL ADMIN use can see the file - so be very careful about who you give top level admin level access to, and make certain you assign them a UNIQUE ADMIN USERNAME so whatever they do is logged.

The file is also available to ANYONE who has "desktop" or remote access to files on the server which hosts SmarterMail.

To borrow from the consumer phrase, "caveat emptor" (buyer beware), let's create our own network security phrase: "vestibulum auctor cave" which translates to "server operator beware."

As the operators of any server, whether SmarterMail, IIS, or for whatever purpose the server is configured, until a solution is brought forth, we must do the best we can to protect the XMPP logs, and for that matter, any other logs and files, which might contain sensitive data from access by any outside individual, worm, virus, or other force who might want to gain access.

Based on the fact that, unless proven otherwise, this includes anyone with access to a computer, lock it down.

Employee Replied

10/21/2014 at 3:14 PM

Employee Post

Nicolas/Bruce, you are correct in that SmarterMail currently does not support TLS with the XMPP. This is a known issue and is currently being addressed. The TLS update to XMPP will be included in a future release. To facilitate this issue, I am changing this thread from question to problem and setting it to "Being Fixed."

Steve Reid Replied

10/22/2014 at 5:47 AM

Are the passwords going to be encrypted?

Bruce Barnes Replied

10/22/2014 at 5:52 AM

Thank you, Steve, that was the whole basis for posting both the redacted log samples and the explanation!

Steve Reid Replied

10/22/2014 at 7:04 AM

Robert's reply seems OT... Nobody even mentioned TLS

Matt Petty Replied

11/5/2014 at 1:40 PM

Employee Post

With the release of Version 13 of SmarterMail we now have SASL authentication with digest methods to allow non-plaintext authentication. TLS/SSL support is added but is experimental.

Matt Petty Senior Software Developer SmarterTools Inc. www.smartertools.com