2
SmaterMail 15.0 Professional - Can't View User Passwords
Question asked by Doreen Jones - 4/14/2016 at 2:48 PM
Answered
I just got 15.0 and can't view my user passwords.  Something about being in Authentication Mode whatever that is.  I have clients who routinely forget their passwords.  I'm in the process of setting up password retrieval on my system.  But meantime, did I lose the ability to see a user password?

20 Replies

Reply to Thread
2
Andrea Free Replied
Employee Post
Hi Doreen,
 
In version 15.x, the ability for a System Administrator to view a user's password has been removed. It has been replaced with the ability to create a temporary password to access the account. Please see this thread for more information: http://portal.smartertools.com/community/a87728/show-password-in-15_x.aspx
 
Thank you,
Andrea Free SmarterTools Inc. 877-357-6278 www.smartertools.com
0
Doreen Jones Replied
Ok - thanks.
1
Gerry Dubois Replied
It sucks !
0
Connie DeCinko Replied
It's called security.
0
igorinuk Replied
You can still view the passwords using API and 3rd-party tools (for example HostsTools SmarterMail Password Recovery).
0
Matt Petty Replied
Employee Post
Our next update with reintroduce this to the interface. Our next update should be soon.
Matt Petty Software Developer SmarterTools Inc. (877) 357-6278 www.smartertools.com
1
Matt Petty Replied
Employee Post Marked As Answer
Our next update will reintroduce this to the interface. Our next update should be soon.
 
Matt Petty Software Developer SmarterTools Inc. (877) 357-6278 www.smartertools.com
0
Gerry Dubois Replied
That is a very wise decision.
0
Andrea Free Replied
Employee Post
With today's minor of 15.x (15.2.6039) the Show Password option is back, albeit temporarily.
 

As per the release notes, it's a setting in the mailConfig.xml file. By default, the Show Password option is disabled (set to False), but you can simply edit the XML and change the field to True to have it displayed again. You'll want to edit the <allowViewingOfPasswords></allowViewingOfPasswords> row to activate the option. (Stop the SmarterMail service before editing system files.)

In case you upgrade but don't see the <allowViewingOfPasswords> field in the mailConfig.xml, close the file and log in to SmarterMail as a System Admin. Go to any Settings page in SmarterMail and simply save the page. This will write out a new mailConfig.xml file that will include the new field. 

 

Thanks,

Andrea Free SmarterTools Inc. 877-357-6278 www.smartertools.com
2
Bruce Barnes Replied
SmarterMail caved: anyone enabling this feature violates HIPAA / HITECH and credit card security on thier SmarterMail server. Want truly secure hosting? We nake ZERO exceptions
Bruce Barnes ChicagoNetTech Inc brucecnt@comcast.net Phonr: (773) 491-9019 Phone: (224) 444-0169 E-Mail and DNS Security Specialist Network Security Specialist Customer Service Portal: https://portal.chicagonettech.com Website: https://www.ChicagoNetTech.com Security Blog: http://networkbastion.blogspot.com/ Web and E-Mail Hosting, E-Mail Security and Consulting
2
Scarab Replied
I was okay with the Password Recovery options and not being able to view Passwords at all, but I was working under the assumption that was because Passwords in v15 were Salted & Hashed in accordance with Industry Standards and were not reversible.
 
Obfuscation through Obscurity is not really Security. As long as they could be recovered through third-party Apps using the API means it didn't really matter that they were hidden from System Admins or Domain Admins, as they were still recoverable in some form, and not really in compliance.
 
So, I for one, am at the same place I was before and after the change. I know that many people are happy about being able to set their Smartermail installation to allow Passwords to be revealed, but I would much rather have it to where Passwords couldn't be revealed by either Smartermail or through a third-party App using the API, where they were properly Salted & Hashed, and truly secure.
0
Patrick Jeski Replied
HIPAA doesn't apply to most people.
1
Bruce Barnes Replied
More than anyone might think! Just because you don’t originate a message, doesn't mean is,does not need to be HIPAA / HITECH / SARBANES OXLEY compliant if it so much as passes through a domain hosted on your server. Enforced TLS, DMARC, secure passwords, and the removal of the ability to prevent non TLS, non-encrypted data connections, help us prevent such non-compliant traffic from using our SmarterMail servers.
Bruce Barnes ChicagoNetTech Inc brucecnt@comcast.net Phonr: (773) 491-9019 Phone: (224) 444-0169 E-Mail and DNS Security Specialist Network Security Specialist Customer Service Portal: https://portal.chicagonettech.com Website: https://www.ChicagoNetTech.com Security Blog: http://networkbastion.blogspot.com/ Web and E-Mail Hosting, E-Mail Security and Consulting
0
Linda Collins Replied
So then do not enable the feature if you need to be HIPAA compliant. The fact that the option is there does not break the compliance.
2
Bruce Barnes Replied
Linda; Meerly having the feature capable of being enabled causes any SmarterMail server to fail HIPAA / HITECH; SARBANES OXLEY, and Credit card compliance audits. They also want the ability to reverse engineer encrypted passwords disabled, and all data encrytped, bith at travel and rest, with read-only logs stored for a minimum of 60 months. We must also know WHERE the data is,stored at all times. We have several HIPAA / HITECH compliant accounts and have to regularly (at least annually) meet with them to show compliance. Everyone is,whether directory, or indirectly, responsible for being compliant, even if we don't directly host, or orginate compliance required data.
Bruce Barnes ChicagoNetTech Inc brucecnt@comcast.net Phonr: (773) 491-9019 Phone: (224) 444-0169 E-Mail and DNS Security Specialist Network Security Specialist Customer Service Portal: https://portal.chicagonettech.com Website: https://www.ChicagoNetTech.com Security Blog: http://networkbastion.blogspot.com/ Web and E-Mail Hosting, E-Mail Security and Consulting
0
Connie DeCinko Replied
Bruce, Thank You for being a voice of reason in all this noise of "... now we have to actually do work..." I have said the same... with this feature enabled, I dare you to pass a security audit.
0
bob Replied
Was this removed again in yesterday's update?
0
Andrea Free Replied
Employee Post
Hi Bob. I upgraded my test installation to 15.3 and have confirmed this line in the MailConfig.xml file is still available. The default location of the file is Local Disk (C:)\ Program Files (x86) \ SmarterTools \ SmarterMail \ Service \ mailConfig.xml. If you don't see this line, please go to Settings as the System Admin and click Save in the toolbar.
Andrea Free SmarterTools Inc. 877-357-6278 www.smartertools.com
0
bob Replied
I see the entry in the xml file and I have it set to True, but when I log in as administrator, I don't see where I can view the passwords. I stopped and started the SmarterMail service and IIS, but no view password button.
0
Andrea Free Replied
Employee Post
Can you confirm that you're logged in as the SYSTEM administrator? The Show Password option will only appear to System Admins impersonating the Domain Admin.

Log in as the System Admin, click on the Domains icon. Manage the domain and you'll impersonate the Domain Admin and be taken to the Users grid. When you edit the user, the option to Show Password should show in the toolbar.
Andrea Free SmarterTools Inc. 877-357-6278 www.smartertools.com

Reply to Thread