On 07/26/2015 09:37 AM, Carlos E. R. wrote:
Fetchmail stores the passwords in a plain text file, which is only protected by the Linux user password while the system is running. A laptop can be stolen and the passwords simply read from the disk.
The 'inventor' of fetchmail says

<quote src="http://www.catb.org/esr/writings/homesteading/cathedral-bazaar/ar01s09.html">
Another lesson is about security by obscurity. Some fetchmail users asked me to change the software to store passwords encrypted in the rc file, so snoopers wouldn't be able to casually see them.

I didn't do it, because this doesn't actually add protection. Anyone who's acquired permissions to read your rc file will be able to run fetchmail as you anyway—and if it's your password they're after, they'd be able to rip the necessary decoder out of the fetchmail code itself to get it.

All .fetchmailrc password encryption would have done is give a false sense of security to people who don't think very hard. The general rule here is:

17. A security system is only as secure as its secret. Beware of pseudo-secrets.
</quote>

Well, yes, having .fetchmail on an encrypted partition is a second order pseudo-secret. When you are logged in and active that partition is "unlocked" so you can use it.

Maybe you should be using getmail. After all, fetchmail has been beset by other security problems that indicate a lack of understanding of how to code in the mechanisms.

http://www.fetchmail.info/security.html
http://pyropus.ca/software/getmail/faq.html#faq-about-why

I've given up on fetchmail and now use Thunderbird's TLS. What? Oh, right, that's another set of problems...

Round and round we go ...
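An added example, not part of the original message or of fetchmail: a small Python audit that reports whether an rc file is accessible to group/other and which server entries keep a password in the file, without ever printing the secret. The tokenizer is a simplification of the rc syntax, and `SAMPLE_RC`, its host names, user and password are constructed for illustration.

```python
import os
import shlex
import stat
import tempfile

# Constructed sample; host names, user and password are made up.
SAMPLE_RC = '''# constructed example
poll mail.example.org protocol pop3
    user "alice" password "not-a-real-secret"
poll imap.example.net protocol imap
    user "alice" ssl
'''

def inline_password_servers(text):
    """Servers whose entry has a password/pass keyword; values are never returned."""
    it = iter(shlex.split(text, comments=True))  # simplified rc tokenizer (assumption)
    servers, current = [], "(defaults)"
    for tok in it:
        if tok in ("poll", "skip"):
            current = next(it, current)
        elif tok in ("password", "pass"):
            next(it, None)  # skip the secret itself
            servers.append(current)
    return servers

def audit_rcfile(path):
    """Return a list of findings for one rc file."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"mode {mode:04o} gives group/other access")
    with open(path, encoding="utf-8", errors="replace") as fh:
        for server in inline_password_servers(fh.read()):
            findings.append(f"plaintext password on disk for {server}")
    return findings

def audit_sample(mode):
    """Write SAMPLE_RC to a temp file with the given mode and audit it."""
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(SAMPLE_RC)
        os.chmod(path, mode)
        return audit_rcfile(path)
    finally:
        os.unlink(path)

if __name__ == "__main__":
    print(audit_sample(0o644), audit_sample(0o600), sep="\n")
```

Tightening the mode to 0600 clears the permissions finding, but the password finding remains: the secret is still readable by anyone who can read the disk.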