[pskmail] Testing session authorization on pskmail 1.2.1

  • From: "Rein Couperus" <rein@xxxxxxxxxxxx>
  • To: pskmail@xxxxxxxxxxxxx
  • Date: Fri, 22 Jul 2011 12:01:44 +0200 (CEST)

The present client/server (< 1.2.x) does not use any session authorization.
The server uses a database to store your mail data, viz. pop server, userid and pop password.
This is done so the client does not have to send this data before every session, which saves bandwidth on the link.

This means that in principle anyone can read your mail just by (mis)using your CALL.

PSKmail 1.2.x uses a fairly short session password to prevent this. The password can be set using the client, and transfer of passwords uses fairly strong encryption on the link.

PSKmail 1.2.x is backward compatible to older versions of server and client, so that migration should be no problem. Authorization is OFF by default, and is activated by sending a password to the server. This works only when the server has a valid mail record for the user. If a mail record is not available, authorization is useless anyway. When authorization is active, all mail related services are protected.

To set your mail record, enter your data into the preferences form and send it to the server with 'update server' (ctrl-u). After the server has updated the mail record, you can send a session password to the server with ':SETPASSWORD'.
You only have to do this once.
It is advisable to set at least a return address, otherwise sending APRS email will not work.

For server ops:
The passwords are now encrypted in the database; they can only be set by the client.
It is possible to reset the session password by setting 'findupassword' to 'none', which switches off authorization, so that the client can reset the passwords.

Link encryption uses the Diffie-Hellman encryption scheme, which creates new secrets for every new session. An eavesdropper cannot recover the passwords.
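The flow described above (ephemeral Diffie-Hellman per session, ':SETPASSWORD' only accepted when a mail record exists, 'findupassword' = 'none' switching authorization off) as a runnable model. This is an added example, not PSKmail's own code: the DH group, the SHA-256 key derivation, the HMAC-based link cipher and storing the session password as a salted hash are all assumptions made for the model, and the CALL and mail record values are constructed.

```python
import hashlib
import hmac
import secrets

# Toy DH group (constructed for this model): a 127-bit prime modulus and generator 3.
P = 2**127 - 1
G = 3

def dh_keypair():
    # Fresh ephemeral secret and public value for one session (new secrets every session).
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)

def session_key(my_secret, peer_public):
    """Derive a 32-byte link key from the shared DH secret (assumed KDF: SHA-256)."""
    return hashlib.sha256(pow(peer_public, my_secret, P).to_bytes(16, "big")).digest()

def seal(key, data):
    """XOR with an HMAC-SHA256 counter keystream (assumed link cipher); also unseals."""
    stream = b"".join(hmac.new(key, i.to_bytes(4, "big"), "sha256").digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

class Server:
    def __init__(self):
        self.mailrec = {}   # CALL -> mail record (pop server, userid, pop password)
        self.passwd = {}    # CALL -> (salt, hash) or "none"; assumption: salted hash
    def update_record(self, call, record):        # client "update server" (ctrl-u)
        self.mailrec[call] = record
    def setpassword(self, call, sealed_pw, key):  # client ":SETPASSWORD" over the DH link
        if call not in self.mailrec:              # only works with a valid mail record
            return False
        salt = secrets.token_bytes(16)
        self.passwd[call] = (salt, hashlib.sha256(salt + seal(key, sealed_pw)).digest())
        return True
    def reset_findupassword(self, call):          # server op sets findupassword to "none"
        self.passwd[call] = "none"                # authorization OFF until client sets a new one
    def authorized(self, call, attempt):
        entry = self.passwd.get(call, "none")
        if entry == "none":                       # authorization OFF: any CALL is served
            return True
        salt, digest = entry
        return hmac.compare_digest(hashlib.sha256(salt + attempt).digest(), digest)

def demo():
    srv = Server()
    (c_sec, c_pub), (s_sec, s_pub) = dh_keypair(), dh_keypair()
    ck, sk = session_key(c_sec, s_pub), session_key(s_sec, c_pub)  # both sides derive same key
    srv.update_record("PA0R", {"pop": "pop.example.net", "user": "rein"})
    srv.setpassword("PA0R", seal(ck, b"s3cret"), sk)
    return ck == sk, srv.authorized("PA0R", b"s3cret"), srv.authorized("PA0R", b"guess")
```

Only the DH public values and the sealed password cross the link, so a passive listener learns nothing usable; the exchange does not by itself identify the peer, which is the property the session password is meant to supply.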

Mail up- and downloads are NOT encrypted, only compressed!

The new features open up possibilities for other authorization schemes like twitter or google+ in future.

The software can be downloaded from http://pskmail.org/PSKMaildownloads.html (alpha).

Happy testing,

73 Rein PA0R

--
http://pa0r.blogspirit.com
