in reply to Encryption 101

This thread has raised a similar question for me. I fully agree that passwords should be encrypted in such a way that not even "root" can decrypt them (easily, if at all). However, I have a situation that I haven't been able to figure out. I wrote an email client so that our remote users can use our Exchange server through their ISPs (many of which will not allow you to send mail unless it goes through their server). In the main website, they are allowed to enter their username, email domain, and password so that they don't have to log in multiple times on the same site. I store this info in MySQL, and when they choose to run the email client they are automatically logged in. The main problem here is that I need to decrypt the password before sending it to the Exchange server, since it doesn't understand the encrypted one. I feel like this is a huge problem waiting to explode. Does anyone have any ideas on how this situation could be handled better?

Re: Re: Encryption 101
by waswas-fng (Curate) on Aug 01, 2003 at 15:46 UTC
    It becomes easy when you make your employees use a VPN to access your Exchange server directly and have a smarthost mail server (sendmail, qmail, whatever, set up securely) on a DMZ that actually is exposed to the internet at large. To the ISP the VPN traffic does not look like SMTP. You lose complexity and gain encrypted communications.

    Also, if you are just using IMAP/POP, other systems (besides Exchange) can be set up with IMAP/POP auth, allowing inbound IMAP/POP connections.

    -Waswas
      We are currently setting up CIPE to do just that. It seems to be working pretty well but we are still testing it. I was really curious though, if there was a viable solution in its current setup. Thanks for the reply.