(Password-) security concerns with mail/rainloop apps

Hi,

First of all: thanks for the amazing piece of software you are building with Nextcloud!

I’m setting up a bunch of web services for a small institution. We have our emails hosted by a provider who doesn’t offer any advanced user administration tools, a website with a password-protected area, and now I’m setting up a Nextcloud for the same user base. Because of the limited user management of the email provider, I’m using IMAP authentication for the website and Nextcloud, which is working pretty well.

I have been experimenting with the webmail apps for Nextcloud: mail and rainloop. Looking a bit deeper into how the authentication to the mail services works, I found out that in both cases the login passwords of the users are stored in the database, which in my opinion implies a severe security issue!

The rainloop app encrypts the password using the deprecated mcrypt_encrypt PHP function. The password is encrypted using the email address as key, which really is sort of equivalent to storing the password in plain text.

The mail app uses Nextcloud's internal encryption method, which feels a bit better, as it shouldn’t rely on deprecated encryption methods. But the main problem is the same as with rainloop: the password is decryptable by anyone who knows the Nextcloud secrets used to encrypt the password, so by anyone in control of the Nextcloud installation.

The point of the decryptable passwords stored in the database renders the apps unusable for me, because I don’t want access to the email passwords of my users; that’s why I’m relying on the password management of the email provider.

As the users authenticate by providing the email password at login time, isn’t there a way to keep this password with the session data and use it to log in to the email services when needed, without storing it in the database? Or encrypt the password in such a way that it’s not decryptable by other people?

Best regards

Andreas

1 Like

@afromm I was searching for exactly this information, but could not find where the passwords are saved for/by rainloop. Could you tell me where they are stored exactly (MySQL DB, path)?

Update: Passwords are stored in the Nextcloud DB; you will find them with the following SQL query:
select * from oc_preferences where configkey = 'rainloop-password'

If it is like this, it would be a real security issue.

From my point of view, the passwords for the mail accounts should be encrypted with the nextcloud-account-password, so that only the user itself is able to decrypt it at login time. At the same time, the mail account password must be encrypted with a secure session key. The encrypted password could be stored temporarily for the time of the Nextcloud session.

A setting to force users to use Two-Factor-Auth when using rainloop would also be a nice feature.

Seems to be connected to this Issue

and the related issue in the mail app:

That’s the way I think it should be done too. Inspecting the code of the app unfortunately told another story. I think it should clearly be stated in the description of the app that the passwords are saved in a decryptable way in the database, so everybody can decide if the app is usable in their own environment. If I install Nextcloud, say at home, on my own server and just me and my family are using the mail app, it could be all right to save the passwords in the database, but in a webhosting environment, or if I have other users, I could get into severe trouble if I potentially save their email passwords.

So please: Put a clear notice on this topic in the app description!
… and maybe someone can implement a correct way to handle the password.

As I use IMAP authentication, the email account password is already given at login time, so probably it would be sufficient to store the password or keep the connection to the IMAP server that is established to authenticate the user!

1 Like
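The scheme proposed in the posts above (storing the mail password encrypted under a key derived from the user's Nextcloud login password, so that the database and the server secrets alone cannot decrypt it), as an added example that is not code from rainloop, the mail app or any poster. The function names, the PBKDF2 work factor and the sample values are assumptions.

```php
<?php
declare(strict_types=1);
// Added illustration; function names and parameters are hypothetical.
const KDF_ITERATIONS = 600000; // assumed PBKDF2-HMAC-SHA256 work factor

// Derive a 256-bit key from the login password. The key is never stored.
function deriveKey(string $loginPassword, string $salt): string
{
    return hash_pbkdf2('sha256', $loginPassword, $salt, KDF_ITERATIONS, 32, true);
}

// Returns base64(salt || nonce || tag || ciphertext) for the database row.
// The user id is bound as associated data so a row cannot be moved to another user.
function sealMailPassword(string $mailPassword, string $loginPassword, string $userId): string
{
    $salt = random_bytes(16);
    $nonce = random_bytes(12);
    $tag = '';
    $ct = openssl_encrypt($mailPassword, 'aes-256-gcm', deriveKey($loginPassword, $salt),
        OPENSSL_RAW_DATA, $nonce, $tag, $userId, 16);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return base64_encode($salt . $nonce . $tag . $ct);
}

// Returns the mail password, or null if the blob is malformed, was tampered with,
// belongs to another user, or the login password is wrong.
function openMailPassword(string $blob, string $loginPassword, string $userId): ?string
{
    $raw = base64_decode($blob, true);
    if ($raw === false || strlen($raw) < 45) {
        return null;
    }
    $key = deriveKey($loginPassword, substr($raw, 0, 16));
    $pt = openssl_decrypt(substr($raw, 44), 'aes-256-gcm', $key,
        OPENSSL_RAW_DATA, substr($raw, 16, 12), substr($raw, 28, 16), $userId);
    return $pt === false ? null : $pt;
}

// Constructed sample values, not real credentials.
$blob = sealMailPassword('mail-secret-example', 'login-pass-example', 'alice');
var_dump(openMailPassword($blob, 'login-pass-example', 'alice') === 'mail-secret-example'); // correct login password
var_dump(openMailPassword($blob, 'wrong-password', 'alice')); // wrong login password
var_dump(openMailPassword($blob, 'login-pass-example', 'bob')); // row copied to another user
```

Because the key exists only while the login password is available, the decrypted value has to be held in the session after login, and a login password change must re-seal the blob.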

Keep in mind that all the contact and calendar entries are open to read in the database as well … encryption really works for files only at this time. Has been a reason for my clients to use an enterprise ready groupware instead of the apps.

enterprise ready groupware instead of the apps.

How do these groupware applications handle data? Encrypting everything? But what happens if a malicious admin/bad person grabs the passwords?

That is one thing that has to be considered when choosing the platform, and it finally depends on the security needs for the data that will be kept. Another thing is to save the passwords of the email accounts of the users in a way that anybody with access to the database can read them.