Security for MvPOP and MvSMTP?


    Hi folks,

    I'm working on a module that will do some management of email via MvPOP and MvSMTP. I haven't used these in some years, and I know that email security standards have gotten stricter since then. I'm looking for some information on how to make the module secure.

    The LSK contains an example of how to use an encrypted password with MvSMTP; and in fact, I'll probably use the SendEmail() library function for all my outgoing mail, so that takes care of that part of it ... although from a quick look I'm not entirely sure whether this is actually in use in my store. And there aren't any examples of MvPOP in the LSK, or anywhere in Merchant that I know of. How should I set this up? Is there documentation? It looks like I could copy the password-handling part from the LSK, if it's the same for MvPOP as it is for MvSMTP; will that work?

    Thanks --
    Kent Multer
    Magic Metal Productions
    http://TheMagicM.com
    * Web developer/designer
    * E-commerce and Miva
    * Author, The Official Miva Web Scripting Book -- available on-line:
    http://www.amazon.com/exec/obidos/IS...icmetalproducA

    #2
    For our servers, you'd want MvSMTP talking to port 587 and you'll need to set the FLAGS argument 'starttls', but otherwise, it should work like you've used in the past with a connection to localhost and no auth.

    For MvPOP, unfortunately it does not currently support encrypted connections. There's never been very widespread use of that function so it hasn't received a high priority for that feature addition. On our servers specifically, if you connect to localhost, you should be able to use unencrypted POP3 as it's still enabled on the localhost interface, just not on the public-facing interfaces/addresses.
    David Hubbard
    CIO
    Miva
    [email protected]
    http://www.miva.com



      #3
      Hi David, thanks for the info.

      MvPOP requires a password. Is there a way to encrypt that before I save it with the module's other admin settings? I suppose I can use something like Blowfish, or some other type of reversible scrambling. The key would have to be included in the .mvc file, but that's secure against most types of hackers.

      As I mentioned, the SendEmail() library function seems to use an encrypted password. But the code that encrypts and stores the password is in admin.mv, and the LSK doesn't include that. There seem to be a few different types of encryption used in the store, and some of them can be decrypted without a passphrase. Can I get a code snippet that will fill in the missing info?

      Thanks --
      Kent Multer
      Magic Metal Productions
      http://TheMagicM.com


        #4
        If this is a one-off module, or would be customized on a per-user basis, then having the pass phrase in the mvc file is probably fine, and more secure than storing it elsewhere such as mivadata or database. Alternatively, you could use something like the store's license key as the pass phrase if you wanted something store-specific but didn't want to re-code the module for each store that uses it; the encrypted text could only be decrypted by someone who knew the data plus the store license, which is probably only going to be someone who already has access to everything anyway.

        I'd probably use the openssl functions instead of blowfish.
        David Hubbard
        CIO
        Miva
        [email protected]
        http://www.miva.com



          #5
          I don't intend to hard-code the password; sorry if I was unclear. I intend to use some kind of encryption or scrambling on the password before saving it in the DB with the other admin settings. But I don't want the user to have to enter some other, secondary password to decrypt the real password, every time they want to send or receive email.

          As an example of a simple homegrown encryption algorithm, I could base64-encode the password, strip off any trailing equal signs, reverse the order of the characters, add some random characters at the beginning and end, and then append equal signs if needed to make a valid base64 string. It's easy to do, and easy to un-do. And the only way to hack it is to find out how the algorithm works, either by decompiling the .mvc file, or by stealing a copy of the source code. The hacker would need some pretty specialized computer skills, as well as access to the files and DB.

          But I prefer to use Miva library functions instead of writing code from scratch. Looking at the LSK, it seems that the SendEmail() library function works this way -- except with a better algorithm, of course. It calls a function named Decrypt_Payment_Password, which seems to be able to do what I need: decrypt something without manual intervention. But a lot of the encryption code isn't included in the LSK. I can't tell how to encrypt and save a password so that this function will be able to decrypt it.

          That's my question, boiled down to one sentence: how can I use built-in functions to encrypt and decrypt a piece of text without requiring the user to enter a passphrase every time?

          Thanks again --
          Kent Multer
          Magic Metal Productions
          http://TheMagicM.com


            #6
            Right, that's what I meant by storing the pass phrase. If you use the built-in encryption functions, either the blowfish set, or the openssl set, a pass phrase is needed to use the encrypt/decrypt functions. That pass phrase does not have to be something the customer ever sees or enters; it can be stored in the compiled mivascript file. That would allow you to use the standard functions rather than something proprietary to try and accomplish a reasonably encrypted result that you can still decrypt. If this is a one-off, then hard coding a pass phrase of your choice in the mvc is fine, but if this is something to sell, you could use a value that is unique to a given store, such as the license key, as the pass phrase. Then what's in the database is secure from someone eavesdropping on it, but the module remains portable and you don't have a version for each site that uses it, or the same pass phrase for every site that uses it.
            David Hubbard
            CIO
            Miva
            [email protected]
            http://www.miva.com
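
Added example, not part of the thread and not Miva code: a Python sketch contrasting the keyless scramble described in post #5 with the stored-pass-phrase approach described in post #6. All function names and sample values are hypothetical, and because Python's standard library has no AES, an HMAC-SHA256 counter-mode keystream stands in for the OpenSSL cipher recommended in the thread.

```python
import base64, hashlib, hmac, secrets

JUNK = 3  # constructed: random characters added at each end by the scramble
ALNUM = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"

def scramble(password):
    """Keyless scheme from post #5: base64, strip '=', reverse, add junk, re-pad."""
    core = base64.b64encode(password.encode()).decode().rstrip("=")[::-1]
    junk = lambda: "".join(secrets.choice(ALNUM) for _ in range(JUNK))
    out = junk() + core + junk()
    return out + "=" * (-len(out) % 4)

def unscramble(stored):
    """Undo scramble() from the stored value alone: no secret is needed."""
    core = stored.rstrip("=")[JUNK:-JUNK][::-1]
    return base64.b64decode(core + "=" * (-len(core) % 4)).decode()

def _keys(passphrase, salt):
    # Stretch the store-specific pass phrase into an encryption key and a MAC key.
    km = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000, dklen=64)
    return km[:32], km[32:]

def _xor_stream(key, nonce, data):
    # HMAC-SHA256 in counter mode: a stdlib stand-in for the OpenSSL cipher.
    stream = b""
    for ctr in range(len(data) // 32 + 1):
        stream += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(password, passphrase):
    """Encrypt then MAC; the result is what would be saved with the admin settings."""
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    enc_key, mac_key = _keys(passphrase, salt)
    body = salt + nonce + _xor_stream(enc_key, nonce, password.encode())
    return base64.b64encode(body + hmac.new(mac_key, body, hashlib.sha256).digest()).decode()

def unseal(stored, passphrase):
    """Decrypt a sealed value; fails unless the same pass phrase is supplied."""
    raw = base64.b64decode(stored)
    body, tag = raw[:-32], raw[-32:]
    enc_key, mac_key = _keys(passphrase, body[:16])
    if not hmac.compare_digest(tag, hmac.new(mac_key, body, hashlib.sha256).digest()):
        raise ValueError("wrong pass phrase or modified value")
    return _xor_stream(enc_key, body[16:32], body[32:]).decode()

if __name__ == "__main__":
    saved = seal("mailbox-password", "CONSTRUCTED-LICENSE-KEY")  # constructed values
    print(unscramble(scramble("mailbox-password")), unseal(saved, "CONSTRUCTED-LICENSE-KEY"))
```

The scrambled value protects nothing once the steps are known, and the same steps apply to every store; the sealed value from one store cannot be opened with another store's pass phrase.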



              #7
              It may not be a good idea discussing security specifics in a public forum.
              Thank you, Bill Davis



                #8
                I don't think this is particularly sensitive; someone would have to gain access to a person's store admin area as an admin, as well as their control panel, and their store database, just to get the content they could then use to decrypt the password for an email account. If they've already gained that level of access to a given store, and the database, there are worse things they would be able to do, but could also simply change the password to the email account in question rather than spending time trying to decrypt its old password, but either option would be on the table.
                David Hubbard
                CIO
                Miva
                [email protected]
                http://www.miva.com



                  #9
                  If all the decryption schemes require a password of some sort, then I guess that the built-in function Decrypt_Payment_Password() must use a password that's hidden away somewhere in Merchant. There's probably a matching Encrypt_Payment_Password() function in the store that uses the same password. So if I had the code, or even just the call format, for that function, I could use both of them for my purposes, instead of having to write my own code. Can I get that info please? Or is that something that you folks want to keep confidential?

                  Thanks for your help --
                  Kent Multer
                  Magic Metal Productions
                  http://TheMagicM.com


                    #10
                    Payment data can only be decrypted by a store administrator entering the encryption pass phrase; that isn't information Merchant knows. For customers using subscriptions, that's implemented via MivaPay where we're storing the card numbers on our side and the stores themselves just have tokens that interface with MivaPay, so there's no decryption of payment info happening on the store side.

                    I'll see if I can find some code examples of general encryption/decryption of data.
                    David Hubbard
                    CIO
                    Miva
                    [email protected]
                    http://www.miva.com



                      #11
                      As far as I can tell from the LSK, the library function that I mentioned is used for sending many kinds of emails throughout the store, including the notifications that go out every time a customer completes an order. Obviously no one is typing in a passphrase at that time. That's why I think there must be a type of encryption in use that may not be as strong as what's used for payment data, but is still pretty strong, and can be decrypted without a password, or by using a password that is "buried" somewhere in the store code.

                      Thanks --
                      Kent Multer
                      Magic Metal Productions
                      http://TheMagicM.com


                        #12
                        I'm not sure what data you mean; what information have you found that is encrypted in the database yet sent in email as text?
                        David Hubbard
                        CIO
                        Miva
                        [email protected]
                        http://www.miva.com



                          #13
                          There is a function in util.mv (util_public.mv in the LSK) named v9_SendEmail, which is used in many places throughout the store, including the Template-based Emails module. Early in that function, along with the other initialization code, is this line:
                          Code:
                          <MvASSIGN NAME = "l.password"  VALUE = "{ [ g.Library_Filename_Crypto ].Decrypt_Payment_Password( g.Domain:mailpass ) }">
                          Can a module use this function to decrypt its own data? If so, I'd like to know the details of the Encrypt_PaymentPassword() function, or whatever the name might be, that is used with it.

                          Thanks --
                          Kent Multer
                          Magic Metal Productions
                          http://TheMagicM.com