Security Logon on OX
I want to create a discussion about logon security on OX Server.
With some hacking software, on a default OX installation, we can use brute force on all protocols: HTTP, POP3, SMTP, IMAP.
First ideas:
- add SSL certificates for all protocols to encrypt data
- add some lock policy
- add a warning on OXADMIN (or all web administration pages)
For the certificate, it is simple: buy and set up.
For the lock policy, I can begin work on the PAM software. But I need information and counsel from the OX developer team.
For the warning, it will be the second job after the lock policy.
- long passwords
- password duration
Well, I suppose we can work on the HTTP side of things, because the authentication in POP3, SMTP and IMAP is all done by the subsystems (postfix, cyrus). The question is whether you can set up these subsystems to behave as you described.
The last two points would be enhancement requests, so could I convince you to write an enhancement request in our bugzilla?
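The lock policy and administrator warning proposed in the first post, sketched as an added example that is not part of the thread and not OX, postfix or cyrus code. The class name, the thresholds and the event list are assumptions constructed for illustration; it assumes failed logins from all four protocols are reported to one per-account counter, and does not show how the mail subsystems would report them.

```python
from collections import defaultdict, deque

class LockoutPolicy:
    """Lock an account after max_failures failed logins within `window` seconds."""

    def __init__(self, max_failures=5, window=300, lock_seconds=900):
        self.max_failures, self.window, self.lock_seconds = max_failures, window, lock_seconds
        self._failures = defaultdict(deque)  # account -> (timestamp, protocol) of recent failures
        self._locked_until = {}              # account -> time the lock expires
        self.warnings = []                   # entries an admin page could display

    def is_locked(self, account, now):
        until = self._locked_until.get(account)
        if until is not None and now >= until:
            del self._locked_until[account]  # lock expired
            return False
        return until is not None

    def record(self, account, protocol, password_ok, now):
        """Return True if the login is accepted, False if it is rejected."""
        if self.is_locked(account, now):
            return False                     # reject even a correct password while locked
        if password_ok:
            self._failures.pop(account, None)
            return True
        recent = self._failures[account]
        recent.append((now, protocol))
        while now - recent[0][0] > self.window:
            recent.popleft()                 # forget failures outside the window
        if len(recent) >= self.max_failures:
            # Counting per account, not per protocol, so spreading guesses
            # across HTTP, POP3, SMTP and IMAP does not evade the limit.
            self._locked_until[account] = now + self.lock_seconds
            self.warnings.append((account, now, sorted({p for _, p in recent})))
            recent.clear()
        return False

# Constructed sample events: (time in seconds, account, protocol, password_ok)
EVENTS = [
    (0, "alice", "IMAP", False), (10, "alice", "POP3", False),
    (20, "alice", "HTTP", False), (30, "alice", "SMTP", False),
    (40, "alice", "IMAP", False),   # fifth failure: account locked until t=940
    (50, "alice", "HTTP", True),    # correct password, still rejected
    (60, "bob", "HTTP", False),     # other accounts are unaffected
    (1000, "alice", "HTTP", True),  # lock expired, login accepted
]

def replay(events, policy):
    return [policy.record(acct, proto, ok, t) for t, acct, proto, ok in events]

if __name__ == "__main__":
    policy = LockoutPolicy()
    print(replay(EVENTS, policy), policy.warnings)
```

A per-account lock also lets anyone lock out a known user by failing on purpose, so the lock duration and the warning shown to the administrator matter as much as the threshold.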