From the variety of available email clients, I found Claws Mail to be my favorite
(maybe 'cause after 6 years of Linux, I still haven't found the time to
configure mutt...). Anyway, in today's posting I will not praise
the advantages of Claws Mail, but rant a little about one of its
"security" features. Like most programs, Claws Mail stores its
configuration in a separate directory in the user's home folder.
This folder contains, among other things, all account information.
Since Claws Mail doesn't offer any kind of password manager or
"master password", one would think that the passwords for the mail
accounts are stored in plain text. However, the accountrc
file contains base64-encoded strings of DES-encrypted passwords. At
this point, one should wonder how the program can encrypt the
passwords without asking the user for a password. The solution is
simple: the encryption password, i.e. the DES key, is hardcoded into
the binary. With this knowledge it's obvious that this approach is a
clear case of security through obscurity. Given the accountrc file
and the binary, everyone can easily decrypt the passwords, e.g. with
this standalone C program.
If you're asking for more security than the restrictive file
permissions on your home folder can provide, you still have several
options: patch Claws Mail's source code to use a real password safe
for storing the passwords, use file encryption (either for your
complete home folder, or just for ~/.claws-mail, e.g. with encfs),
or switch to another email client.
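To make the difference between the two designs concrete, here is an added example (not Claws Mail's code, and not its real DES scheme or key): the same base64-wrapped storage format once keyed by a constant compiled into the program, and once keyed by a PBKDF2-derived key from a user-supplied master password, as the password-safe remedy above would do. The cipher is a stand-in built from HMAC-SHA256 in counter mode with an authentication tag, chosen only so the example runs on the standard library; `HARDCODED_KEY` and the salt are constructed values.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Constructed stand-in for a key compiled into the binary (NOT Claws Mail's real key).
HARDCODED_KEY = b"constant-key-in-binary"

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a stand-in keystream (not DES)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt(key: bytes, plaintext: bytes) -> str:
    """Encrypt, authenticate, and base64-wrap, as an accountrc-style value."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return base64.b64encode(nonce + ct + tag).decode()

def decrypt(key: bytes, encoded: str) -> Optional[bytes]:
    """Return the plaintext, or None if the key is wrong or the value was tampered with."""
    raw = base64.b64decode(encoded)
    nonce, ct, tag = raw[:16], raw[16:-32], raw[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

# Design 1: the approach criticised above. The key is a constant in the program,
# so anyone holding the program and the stored value recovers the password.
def store_with_hardcoded_key(password: str) -> str:
    return encrypt(HARDCODED_KEY, password.encode())

def recover_with_hardcoded_key(stored: str) -> Optional[bytes]:
    return decrypt(HARDCODED_KEY, stored)

# Design 2: a password safe keyed by a master password the user supplies.
# The key is derived at runtime and never exists in the binary or on disk.
def derive_key(master_password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, 600_000)

def store_with_master_password(password: str, master: str, salt: bytes) -> str:
    return encrypt(derive_key(master, salt), password.encode())

def recover_with_master_password(stored: str, master: str, salt: bytes) -> Optional[bytes]:
    return decrypt(derive_key(master, salt), stored)
```

With the hardcoded key, every copy of the program decrypts every user's accountrc; with the master-password design, a stolen accountrc alone yields nothing and a wrong master password is rejected.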