[Dovecot] Secure authentication?
Peter Fern
dovecot at obfusc8.org
Sun Nov 11 13:28:52 EET 2007
Bjørn T Johansen wrote:
> I have enabled SSL support for my dovecot installation but if I enable secure authentication in my MUA, I get an
> error from dovecot telling me that this is not supported..
>
> Is this because dovecot does not support this or am I missing some config?
>
SSL and secure passwords are different things - if you've enabled SSL on
the client, secure passwords are redundant really - the whole connection
is encrypted. Secure password authentication is only supported by
dovecot when your backend password store is in unencrypted plain text -
the client hashes the password, which is compared to a hash generated by
the server. If memory serves, SPA is based on NTLM, hence the
requirement for plaintext in the backend for generation of the hash,
though I suppose if you were storing NTLM hashes it could be made to
work. Personally, I prefer to have the passwords securely encrypted in
the backend though, and so rely on SSL for securing the connection,
disregarding SPA entirely.
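
An added illustration of the trade-off described in this message; it is not part of the original post and not Dovecot code. It uses a CRAM-MD5-style HMAC challenge-response as a stand-in for SPA/NTLM (an assumption, chosen because the storage constraint is the same), and the credentials and function names are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed sample credentials (not from the original post).
USER, PASSWORD = "bjorn", "correct horse"


def cram_response(secret: bytes, challenge: bytes) -> str:
    """Client side of a CRAM-MD5-style exchange: HMAC over the server's challenge."""
    return hmac.new(secret, challenge, hashlib.md5).hexdigest()


def salted_hash(password: str, salt: bytes) -> bytes:
    """One-way storage form; the password cannot be recovered from it."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def verify_challenge(stored_secret: bytes, challenge: bytes, response: str) -> bool:
    """Server recomputes the response, so it must hold the secret the client used."""
    expected = cram_response(stored_secret, challenge)
    return hmac.compare_digest(expected, response)


def verify_plain(stored: bytes, salt: bytes, password: str) -> bool:
    """PLAIN login inside TLS: server receives the password and hashes it itself."""
    return hmac.compare_digest(stored, salted_hash(password, salt))


def demo() -> dict:
    challenge = os.urandom(16).hex().encode()
    salt = os.urandom(16)
    hashed = salted_hash(PASSWORD, salt)
    # The client always keys the HMAC with the password the user typed.
    response = cram_response(PASSWORD.encode(), challenge)
    return {
        # Plaintext backend: the server can reproduce the client's response.
        "cr_with_plaintext_store": verify_challenge(PASSWORD.encode(), challenge, response),
        # Hashed backend: the server only has the salted hash, so the HMAC differs.
        "cr_with_hashed_store": verify_challenge(hashed, challenge, response),
        # Hashed backend, password sent over the encrypted connection: works.
        "plain_with_hashed_store": verify_plain(hashed, salt, PASSWORD),
    }


if __name__ == "__main__":
    print(demo())
```
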