[Dovecot] Secure authentication?

Peter Fern dovecot at obfusc8.org
Sun Nov 11 13:28:52 EET 2007


Bjørn T Johansen wrote:
> I have enabled SSL support for my dovecot installation but if I enable secure authentication in my MUA, I get an
> error from dovecot telling me that this is not supported..
>
> Is this because dovecot does not support this or am I missing some config?
>   

SSL and secure passwords are different things - if you've enabled SSL on 
the client, secure passwords are redundant really - the whole connection 
is encrypted.  Secure password authentication is only supported by 
dovecot when your backend password store is in unencrypted plain text - 
the client hashes the password, which is compared to a hash generated by 
the server.  If memory serves, SPA is based on NTLM, hence the 
requirement for plaintext in the backend for generation of the hash, 
though I suppose if you were storing NTLM hashes it could be made to 
work.  Personally, I prefer to have the passwords securely encrypted in 
the backend though, and so rely on SSL for securing the connection, 
disregarding SPA entirely.
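
Why a challenge-response login needs the plaintext on the server while a password sent inside SSL does not, as an added example that is not part of the original post. It uses a CRAM-MD5-style HMAC exchange as a simpler stand-in for NTLM-based SPA; the user, password, salt, challenge and all function names are constructed for illustration.

```python
import hashlib
import hmac

def cr_response(key: bytes, challenge: bytes) -> str:
    """Challenge-response proof: hex HMAC-MD5 of the server's challenge under `key`."""
    return hmac.new(key, challenge, "md5").hexdigest()

def salted_hash(password: str, salt: bytes) -> bytes:
    """One-way storage form (PBKDF2-HMAC-SHA256); the password cannot be recovered."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample data: the same user stored two different ways.
PASSWORD = "correct horse"
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
PLAINTEXT_DB = {"bjorn": PASSWORD}
HASHED_DB = {"bjorn": (SALT, salted_hash(PASSWORD, SALT))}

def verify_cr_plaintext_store(user, challenge, response) -> bool:
    """Server holds the plaintext, so it can recompute the client's HMAC."""
    expected = cr_response(PLAINTEXT_DB[user].encode(), challenge)
    return hmac.compare_digest(expected, response)

def verify_cr_hashed_store(user, challenge, response) -> bool:
    """Server holds only a salted hash; that is the only key material it can try."""
    _salt, stored = HASHED_DB[user]
    return hmac.compare_digest(cr_response(stored, challenge), response)

def verify_plain_over_tls(user, password) -> bool:
    """Password arrives inside the encrypted channel; re-hash it and compare."""
    salt, stored = HASHED_DB[user]
    return hmac.compare_digest(salted_hash(password, salt), stored)

def demo():
    challenge = b"<1896.697170952@mail.example.org>"  # constructed server nonce
    # The client only knows the password, so it keys the HMAC with that.
    response = cr_response(PASSWORD.encode(), challenge)
    return (
        verify_cr_plaintext_store("bjorn", challenge, response),  # works
        verify_cr_hashed_store("bjorn", challenge, response),     # cannot match
        verify_plain_over_tls("bjorn", PASSWORD),                 # works
        verify_plain_over_tls("bjorn", "wrong"),                  # rejected
    )

if __name__ == "__main__":
    print(demo())
```
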

