[Dovecot] Secure authentication?
Bjørn T Johansen
btj at havleik.no
Sun Nov 11 14:13:21 EET 2007
On Sun, 11 Nov 2007 22:28:52 +1100
Peter Fern <dovecot at obfusc8.org> wrote:
> Bjørn T Johansen wrote:
> > I have enabled SSL support for my dovecot installation but if I enable secure authentication in my MUA, I get
> > an error from dovecot telling me that this is not supported..
> >
> > Is this because dovecot does not support this or am I missing some config?
> >
>
> SSL and secure passwords are different things - if you've enabled SSL on
> the client, secure passwords are redundant really - the whole connection
> is encrypted. Secure password authentication is only supported by
> dovecot when your backend password store is in unencrypted plain text -
> the client hashes the password, which is compared to a hash generated by
> the server. If memory serves, SPA is based on NTLM, hence the
> requirement for plaintext in the backend for generation of the hash,
> though I suppose if you were storing NTLM hashes it could be made to
> work. Personally, I prefer to have the passwords securely encrypted in
> the backend though, and so rely on SSL for securing the connection,
> disregarding SPA entirely.
Yes, thanks for all the replies.... It was all a misunderstanding on my part about what secure authentication
really was but SSL is up and working anyway.... :)
BTJ
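
The point made in the quoted reply, that challenge-response password mechanisms need the server to hold the plaintext while a hashed backend works only with a plain login carried inside SSL, shown as an added example that is not part of the original thread. It uses a CRAM-MD5-style HMAC exchange as a stand-in for SPA/NTLM and PBKDF2 as an assumed hashed password store; the credential and challenge are constructed sample values.

```python
import hashlib
import hmac
import os

def cram_response(password: str, challenge: bytes) -> str:
    """Client side: keyed digest of the server's challenge (CRAM-MD5 style)."""
    return hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()

def verify_cram(stored_secret: str, challenge: bytes, response: str) -> bool:
    """Server side: must recompute the same HMAC, so it needs the password itself."""
    expected = cram_response(stored_secret, challenge)
    return hmac.compare_digest(expected, response)

def store_hashed(password: str) -> tuple[bytes, bytes]:
    """Backend that keeps only a salted, stretched hash (PBKDF2 is an assumption)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest

def verify_plain(record: tuple[bytes, bytes], password_from_client: str) -> bool:
    """Plain login: the client sends the password (inside SSL/TLS) and the
    server re-hashes it with the stored salt."""
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password_from_client.encode(), salt, 100_000)
    return hmac.compare_digest(candidate, digest)

def demo() -> dict:
    password = "correct horse"                    # constructed sample credential
    challenge = b"<1896.697170952@mail.example>"  # constructed server challenge
    response = cram_response(password, challenge)
    record = store_hashed(password)
    return {
        # Plaintext backend: the server can check the client's response.
        "cram_plaintext_store": verify_cram(password, challenge, response),
        # Hashed backend: the stored digest is all the server has, and it
        # cannot reproduce the client's HMAC from it.
        "cram_hashed_store": verify_cram(record[1].hex(), challenge, response),
        # Hashed backend with a plain login over an encrypted connection works.
        "plain_hashed_store": verify_plain(record, password),
        "plain_wrong_password": verify_plain(record, "wrong guess"),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```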