[Dovecot] Secure authentication?

Bjørn T Johansen btj at havleik.no
Sun Nov 11 14:13:21 EET 2007


On Sun, 11 Nov 2007 22:28:52 +1100
Peter Fern <dovecot at obfusc8.org> wrote:

> Bjørn T Johansen wrote:
> > I have enabled SSL support for my dovecot installation but if I enable secure authentication in my MUA, I get
> > an error from dovecot telling me that this is not supported..
> >
> > Is this because dovecot does not support this or am I missing some config?
> >   
> 
> SSL and secure passwords are different things - if you've enabled SSL on 
> the client, secure passwords are redundant really - the whole connection 
> is encrypted.  Secure password authentication is only supported by 
> dovecot when your backend password store is in unencrypted plain text - 
> the client hashes the password, which is compared to a hash generated by 
> the server.  If memory serves, SPA is based on NTLM, hence the 
> requirement for plaintext in the backend for generation of the hash, 
> though I suppose if you were storing NTLM hashes it could be made to 
> work.  Personally, I prefer to have the passwords securely encrypted in 
> the backend though, and so rely on SSL for securing the connection, 
> disregarding SPA entirely.


Yes, thanks for all the replies.... It was all a misunderstanding on my part about what secure authentication
really was but SSL is up and working anyway.... :)


BTJ
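An added illustration, not part of the original thread, of the point in Peter Fern's quoted reply: a challenge-response login can only be verified by a server that holds the password itself, while a one-way hashed store can only check a password sent as-is inside the SSL connection. HMAC-MD5 over a server nonce (CRAM-MD5 style) stands in here for SPA/NTLM, PBKDF2 stands in for the hashed backend, and all class and function names are hypothetical.

```python
import hashlib
import hmac
import os

def cr_response(password: str, challenge: bytes) -> str:
    # Client side: HMAC-MD5 over the server's challenge, keyed with the password.
    return hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()

def one_way(password: str, salt: bytes) -> bytes:
    # Stored form for the hashed backend (PBKDF2 is this example's choice).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class PlaintextStore:
    """Backend keeps the password itself, so it can recompute the response."""
    def __init__(self, password: str):
        self.password = password

    def check_response(self, challenge: bytes, response: str) -> bool:
        expected = cr_response(self.password, challenge)
        return hmac.compare_digest(expected, response)

class HashedStore:
    """Backend keeps only salt + one-way hash; the password is not recoverable."""
    def __init__(self, password: str):
        self.salt = os.urandom(16)
        self.digest = one_way(password, self.salt)

    def check_response(self, challenge: bytes, response: str) -> bool:
        # The HMAC key is the password, which this store no longer has.
        raise NotImplementedError("challenge-response needs the plaintext password")

    def check_plain(self, password: str) -> bool:
        # Works when the client sends the password itself, e.g. over SSL.
        return hmac.compare_digest(one_way(password, self.salt), self.digest)

def demo() -> dict:
    password = "correct horse"                 # constructed sample credential
    challenge = os.urandom(16).hex().encode()  # fresh per-login server nonce
    response = cr_response(password, challenge)
    hashed = HashedStore(password)
    try:
        hashed_cr = hashed.check_response(challenge, response)
    except NotImplementedError:
        hashed_cr = "unsupported"
    return {"plaintext_store_cr": PlaintextStore(password).check_response(challenge, response),
            "hashed_store_cr": hashed_cr,
            "hashed_store_plain": hashed.check_plain(password)}
```

Storing a mechanism-specific hash instead of the plaintext, as the reply suggests for NTLM, would let the server compute the response, but that stored value is then enough on its own to authenticate with that mechanism.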

