[Dovecot] Looking for a good way to manage passwords for CRAM-MD5
Benny Pedersen
me at junc.eu
Sun May 12 17:39:48 EEST 2013
Professa Dementia wrote on 2013-05-12 14:40:
> On 5/12/2013 4:17 AM, Steinar Bang wrote:
>> I prefer not to use clear text passwords, even over an encrypted
>> connection.
>
> Why? Enforce the encrypted link by not allowing unencrypted
> connections. The simplest is iptables to block ports 110 and 143, while
> allowing 993 and 995.
why not disable 110, 143 in dovecot? it's less waste in firewalls to
not provide service on blocked ips :)
> As long as the underlying SSL/TLS connection utilizes strong mechanisms,
> everything in the connection is secure, including passwords.
plain passwords have no problem traversing ssl/tls, but it might
still be possible to store unencrypted cookies on webmail, so this
question is still valid, but this is not a dovecot problem to resolve,
more like remove such a badly written webmail client first
> CRAM adds complexity, without adding security if the connection is
> already secure.
yes, avoid pam auth, use unix auth if it's unix mailboxes, and set up e.g.
postfixadmin for virtual users, follow the readme in there and it's mostly
done with all possible powers of dovecot / postfix (postfixadmin does
not really need postfix but an sql mta that can make the same queries in
sql)
> Just make sure that you have something like fail2ban to block or slow
> down dictionary and brute force attacks and make sure you use strong
> passwords.
seen on ssl/tls ports?
--
senders that put my email into body content will deliver it to my own
trashcan, so if you would like to get a reply, don't do it
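Benny's suggestion of turning the plaintext listeners off inside Dovecot instead of blocking them with iptables looks like this in Dovecot 2.x configuration. This is an added example, not part of the thread or of the Dovecot project's shipped defaults; it assumes the usual conf.d file layout and that only the implicit-TLS ports 993 and 995 should be offered.

```conf
# conf.d/10-master.conf
# port = 0 removes the listener entirely, so nothing answers on 143/110
# and there is no firewall rule to keep in sync with the mail server.
service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}

service pop3-login {
  inet_listener pop3 {
    port = 0
  }
  inet_listener pop3s {
    port = 995
    ssl = yes
  }
}

# conf.d/10-ssl.conf
# Refuse any session that is not protected by TLS.
ssl = required

# conf.d/10-auth.conf
# Plaintext mechanisms (PLAIN/LOGIN) are only offered once TLS is up,
# which is the point made above: over 993/995 they are fine, and the
# server can then keep ordinary salted password hashes instead of the
# reversible storage CRAM-MD5 needs.
disable_plaintext_auth = yes
auth_mechanisms = plain login
```

After editing, `doveconf -n` prints the effective non-default settings and is the quickest way to confirm that the `imap` and `pop3` listeners really show `port = 0` before restarting Dovecot; a follow-up `ss -ltn` (or `netstat -ltn`) should then list only 993 and 995 for the mail daemon.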