On March 26, 2017 at 2:24 PM Steinar Bang sb@dod.no wrote:
Aki Tuomi aki.tuomi@dovecot.fi:
On 2017-03-25 17:54, Steinar Bang wrote:
This is a PAM module that listens for password changes, and will update the MD5 password for a user, in a file that dovecot can read, when the user's password is changed: https://github.com/steinarb/pam_dovecotmd5pwd
Caveat emptor! (Works for me...! :-) )
Maybe you could update the PAM module to upgrade user's passwords to something safer than MD5? Like SSHA515 or CRYPT-SHA512? =)
Is it possible to do CRAM[1] with any of these encryption methods? And, if so: are these encryption methods widely supported by clients?
The essential part for me was to have something widely supported by clients, where the password isn't transferred over the wire as part of the authentication
The last time I looked cram-md5 was the only candidate for not transferring the password in cleartext during authentication (and with dovecot cram-md5 requires a special passwd file, which is why I wrote this pam module in the first place).
References: [1] https://en.wikipedia.org/wiki/Challenge–response_authentication
Is there some reason you cannot protect your users with TLS/SSL? Using CRAM-MD5 is not very secure option, since you have to store the password in clear text. Plain MD5 is almost plaintext these days.
Aki