On 12/06/2014 02:35 AM, Nick Edwards wrote:
On 12/5/14, ML mail mlnospam@yahoo.com wrote:
Hello,
I am wondering which variant is more secure for user authentication and password scheme. Basically I am looking at both variants:
- MD5-CRYPT password scheme storage with CRAM-MD5 auth mechanism
- SHA512-CRYPT password scheme storage with PLAIN auth mechanism
In my opinion the option 2) should be safer although it is using PLAIN auth mechanism. Of course I would always use STARTTLS and not allow unencrypted connection.
Thats not exactly a true statement, if you offer STARTTLS you are optional on encryption, if you mean not allow unencrypted connections then you are forcing TLS, not STARTTLS since the latter is designed to accept unencrypted and then _try_ upgrade to encryption if possible, if not, stay unencrypted.
If you add disable_plaintext_auth=yes ssl=required settings, then dovecot will drop authentication without STARTTLS. But damage will be done, client will send unencrypted (or in this scenario MD5 or SHA512 hash) login/password. http://wiki2.dovecot.org/SSL
What is your opinion?
Number 2 as the other poster said without hesitation and for reasons he said +1
-- Jan Wideł Senior System Administrator e-mail: jan.widel@networkers.pl mobile: +48 797 004 946 www: http://www.networkers.pl GPG: http://networkers.pl/GPG/2E7359CD.asc