Thanks
-----Original Message-----
From: Aki Tuomi [mailto:aki.tuomi@dovecot.fi]
Sent: Friday, 1 September 2017 2:15 AM
To: dovecot@dovecot.org; Raymond Sellars
Subject: Re: Mixed Autehtnication and password schemes
The above note suggests I can't use DIGEST-MD5 with master password configuration, if using more than one passdb setup. I don't understand why there would be a restriction, as the password validation should just fall through irrespective.
Because CRAM-MD5 is bothersome. Do you really need it? It's not really necessary with SSL.
[Raymond] Unfortunately yes, part of the ONC 2015 Edition requirements. As you say, it's not really needed but more one of those tick the compliance boxes.
Problem #2: How do I enforce some kind of account access policy?
As a worst case, does Dovecot implement any type of account access policies? Our IT security reviewers are hot on account policies, i.e. lockouts, expiries, and back off attempts.
You can use https://wiki2.dovecot.org/Authentication/Policy to implement complex requirements.
Other than that, Dovecot will deter brute force on its own to some degree.
[Raymond] Thanks, I'll need to upgrade but this definitely addresses the requirement.
Thanks
Raymond
Solution Architect - Orion Health

Aki Tuomi
Dovecot oy