Hello,
I am exploring the possibility of migrating an existing setup to postfix+dovecot. The issue being that many clients are currently configured for CRAM-MD5 authentication. I am fully aware that this is a really, really, really bad idea, but reconfiguring all clients at once is not feasible with limited end user support resources. I have a setup running with Lua for the passdb, and everything works with PLAIN login.
To keep compatibility with the PLAIN login mechanism I have tried to store {PLAIN} passwords in the DB, since proper secure password storage is incompatible with CRAM-MD5.
My issue is that the Lua function auth_password_verify(req, pass) does not even seem to be called for CRAM-MD5 logins. Reading through the documentation also seems to indicate that the challenge is not passed to the Lua function, making it impossible to compute the hash in Lua or the function req.password_verify(req, row.password, pass).
Is my assumption correct that CRAM-MD5 cannot work with a Lua script?
Kind regards, Peter K.
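
The CRAM-MD5 exchange (RFC 2195) that the post refers to, as an added Python example that is not part of the original message and is not Dovecot code: it shows that the verifier needs both the per-session challenge and the plaintext secret, so a salted hash in the database cannot verify a response. The function names and the salted-hash scheme are assumptions made for illustration; the sample values are the RFC 2195 test vector.

```python
import base64
import hashlib
import hmac

# Constructed sample data: the test vector published in RFC 2195, section 2.
CHALLENGE = b"<1896.697170952@postoffice.reston.mci.net>"
USER = "tim"
SECRET = "tanstaaftanstaaf"


def client_response(user, secret, challenge):
    """What the client sends: base64("<user> <hex HMAC-MD5(secret, challenge)>")."""
    digest = hmac.new(secret.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode())


def server_verify(response_b64, challenge, lookup_secret):
    """Recompute the HMAC from the stored secret and the challenge issued for
    this session. Returns the user name on success, None otherwise."""
    try:
        decoded = base64.b64decode(response_b64, validate=True).decode()
    except ValueError:  # covers bad base64 and bad UTF-8
        return None
    # The user name may contain spaces, so split on the last one.
    user, _, digest = decoded.rpartition(" ")
    if not user:
        return None
    secret = lookup_secret(user)
    if secret is None:
        return None
    expected = hmac.new(secret.encode(), challenge, hashlib.md5).hexdigest()
    ok = hmac.compare_digest(expected.encode(), digest.lower().encode())
    return user if ok else None


def demo():
    plain_db = {USER: SECRET}
    # Hypothetical salted-hash storage: not the HMAC key the client used.
    hashed_db = {USER: hashlib.sha256(b"salt" + SECRET.encode()).hexdigest()}
    resp = client_response(USER, SECRET, CHALLENGE)
    return (
        server_verify(resp, CHALLENGE, plain_db.get),    # plaintext stored
        server_verify(resp, CHALLENGE, hashed_db.get),   # only a hash stored
        server_verify(resp, b"<other@example.invalid>", plain_db.get),  # wrong challenge
    )


if __name__ == "__main__":
    print(demo())
```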