Le 20/06/2019 à 11:59, @lbutlr via dovecot a écrit :
On 20 Jun 2019, at 02:53, FUSTE Emmanuel via dovecot dovecot@dovecot.org wrote:
There is plenty of context where TLS is not possible/desirable. I’d say that is terrible advice. There are no reasonable contexts where is it is acceptable to send mail credentials without encryption. My users have had to use STARTTLS for submission for many many years. Insecure connections from users are not an option. Please, don't make me say what I did not say. I use the word "context". I did not talk about "sending mail credentials" no more I talk about Internet. And even with that, don't restrict the world as your use case .The world is not Internet only too. And SASL and by extend the CRAM-MD5 mech is not used only in email scenario/protocols.
Even in email scenario, I have to deal with equipments (scanner/copiers) not able to do TLS or not able to deal with a private CA and insisting to verify the SMTP server Cert to send email, or with broken or outdated SSL implementation etc ... They support CRAM-MD5. It is still better than clear text. I have more than 4000 of such class of equipments behind my servers each having their problems, bugs, limitations.... Yes in 2019 ... I even don't talk you about the thousands of proprietary, outdated, customs, buggy (and combine all as you want) applications that I have to deal with....
Emmanuel.