Aki Tuomi aki.tuomi@dovecot.fi:
Is there some reason you cannot protect your users with TLS/SSL?
I do use SSL. I don't understand what that has to do with the preference of CRAM-MD5 over plain text auth?
Using CRAM-MD5 is not a very secure option, since you have to store the password in clear text. Plain MD5 is almost plaintext these days.
I worry less about the security of a password stored in a local file compared to the security of transferring the same password in cleartext over the wire, SSL or not.
As for alternatives, Google found me SCRAM-SHA-1 [1], which is supported by Dovecot [2], but Google couldn't find me any IMAP clients supporting it.
Kerberos (also listed among the alternatives) would have been really neat; unfortunately private networks and NATing break things for Kerberos... maybe IPv6 will revitalize Kerberos...? One can hope.
References:
[1] https://en.wikipedia.org/wiki/Salted_Challenge_Response_Authentication_Mecha...
[2] http://wiki2.dovecot.org/Authentication/Mechanisms#Non-plaintext_authenticat...
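To make the storage difference concrete, here is an added example (not from the thread or from Dovecot's code) of what a server must hold for CRAM-MD5 versus SCRAM-SHA-1 (RFC 5802) and how a SCRAM server verifies a client proof using only the stored keys. The password, salt and AuthMessage are constructed sample values; message parsing and channel binding are omitted.

```python
import hashlib
import hmac

# Constructed sample values, not from the thread.
PASSWORD = b"correct horse battery staple"
SALT = bytes.fromhex("4125c247e43ab1e93c6dff76")
ITERATIONS = 4096
# In real SCRAM this is client-first-bare + "," + server-first + "," +
# client-final-without-proof; here it is a constructed stand-in.
AUTH_MESSAGE = b"n=user,r=fyko+d2lbbFgONRv9qkxdawL,r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,s=QSXCR+Q6sek8bf92,i=4096,c=biws,r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j"


def cram_md5_response(password: bytes, challenge: bytes) -> bytes:
    # CRAM-MD5: the server must hold the cleartext password (or the raw
    # MD5 inner/outer context) to recompute this HMAC, which is the point
    # made in the thread about cleartext storage.
    return hmac.new(password, challenge, hashlib.md5).hexdigest().encode()


def scram_store(password: bytes, salt: bytes, iterations: int) -> dict:
    # What a SCRAM-SHA-1 server stores per user: salt, iteration count,
    # StoredKey = H(ClientKey) and ServerKey. The password itself is absent.
    salted = hashlib.pbkdf2_hmac("sha1", password, salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha1).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha1).digest()
    return {"salt": salt, "iterations": iterations,
            "stored_key": hashlib.sha1(client_key).digest(),
            "server_key": server_key}


def scram_client_proof(password: bytes, salt: bytes, iterations: int,
                       auth_message: bytes) -> bytes:
    # Client side: ClientProof = ClientKey XOR ClientSignature.
    salted = hashlib.pbkdf2_hmac("sha1", password, salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha1).digest()
    stored_key = hashlib.sha1(client_key).digest()
    client_sig = hmac.new(stored_key, auth_message, hashlib.sha1).digest()
    return bytes(a ^ b for a, b in zip(client_key, client_sig))


def scram_verify(record: dict, auth_message: bytes, proof: bytes) -> bool:
    # Server side: recover ClientKey from the proof and check H(ClientKey)
    # against StoredKey. Only the stored record is needed, never the password.
    client_sig = hmac.new(record["stored_key"], auth_message, hashlib.sha1).digest()
    client_key = bytes(a ^ b for a, b in zip(proof, client_sig))
    return hmac.compare_digest(hashlib.sha1(client_key).digest(), record["stored_key"])


def demo() -> bool:
    record = scram_store(PASSWORD, SALT, ITERATIONS)
    proof = scram_client_proof(PASSWORD, SALT, ITERATIONS, AUTH_MESSAGE)
    return scram_verify(record, AUTH_MESSAGE, proof)
```

A captured SCRAM record lets an attacker run an offline PBKDF2 guess, but it does not let them log in, whereas a captured CRAM-MD5 credential store is the password itself.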