Professa Dementia wrote on 2013-05-12 14:40:
> On 5/12/2013 4:17 AM, Steinar Bang wrote:
>> I prefer not to use clear text passwords, even over an encrypted connection.
> Why? Enforce the encrypted link by not allowing unencrypted connections. The simplest is iptables to block ports 110 and 143, while allowing 993 and 995.
Why not disable 110 and 143 in dovecot? It's less waste in firewalls to not provide service on blocked IPs :)
> As long as the underlying SSL/TLS connection utilizes strong mechanisms, everything in the connection is secure, including passwords.
Plain passwords have no problem traversing SSL/TLS, but it might still be possible to store unencrypted cookies in webmail, so this question is still valid. But this is not a dovecot problem to resolve; more like remove such a badly written webmail client first.
> CRAM adds complexity, without adding security if the connection is already secure.
Yes, avoid PAM auth; use unix auth if it's unix mailboxes, and set up e.g. postfixadmin for virtual users. Follow the README in there and it's mostly done with all possible powers of dovecot / postfix. (postfixadmin does not really need postfix, but an SQL MTA that can make the same queries in SQL.)
> Just make sure that you have something like fail2ban to block or slow down dictionary and brute force attacks and make sure you use strong passwords.
Seen on SSL/TLS ports?
-- 
Senders that put my email into body content will deliver it to my own trashcan, so if you'd like to get a reply, don't do it.
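The alternative raised in this thread (turning the plaintext listeners off in dovecot itself instead of blocking 110/143 in iptables), as an added example that is not part of the original messages: a Dovecot 2.x configuration fragment spread over its conf.d files; the certificate and key paths are placeholders.

```conf
# conf.d/10-master.conf
# port = 0 disables a listener, so 110 and 143 are never opened
# and there is nothing left for the firewall to block.
service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
service pop3-login {
  inet_listener pop3 {
    port = 0
  }
  inet_listener pop3s {
    port = 995
    ssl = yes
  }
}

# conf.d/10-ssl.conf
# "ssl = yes" (the weaker setting) merely offers TLS; "required" refuses
# any session that is not encrypted, so PLAIN/LOGIN never cross the wire
# in the clear even if a plaintext listener were re-enabled later.
ssl = required
# placeholder paths, replace with the real certificate and key
ssl_cert = </etc/ssl/certs/mail.example.com.pem
ssl_key = </etc/ssl/private/mail.example.com.key

# conf.d/10-auth.conf
# Plaintext mechanisms are only ever accepted inside TLS, which is the
# point made above: with the link guaranteed encrypted, CRAM buys nothing.
disable_plaintext_auth = yes
auth_mechanisms = plain login
```

After reloading, `doveconf -n` shows the effective listener ports, and only 993 and 995 should remain.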