I do, Aki.
This is not the point, however.
The point is that the default is not GDPR compliant, and a first easy alternative is also not GDPR compliant, and decoupling the user scheme from the server storage scheme is not at all obvious. Adopting a GDPR-compliant default would send out the information that the project cares about legal compliance, and a solution is supported by default.
-------- Original Message --------
On 2/10/25 11:39, Aki Tuomi <aki.tuomi@open-xchange.com> wrote:
On 10/02/2025 12:23 EET Rupert Gallagher via dovecot <dovecot@dovecot.org> wrote:
Dovecot aligns the password encryption scheme used by the imap client with the password storage scheme used by the server.
Since the default is set to plain text, the client sends the password in plain text (tls tunneled), and the server local storage of passwords is a plain text file.
For minimum protection, just enough to say you are not using plaintext, you can use md5, so the client sends the hashed password and the server's local storage is a plain text file containing hashed passwords.
Last year a GDPR commissioner filed a hefty monetary sanction to a company because they used md5 to store passwords.
Therefore, Dovecot's plain text default, and the md5 option, are both non-GDPR compliant.
To avoid monetary sanctions, Dovecot ought to change how it stores passwords by default.
Please do not ignore this message.
You do understand that it's the admin's responsibility to choose a safe password storage, not ours?
Aki
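The thread argues about which Dovecot password scheme an admin should choose and why clear text and md5 are a problem once the passdb file leaks. The following is an added example, not code from either poster or from the Dovecot project: a small audit script for a passwd-file in the `user:{SCHEME}hash:...` layout that flags weak scheme names, spots users sharing an identical stored hash (which unsalted schemes expose directly), and contrasts an unsalted MD5 digest with a salted, iterated KDF. The scheme-name buckets are an assumption based on Dovecot's documented scheme list; the `{PBKDF2-EXAMPLE}` format and the sample entries are constructed for this example and are not Dovecot's own encoding.

```python
"""Audit a Dovecot-style passwd-file for weak password storage schemes.

Added example (not from the mailing-list posts or the Dovecot project).
Assumptions: entries look like 'user:{SCHEME}hash:uid:gid:...' and the
scheme names below match Dovecot's documented list, optionally with a
'.hex' / '.b64' encoding suffix. '{PBKDF2-EXAMPLE}' is an invented format
used only to illustrate a salted, work-factor hash; it is not Dovecot's own.
"""
import hashlib
import hmac
import os
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

CLEARTEXT = {"PLAIN", "CLEARTEXT", "PLAIN-TRUNC"}
FAST_UNSALTED = {"PLAIN-MD5", "SHA", "SHA1", "SHA256", "SHA512",
                 "LANMAN", "NTLM", "CRAM-MD5", "DIGEST-MD5"}
FAST_SALTED = {"SMD5", "SSHA", "SSHA256", "SSHA512"}
LEGACY_CRYPT = {"MD5", "MD5-CRYPT"}   # in Dovecot, MD5 is an alias for MD5-CRYPT
SLOW_KDF = {"SHA256-CRYPT", "SHA512-CRYPT", "BLF-CRYPT", "PBKDF2",
            "ARGON2I", "ARGON2ID", "SCRAM-SHA-1", "SCRAM-SHA-256"}

# user, then {SCHEME}, then the hash up to the next ':' field separator
ENTRY_RE = re.compile(r"^([^:#\s]+):\{([A-Za-z0-9._-]+)\}([^:]*)")

# Constructed sample file; hash bodies are placeholders, not real credentials.
SAMPLE_PASSWD_FILE = """\
# constructed sample, not a real deployment
alice:{PLAIN}hunter2
bob:{PLAIN-MD5}2ab96390c7dbe3439de74d0c9b0b1767
grace:{PLAIN-MD5}2ab96390c7dbe3439de74d0c9b0b1767
carol:{MD5}$1$placeholdersalt$placeholderhash
dave:{SHA512-CRYPT}$6$placeholdersalt$placeholderhash
erin:{ARGON2ID}$argon2id$v=19$m=65536,t=3,p=4$placeholdersalt$placeholderhash
frank:noschemeprefix
"""


def classify(scheme: str) -> str:
    """Map a scheme name to a verdict on resistance to offline guessing."""
    base = scheme.upper().split(".", 1)[0]   # drop .hex / .b64 suffix
    if base in CLEARTEXT:
        return "CRITICAL: stored in clear text"
    if base in FAST_UNSALTED:
        return "WEAK: unsalted fast hash, precomputation and GPU guessing apply"
    if base in FAST_SALTED:
        return "WEAK: salted but fast hash, GPU guessing applies"
    if base in LEGACY_CRYPT:
        return "LEGACY: deprecated MD5-based crypt, migrate"
    if base in SLOW_KDF:
        return "OK: salted hash with a work factor"
    return "UNKNOWN: review manually"


def audit_passwd_file(text: str) -> List[Tuple[str, str, str]]:
    """Return (user, scheme, verdict) for each entry; comments and blanks are skipped."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = ENTRY_RE.match(line)
        if not m:
            # No {SCHEME} prefix: the passdb's default_pass_scheme decides, so check it
            findings.append((line.split(":", 1)[0], "(none)",
                             "CRITICAL: no scheme prefix, falls back to default_pass_scheme"))
            continue
        user, scheme, _hash = m.groups()
        findings.append((user, scheme, classify(scheme)))
    return findings


def duplicate_hashes(text: str) -> Dict[str, List[str]]:
    """Users sharing an identical stored hash: under unsalted schemes this
    reveals password reuse without cracking anything."""
    seen: Dict[str, List[str]] = defaultdict(list)
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            user, scheme, digest = m.groups()
            seen[f"{{{scheme}}}{digest}"].append(user)
    return {h: users for h, users in seen.items() if len(users) > 1}


def unsalted_md5(password: str) -> str:
    """What a PLAIN-MD5 entry stores: identical input gives identical output."""
    return hashlib.md5(password.encode()).hexdigest()


def kdf_hash(password: str, salt: Optional[bytes] = None, iterations: int = 200_000) -> str:
    """Salted PBKDF2-HMAC-SHA256 in an example-only '{PBKDF2-EXAMPLE}iter$salt$dk' format."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{{PBKDF2-EXAMPLE}}{iterations}${salt.hex()}${dk.hex()}"


def kdf_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    iters, salt_hex, dk_hex = stored[len("{PBKDF2-EXAMPLE}"):].split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


if __name__ == "__main__":
    for user, scheme, verdict in audit_passwd_file(SAMPLE_PASSWD_FILE):
        print(f"{user:8} {scheme:14} {verdict}")
    print("shared hashes:", duplicate_hashes(SAMPLE_PASSWD_FILE))
```

Run it against a copy of the real passwd-file (never the live one with relaxed permissions) to get a per-user list of which entries still need migrating; `duplicate_hashes` is the quick check for why unsalted schemes are a problem even before anyone starts guessing.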