I am not sure how we should actually implement this. Do you mean that we should require that you always provide a password scheme for credentials, or require explicit {PLAIN} prefix or what? Everything costs something and has unexpected side-effects, like breaking everyone's master password authentication, in this case.
But other than that, Dovecot *does not* store passwords. Anywhere. It reads passwords from SQL databases, passwd files, etc., which are externally managed, not Dovecot managed. So I don't understand what "default" means here and what would be "a GDPR compliant default" for you?
Aki
On 10/02/2025 14:57 EET Robert Nowotny via dovecot <dovecot@dovecot.org> wrote:
Thumbs up for that. It costs nothing and adds value. Can't see any downsides (which might exist, Aki might elaborate). Bitranox
*From:* Rupert Gallagher via dovecot <dovecot@dovecot.org>
*Sent:* Monday, 10 February 2025 at 13:51 CET
*To:* aki.tuomi@open-xchange.com <aki.tuomi@open-xchange.com>
*Cc:* dovecot <dovecot@dovecot.org>
*Subject:* RE: Dovecot's default password storage scheme is not GDPR compliant
I do, Aki.
This is not the point, however.
The point is that the default is not GDPR compliant, and a first easy alternative is also not GDPR compliant, and decoupling the user scheme from the server storage scheme is not at all obvious. Adopting a GDPR-compliant default would send out the information that the project cares about legal compliance, and a solution is supported by default.
-------- Original Message -------- On 2/10/25 11:39, Aki Tuomi <aki.tuomi@open-xchange.com> wrote:
On 10/02/2025 12:23 EET Rupert Gallagher via dovecot <dovecot@dovecot.org> wrote:
Dovecot aligns the password encryption scheme used by the IMAP client with the password storage scheme used by the server.
Since the default is set to plain text, the client sends the password in plain text (TLS tunneled), and the server's local storage of passwords is a plain text file.
For minimum protection, just enough to say you are not using plaintext, you can use md5, so the client sends the hashed password and the server's local storage is a plain text file containing hashed passwords.
Last year a GDPR commissioner filed a hefty monetary sanction to a company because they used md5 to store passwords.
Therefore, Dovecot's plain text default, and the md5 option, are both non-GDPR compliant.
To avoid monetary sanctions, Dovecot ought to change how it stores passwords by default.
Please do not ignore this message.
You do understand that it's the admin's responsibility to choose a safe password storage, not ours?
Aki
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org
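The thread turns on two points: a `{SCHEME}` prefix on the stored field lets the verifier choose the algorithm per entry (so the storage scheme is decoupled from where the credentials live), and an unsalted digest such as MD5 is not a meaningful improvement over plain text. The script below is an added illustration written for this page; it is not Dovecot's code and does not reproduce Dovecot's internal formats. The scheme names `{PLAIN}` and `{PLAIN-MD5}` follow Dovecot's prefix convention, while the `{PBKDF2}` field layout (`rounds$salt$hash`, base64) and the round count are constructed for the example. It shows a verifier that reads scheme-prefixed entries, why two users with the same password collide under an unsalted scheme but not under a salted slow hash, and a verify-and-rehash step that migrates weak entries to the stronger scheme on the next successful login without touching the external credential source's schema.

```python
"""Scheme-prefixed password fields: parse, verify, and upgrade weak entries.
Added example for the mailing-list discussion above; not Dovecot code.
Assumptions (constructed for this example): the {PBKDF2} field layout
'rounds$base64(salt)$base64(dk)' and PBKDF2_ROUNDS are made up here."""
import base64
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 200_000            # constructed value, tune for your hardware
WEAK_SCHEMES = {"PLAIN", "PLAIN-MD5"}  # schemes that should be migrated away


def parse_field(field):
    """Split '{SCHEME}value' into (SCHEME, value).

    A field without a prefix is treated as PLAIN, mirroring the "default
    scheme" idea in the thread (an assumption of this example)."""
    if field.startswith("{") and "}" in field:
        end = field.index("}")
        return field[1:end].upper(), field[end + 1:]
    return "PLAIN", field


def make_field(scheme, password):
    """Build a stored field for the given scheme from a clear-text password."""
    scheme = scheme.upper()
    pw = password.encode("utf-8")
    if scheme == "PLAIN":
        return "{PLAIN}" + password
    if scheme == "PLAIN-MD5":
        # Unsalted, fast: identical passwords give identical fields.
        return "{PLAIN-MD5}" + hashlib.md5(pw).hexdigest()
    if scheme == "PBKDF2":
        salt = os.urandom(16)  # per-entry random salt
        dk = hashlib.pbkdf2_hmac("sha256", pw, salt, PBKDF2_ROUNDS)
        return "{PBKDF2}%d$%s$%s" % (
            PBKDF2_ROUNDS,
            base64.b64encode(salt).decode("ascii"),
            base64.b64encode(dk).decode("ascii"),
        )
    raise ValueError("unsupported scheme: " + scheme)


def verify(field, candidate):
    """Check a candidate password against a scheme-prefixed field.

    The scheme is read from the entry itself, so entries hashed with
    different schemes can coexist in the same passwd file or SQL table."""
    scheme, value = parse_field(field)
    cand = candidate.encode("utf-8")
    if scheme == "PLAIN":
        return hmac.compare_digest(value.encode("utf-8"), cand)
    if scheme == "PLAIN-MD5":
        return hmac.compare_digest(value, hashlib.md5(cand).hexdigest())
    if scheme == "PBKDF2":
        rounds, salt_b64, dk_b64 = value.split("$")
        dk = hashlib.pbkdf2_hmac(
            "sha256", cand, base64.b64decode(salt_b64), int(rounds))
        return hmac.compare_digest(dk, base64.b64decode(dk_b64))
    raise ValueError("unsupported scheme: " + scheme)


def verify_and_upgrade(field, candidate, target="PBKDF2"):
    """Verify; on success, re-hash entries stored under a weak scheme.

    Returns (ok, field_to_store). The caller writes field_to_store back to
    its own credential source only when it differs from the original."""
    ok = verify(field, candidate)
    scheme, _ = parse_field(field)
    if ok and scheme in WEAK_SCHEMES:
        return True, make_field(target, candidate)
    return ok, field


def same_password_collides(scheme, password="hunter2"):
    """True if two users sharing a password get identical stored fields."""
    return make_field(scheme, password) == make_field(scheme, password)


if __name__ == "__main__":
    # Constructed passwd-file style entries (user -> field).
    entries = {
        "alice": make_field("PLAIN", "correct horse"),
        "bob": make_field("PLAIN-MD5", "hunter2"),
        "carol": make_field("PLAIN-MD5", "hunter2"),
    }
    print("bob and carol collide under PLAIN-MD5:",
          entries["bob"] == entries["carol"])
    ok, upgraded = verify_and_upgrade(entries["bob"], "hunter2")
    print("bob login ok:", ok, "-> migrated to", parse_field(upgraded)[0])
```

The migration step is deliberately independent of the credential backend: the verifier only needs the scheme prefix on the field it reads, so an administrator can move a passwd file or SQL column from `{PLAIN}` or `{PLAIN-MD5}` to a salted slow hash one login at a time, and detect stragglers by scanning for entries whose prefix is still in the weak set.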