6 Dec 2014, 4:57 p.m.
On 2014-12-06 13:10, Reindl Harald wrote:
> On 06.12.2014 at 06:56, Jan Wideł wrote:
>> If you add the disable_plaintext_auth=yes and ssl=required settings, then Dovecot will drop authentication without STARTTLS. But the damage will be done: the client will send an unencrypted (or, in this scenario, MD5 or SHA512 hash) login/password.
> no, damage will *not* be done
> STARTTLS happens in the context of connect, and *long before* any authentication is tried the handshake between client/server fails

Yes, of course you are right. I meant that the client is misconfigured by being forced not to use TLS.
-- Jan Wideł Senior System Administrator e-mail: jan.widel@networkers.pl mobile: +48 797 004 946 www: http://www.networkers.pl GPG: http://networkers.pl/GPG/2E7359CD.asc
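
As an added illustration (not part of the original thread): a small client-side check, following RFC 3501, that decides from the capabilities an IMAP server advertises whether credentials may be sent yet. The greeting strings and the function names `parse_capabilities` and `next_step` are constructed for this example.

```python
import re

# Constructed sample greetings (not captured from a real server).
GREETING_HARDENED = ("* OK [CAPABILITY IMAP4rev1 SASL-IR ID ENABLE IDLE "
                     "STARTTLS LOGINDISABLED] Dovecot ready.")
GREETING_NO_TLS = "* OK [CAPABILITY IMAP4rev1 IDLE AUTH=PLAIN] ready."
GREETING_HASH_ONLY = "* OK [CAPABILITY IMAP4rev1 LOGINDISABLED AUTH=CRAM-MD5] ready."
CAPS_AFTER_TLS = "* CAPABILITY IMAP4rev1 IDLE AUTH=PLAIN"


def parse_capabilities(line):
    """Return the upper-cased capability set from a greeting or CAPABILITY response."""
    m = (re.search(r"\[CAPABILITY ([^\]]*)\]", line, re.I)
         or re.match(r"\* CAPABILITY (.*)$", line.strip(), re.I))
    return {tok.upper() for tok in m.group(1).split()} if m else set()


def next_step(line, tls_active=False, require_tls=True):
    """Decide what a careful client may send next on this connection.

    Returns "STARTTLS", "LOGIN", "AUTHENTICATE" or "ABORT".
    """
    caps = parse_capabilities(line)
    mechs = {c[5:] for c in caps if c.startswith("AUTH=")}
    if not tls_active:
        if "STARTTLS" in caps:
            # Upgrade first; capabilities must be re-read after the handshake.
            return "STARTTLS"
        if require_tls:
            # No STARTTLS on offer: never fall back to sending credentials
            # in the clear, whatever the reason the capability is missing.
            return "ABORT"
    if "LOGINDISABLED" not in caps:
        return "LOGIN"
    # RFC 3501: LOGIN must not be issued while LOGINDISABLED is advertised.
    # Without TLS, only mechanisms that do not carry the password itself remain.
    usable = mechs if tls_active else mechs - {"PLAIN", "LOGIN"}
    return "AUTHENTICATE" if usable else "ABORT"


if __name__ == "__main__":
    for g in (GREETING_HARDENED, GREETING_NO_TLS, GREETING_HASH_ONLY):
        print(next_step(g), "<-", g)
    print(next_step(CAPS_AFTER_TLS, tls_active=True), "<-", CAPS_AFTER_TLS)
```

With `require_tls=False` and no STARTTLS on offer, the same function returns `LOGIN` for `GREETING_NO_TLS`, which is the case where the password leaves the client before the server has any chance to refuse it.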