On 6/25/07, John Peacock <jpeacock@rowman.com> wrote:
Ben Schumacher wrote:
I would like to see this, too. After digging through the code some, it seems that the major sticking point is that dovecot would prefer to do the CRAM-MD5 internally and therefore expects to have access to the password in plaintext and doesn't pass the timestamp on to checkpassword...
There is no way to use CRAM-MD5 without having the password stored in plaintext locally; it is a design "feature" since the hash is calculated using a different server key every time.
The problem is not that the passwords aren't stored locally in plaintext, it's that the mechanism for providing that information to dovecot is not there with checkpassword authentication. checkpassword expects to receive the 3 pieces of information it needs to perform this style of authentication -- username, hash and timestamp (or a "challenge string" -- which is generally a timestamp). This somewhat conflicts with dovecot's authentication system, which expects to have all the necessary authentication information internally and is not designed (not willing?) to trust a checkpassword-style authentication mechanism to perform CRAM-MD5 authentication and therefore only offers PLAIN as an option to clients.
Likely this change would require some tweaks to configuration as it would mean that dovecot would need to be configured to know which authentication mechanism the checkpassword system offered, but I still think it'd be a better situation than to simply not be able to use CRAM-MD5 if checkpassword is enabled.
Cheers, Ben
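The exchange the thread is arguing about, as an added example that is not part of the original mail and not code from Dovecot or checkpassword: the server issues a timestamp-style challenge, the client answers with the username plus HMAC-MD5 of the challenge keyed by the password, and a checkpassword-style verifier that is handed exactly those three pieces (username, hash, challenge) can only confirm the answer by recomputing the HMAC from the plaintext password. The hostname, user table and function names below are constructed for the example; nothing here is a real account.

```python
import hashlib
import hmac
import os
import time

# Constructed sample credential store. CRAM-MD5 forces the verifier to hold the
# password itself (or an HMAC-MD5 key derived from it); a one-way hash such as
# a crypt()/SHA-256 password hash cannot be used here, which is why John says
# plaintext local storage is a design "feature" of the mechanism.
CONSTRUCTED_USERS = {
    "ben": "correct horse battery staple",
}


def make_challenge(hostname="mail.example.invalid", pid=None, now=None):
    """Build the RFC 2195 style challenge '<pid.timestamp@host>'.

    pid/now are parameters so a test can produce a deterministic value;
    a real server uses its own pid and the current time.
    """
    pid = os.getpid() if pid is None else pid
    now = int(time.time()) if now is None else now
    return f"<{pid}.{now}@{hostname}>"


def client_response(username, password, challenge):
    """What the mail client sends back: 'username hex(HMAC-MD5(password, challenge))'."""
    digest = hmac.new(password.encode("utf-8"),
                      challenge.encode("utf-8"), hashlib.md5).hexdigest()
    return f"{username} {digest}"


def checkpassword_verify(username, client_digest, challenge, lookup=CONSTRUCTED_USERS.get):
    """Verify the three inputs a checkpassword-style helper would receive.

    Returns True only if recomputing the HMAC from the stored plaintext
    password reproduces the client's digest. The comparison is constant-time
    and a dummy HMAC is computed for unknown users so that timing does not
    reveal whether the username exists.
    """
    password = lookup(username)
    if password is None:
        # Keep the work roughly constant for unknown users, then reject.
        hmac.new(b"dummy-key", challenge.encode("utf-8"), hashlib.md5).hexdigest()
        return False
    expected = hmac.new(password.encode("utf-8"),
                        challenge.encode("utf-8"), hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, client_digest)


def parse_response(response):
    """Split the client's line into (username, digest); None if malformed."""
    parts = response.split(" ")
    if len(parts) != 2 or len(parts[1]) != 32:
        return None
    try:
        int(parts[1], 16)
    except ValueError:
        return None
    return parts[0], parts[1].lower()


def run_exchange(username, password, challenge=None):
    """Drive one full CRAM-MD5 round trip and return the verifier's decision."""
    challenge = make_challenge() if challenge is None else challenge
    response = client_response(username, password, challenge)
    parsed = parse_response(response)
    if parsed is None:
        return False
    user, digest = parsed
    return checkpassword_verify(user, digest, challenge)


if __name__ == "__main__":
    ch = make_challenge()
    print("challenge:", ch)
    print("good password accepted:", run_exchange("ben", CONSTRUCTED_USERS["ben"], ch))
    print("bad password accepted: ", run_exchange("ben", "wrong", ch))
```

The point for the thread is visible in `checkpassword_verify`: every input the helper needs is already in the response and the challenge, so a checkpassword-style program could do the check if the daemon handed the challenge over; but whichever side does the check must be able to reproduce the HMAC, which means holding the plaintext password rather than a one-way hash.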