GDPR applies to companies operating software, not the software itself.

As Aki pointed out (somewhere) in this thread, Dovecot doesn't store passwords itself, and doesn't work unless an admin proactively configures at least one authentication mechanism, so it is "secure by default" under any definition I'm aware of.

We might be open to a (short) MR on some language to add to the base authentication configuration page that would alert an admin to possible GDPR requirements. But the Dovecot configuration site is maintained to describe how the software works, not educate on what you might or might not need to do to operate a public mail platform, so the scope of such MR would need to be exceedingly narrow.

michael

On 02/12/2025 9:16 AM MST infoomatic via dovecot <dovecot@dovecot.org> wrote:

On 12.02.25 01:25, Steven Varco via dovecot wrote:

...

So, after my mandatory rant :D, the DEFAULT setup of dovecot should actually be as simple as possible.

I fully second that. There is no need to discuss whether dovecots default password storage complies to GDPR or not. The administrator or the liable person of a company is responsible for taking care about it, just as Steven Varco mentioned, the same goes with web servers or any publicly available service. The important point is: you can configure dovecot complying to the GDPR.

Because what's next - argue that a web framework is not GDPR compliant in its standard configuration because there is no cookie consent popup by default? This is ridiculous.

Regards, Robert

---

dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org