[Dovecot] (no subject)

Phillip Needham phillip at ibright.net
Fri Sep 2 07:24:52 EEST 2005


pam_ldap does not support simple bind either. Only saslauthd and
courier-imap seem to. And the web applications I write...

I think simple bind is a better way to do it, as long as you trust the
server and are using TLS or SSL. It requires less code, it is more portable,
and doesn't become obsolete when a new password hash is invented. It
offloads the task of hashing passwords completely to the server. That is
how I have always done web applications.

I could be wrong; I would love for someone to explain to me why it's
better to leave the password hash available for reading (and cracking),
then to attempt the relatively complex task of a) determining which hash
algorithm has encrypted the password and b) implementing that algorithm in
every program you write in order to verify passwords and c) re-writing
every program when you change the hash scheme.


Phillip Needham


> On Thu, 1 Sep 2005, Phillip Needham wrote:
>
>> I am trying to get away from courier imap because it is flaky the way it
>> uses FAM (or gamin in my case), and the developers seem to have a chip on
>> their collective shoulder, and it is too complex. I found dovecot because
>> it ships with CentOS 4 (i.e. Red Hat Enterprise 4). It looks like just
>> what I need: simple, fast. But I can't use it! I can't authenticate. If
>> any of these statements were untrue, I would use it happily:
>>
>> o it doesn't support simple bind authentication against LDAP
>> o I don't want to make passwords readable, and this version (0.99.14)
>> doesn't support SSHA anyway
>> o it won't talk to the saslauthd I already have configured
>> o I can't find how to implement a new auth module for dovecot
>
> Just use PAM.
>
> --
> Ignacio Vazquez-Abrams
>
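
Added example (not part of the original message and not Dovecot code): what steps a) and b) in the message above look like when a client reads the stored `userPassword` value and verifies it itself, for the `{SHA}`, `{SSHA}`, `{MD5}` and `{SMD5}` scheme tags. The function names and sample values are constructed for illustration; a scheme outside the table fails, which is point c).

```python
import base64
import hashlib
import hmac
import os

# Scheme tag -> (hashlib algorithm, salted?). In the salted variants the
# salt is appended after the digest inside the base64 payload.
SCHEMES = {
    "SHA": ("sha1", False),
    "SSHA": ("sha1", True),
    "MD5": ("md5", False),
    "SMD5": ("md5", True),
}


def make_ssha(password, salt=None):
    """Build a constructed {SSHA} value: base64(sha1(password + salt) + salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def verify_user_password(stored, candidate):
    """Step a) identify the scheme tag, step b) recompute and compare."""
    if not stored.startswith("{") or "}" not in stored:
        # No scheme tag: the directory holds the password in cleartext.
        return hmac.compare_digest(stored.encode(), candidate.encode())
    tag, payload = stored[1:].split("}", 1)
    if tag.upper() not in SCHEMES:
        # Step c): a scheme this client was never taught to verify.
        raise ValueError(f"unsupported scheme {{{tag}}}")
    algo, salted = SCHEMES[tag.upper()]
    try:
        raw = base64.b64decode(payload, validate=True)
    except ValueError:
        return False
    size = hashlib.new(algo).digest_size
    if len(raw) < size or (not salted and len(raw) != size):
        return False
    digest, salt = raw[:size], raw[size:]
    expected = hashlib.new(algo, candidate.encode() + salt).digest()
    # Constant-time comparison of the stored and recomputed digests.
    return hmac.compare_digest(digest, expected)
```

With a simple bind none of this runs in the client: it sends the DN and password over TLS and the server performs the comparison.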


