[Dovecot] Looking for a good way to manage passwords for CRAM-MD5

Noel noeldude at gmail.com
Tue May 14 22:44:42 EEST 2013


On 5/14/2013 12:39 PM, /dev/rob0 wrote:
> On Sun, May 12, 2013 at 05:40:10AM -0700, Professa Dementia wrote:
>> On 5/12/2013 4:17 AM, Steinar Bang wrote:
>>> I prefer not to use clear text passwords, even over an encrypted
>>> connection.
>> Why?  Enforce the encrypted link by not allowing unencrypted
>> connections.  The simplest is iptables to block ports 110 and 143,
>> while allowing 993 and 995.
> I don't understand this advice. Why would someone who is apparently
> interested in heightened transport security restrict himself to the
> older generation SSL v.2, which was long ago superseded by TLS v.1?

Forcing the connection to 993/995 does not imply SSLv2.  TLSv1.[012]
is still negotiated.  There is no decrease in security.

> http://en.wikipedia.org/wiki/Transport_Layer_Security#SSL_1.0.2C_2.0_and_3.0
> http://wiki2.dovecot.org/SSL
>
> Quoting from the latter page:
>
> "Some admins want to require SSL/TLS, but don't realize that this is
> also possible with STARTTLS (Dovecot has disable_plaintext_auth=yes
> and ssl=required settings)."

It's not unreasonable to disable the plaintext ports to minimize the
possibility of a fat-fingered accident.



  -- Noel Jones
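An added example, not written by anyone in this thread, showing the two approaches discussed above side by side in Dovecot 2.x configuration (syntax assumed; confirm with `doveconf -n` on your version, and the certificate paths are placeholders): requiring TLS via `ssl = required` / `disable_plaintext_auth = yes`, and additionally removing the plaintext listeners inside Dovecot as an alternative to the iptables block on 110/143.

```conf
# /etc/dovecot/conf.d/10-ssl.conf  (Dovecot 2.x syntax, assumed)
# Refuse any session that has not negotiated TLS, whether it arrived on
# the implicit-TLS ports 993/995 or used STARTTLS on 143/110.
# TLS 1.x is still negotiated on 993/995; the port does not pin SSLv2.
ssl = required
ssl_cert = </etc/dovecot/private/dovecot.pem   # placeholder path
ssl_key = </etc/dovecot/private/dovecot.key    # placeholder path

# /etc/dovecot/conf.d/10-auth.conf
# Reject PLAIN/LOGIN on non-TLS connections. With ssl=required this is
# redundant, but it stays correct if someone later relaxes ssl=.
disable_plaintext_auth = yes

# /etc/dovecot/conf.d/10-master.conf
# Equivalent of "iptables to block 110 and 143" done in Dovecot itself:
# port = 0 removes the plaintext listeners, so a fat-fingered client
# config gets "connection refused" instead of a session that could
# ever carry credentials in the clear. Only 993/995 remain open.
service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
service pop3-login {
  inet_listener pop3 {
    port = 0
  }
  inet_listener pop3s {
    port = 995
    ssl = yes
  }
}
```

Either the listener change or the iptables rules is enough on its own; using both only guards against one of them being reverted by mistake.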