[Dovecot] Looking for a good way to manage passwords for CRAM-MD5

Branko Majic branko at majic.rs
Tue May 14 22:55:23 EEST 2013


On Tue, 14 May 2013 12:39:34 -0500
/dev/rob0 <rob0 at gmx.co.uk> wrote:

> On Sun, May 12, 2013 at 05:40:10AM -0700, Professa Dementia wrote:
> > On 5/12/2013 4:17 AM, Steinar Bang wrote:
> > > I prefer not to use clear text passwords, even over an encrypted
> > > connection.
> > 
> > Why?  Enforce the encrypted link by not allowing unencrypted
> > connections.  The simplest is iptables to block ports 110 and 143,
> > while allowing 993 and 995.
> 
> I don't understand this advice. Why would someone who is apparently
> interested in heightened transport security restrict himself to the
> older generation SSL v.2, which was long ago superseded by TLS v.1?
> 
> http://en.wikipedia.org/wiki/Transport_Layer_Security#SSL_1.0.2C_2.0_and_3.0
> http://wiki2.dovecot.org/SSL
> 
> Quoting from the latter page:
> 
> "Some admins want to require SSL/TLS, but don't realize that this is 
> also possible with STARTTLS (Dovecot has disable_plaintext_auth=yes 
> and ssl=required settings)."

SSL vs STARTTLS in this context has nothing to do with SSL/TLS
versions (and available ciphers).

The thing is that SSL and STARTTLS in this context represent different
mechanisms by which you can initiate an SSL/TLS handshake. The "SSL
method" means you connect to port 993 and start a handshake
immediately (similar to HTTPS).

The "STARTTLS method" means you're connecting through port 143, using
plain-text communications at first, until you send a STARTTLS command
to the server. When STARTTLS has been issued, both client and server
proceed with an SSL/TLS handshake the same way as if the client had
connected to port 993.

It's unfortunately a poor selection of terminology, but everyone is using
it, which introduces a bit of confusion among people who are into
PKI that much :)

In effect, in both cases (if the software is built and configured
correctly) you'll be using TLSv1.0 or higher.

The thing is that if you connect to port 993, and Dovecot is configured
to use SSL there straight away, and the client starts sending IMAP
commands in plain-text, the server will cut the connection due to an
invalid SSL/TLS handshake.

When using the plain-text port 143, the client may attempt to send out
the username/password even though the server requires TLS (well, the
client shouldn't do this, since the server should signal to the client
what its capabilities are, but you never know how bad the client
implementation is).

I hope this description helps a bit :)

Best regards

P.S.
I think there's even been one discussion regarding this relatively
recently on Dovecot mailing lists.

-- 
Branko Majic
Jabber: branko at majic.rs
Please use only Free formats when sending attachments to me.

Бранко Мајић
Jabber: branko at majic.rs
Please send attachments to me only in Free formats.
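The distinction the reply draws (implicit TLS on 993 versus a plain-text start on 143 followed by STARTTLS) is easiest to see from the client side. The following is an added example, not code from the post or from the Dovecot project: it uses Python's standard `imaplib` to connect either way, and on port 143 it reads the server's CAPABILITY list and refuses to hand over a password until the TLS upgrade has actually happened, which is exactly the client behaviour the reply says cannot be taken for granted. The capability strings fed to the decision function are constructed samples; the host name in the usage block is a placeholder.

```python
"""Client-side guard against sending an IMAP password before TLS is up.

Added example (not part of the original mailing list post).  Models the
two connection styles described in the reply:

  * "SSL method":      connect to 993, TLS handshake starts immediately
  * "STARTTLS method": connect to 143 in plain text, upgrade with STARTTLS

and shows the check a careful client performs on port 143 before it
authenticates.  The capability lines in the demo are constructed samples.
"""
from __future__ import annotations

import imaplib
import ssl

IMPLICIT_TLS_PORT = 993   # TLS from the first byte, like HTTPS
STARTTLS_PORT = 143       # plain IMAP first, then STARTTLS upgrade


def parse_capabilities(line: str) -> set[str]:
    """Turn an untagged '* CAPABILITY ...' response into upper-case tokens.

    Accepts either the full untagged response or just the token list.
    """
    tokens = line.strip().split()
    while tokens and tokens[0].upper() in ("*", "CAPABILITY"):
        tokens.pop(0)
    return {t.upper() for t in tokens}


def next_step(caps: set[str], tls_active: bool) -> str:
    """Decide what the client should do next on this connection.

    Returns one of:
      "AUTHENTICATE" - TLS is already established, credentials may be sent
      "STARTTLS"     - plain text so far, server offers STARTTLS: upgrade first
      "ABORT"        - plain text and no STARTTLS offered: never send a
                       password here, whatever else the server advertises
                       (LOGINDISABLED or not)
    """
    if tls_active:
        return "AUTHENTICATE"
    if "STARTTLS" in caps:
        return "STARTTLS"
    return "ABORT"


def connect(host: str, port: int, context: ssl.SSLContext | None = None) -> imaplib.IMAP4:
    """Open an IMAP connection that is guaranteed to be TLS-protected.

    Raises RuntimeError instead of returning a plain-text connection, so a
    caller can never accidentally call .login() over the wire unencrypted.
    """
    context = context or ssl.create_default_context()

    if port == IMPLICIT_TLS_PORT:
        # Handshake happens inside the constructor; the server would drop
        # us if we sent plain IMAP commands here.
        return imaplib.IMAP4_SSL(host, port, ssl_context=context)

    conn = imaplib.IMAP4(host, port)          # plain text: only the greeting
    # imaplib fetches CAPABILITY during connect; conn.capabilities is a tuple
    # of upper-case strings.
    step = next_step(set(conn.capabilities), tls_active=False)
    if step == "STARTTLS":
        conn.starttls(ssl_context=context)    # upgrade; imaplib re-reads CAPABILITY
        return conn

    conn.logout()
    raise RuntimeError(
        f"{host}:{port} does not offer STARTTLS; refusing to authenticate in plain text"
    )


if __name__ == "__main__":
    # Constructed sample responses, roughly what a server requiring TLS
    # on 143 and an unprotected server would advertise before any upgrade.
    samples = [
        "* CAPABILITY IMAP4rev1 LITERAL+ STARTTLS LOGINDISABLED",
        "* CAPABILITY IMAP4rev1 LITERAL+ AUTH=PLAIN AUTH=LOGIN",
    ]
    for line in samples:
        print(f"{line!r:60} -> {next_step(parse_capabilities(line), tls_active=False)}")

    # Live usage (placeholder host; uncomment to run against a real server):
    # conn = connect("imap.example.invalid", STARTTLS_PORT)
    # conn.login("user", "password")      # only reached after TLS is active
```

The server-side counterpart is the pair of settings quoted in the thread, `disable_plaintext_auth=yes` and `ssl=required`: with those in place a client that ignores the capability list and sends LOGIN on port 143 is rejected by the server, but the credentials have still crossed the network in the clear, which is why the check belongs on the client as well.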