MD5-CRYPT/CRAM-MD5 vs SHA512-CRYPT/PLAIN

Reindl Harald h.reindl at thelounge.net
Sat Dec 6 12:10:58 UTC 2014


On 06.12.2014 at 06:56, Jan Wideł wrote:
> If you add disable_plaintext_auth=yes ssl=required settings, then
> dovecot will drop authentication without STARTTLS. But damage will be
> done, client will send unencrypted (or in this scenario MD5 or SHA512
> hash) login/password

no, damage will *not* be done

STARTTLS happens in context of connect and *long before* any
authentication is tried the handshake between client/server fails
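
An added example, not part of the original message or of Dovecot: a client-side check that decides, from the IMAP capabilities the server advertises and the current TLS state, whether any credentials may be sent yet. The function names, the `require_tls` policy flag and the sample capability lines are assumptions constructed for illustration.

```python
# Added example: client-side gate that runs before any LOGIN/AUTHENTICATE.
# All capability lines used with it are constructed samples, not captured traffic.

PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}  # SASL mechanisms that reveal the password


def parse_capabilities(line):
    """Return the capability atoms of an IMAP greeting or CAPABILITY response."""
    start = line.upper().find("CAPABILITY")
    if start < 0:
        return set()
    rest = line[start + len("CAPABILITY"):]
    rest = rest.split("]", 1)[0]  # greeting form: * OK [CAPABILITY ...] text
    return {atom.upper() for atom in rest.split()}


def next_step(capability_line, tls_active, require_tls=True):
    """Decide the next client command without leaking credentials.

    require_tls is a hypothetical client policy flag: when True, nothing
    credential-bearing is ever sent on an unencrypted connection.
    """
    caps = parse_capabilities(capability_line)
    mechs = {c[len("AUTH="):] for c in caps if c.startswith("AUTH=")}

    if not tls_active:
        if "STARTTLS" in caps:
            return "STARTTLS"            # upgrade first, then re-read capabilities
        if require_tls:
            return "ABORT"               # no TLS on offer: send nothing at all
        # Policy tolerates cleartext transport: challenge-response only.
        safe = sorted(mechs - PLAINTEXT_MECHS)
        return "AUTHENTICATE " + safe[0] if safe else "ABORT"

    # TLS is active: a plaintext mechanism is protected by the channel.
    if "PLAIN" in mechs:
        return "AUTHENTICATE PLAIN"
    if mechs:
        return "AUTHENTICATE " + sorted(mechs)[0]
    return "ABORT" if "LOGINDISABLED" in caps else "LOGIN"


if __name__ == "__main__":
    greeting = "* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED] ready."  # constructed
    print(next_step(greeting, tls_active=False))
```
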
