MD5-CRYPT/CRAM-MD5 vs SHA512-CRYPT/PLAIN
Reindl Harald
h.reindl at thelounge.net
Sat Dec 6 12:10:58 UTC 2014
On 06.12.2014 at 06:56, Jan Wideł wrote:
> If you add disable_plaintext_auth=yes ssl=required settings, then
> dovecot will drop authentication without STARTTLS. But damage will be
> done, client will send unencrypted (or in this scenario MD5 or SHA512
> hash) login/password
no, damage will *not* be done
STARTTLS happens in the context of the connect, and *long before* any
authentication is tried the handshake between client/server fails