MD5-CRYPT/CRAM-MD5 vs SHA512-CRYPT/PLAIN

Jan Wideł jan.widel at networkers.pl
Sat Dec 6 14:57:53 UTC 2014


On 2014-12-06 13:10, Reindl Harald wrote:
> On 06.12.2014 at 06:56, Jan Wideł wrote:
>> If you add the disable_plaintext_auth=yes and ssl=required settings, then
>> dovecot will drop authentication without STARTTLS. But the damage will be
>> done: the client will send the unencrypted (or, in this scenario, MD5 or SHA512
>> hashed) login/password.
> 
> no, damage will *not* be done
> 
> STARTTLS happens in the context of connect and *long before* any
> authentication is tried; the handshake between client/server fails

Yes, of course you are right. I meant that the client is misconfigured by 
being forced not to use TLS.

-- 
Jan Wideł
Senior System Administrator
e-mail: jan.widel at networkers.pl
mobile: +48 797 004 946
www: http://www.networkers.pl
GPG: http://networkers.pl/GPG/2E7359CD.asc
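To check the server-side behaviour discussed in this thread, here is an added example (not from the thread and not Dovecot's own code) that evaluates an IMAP CAPABILITY line the way a defender would: a server with disable_plaintext_auth=yes and ssl=required should advertise LOGINDISABLED and no password-bearing AUTH= mechanism until STARTTLS has completed. The CAPABILITY strings and function names are constructed for the example; the live helper assumes a reachable host and is not exercised here.

```python
"""Check whether an IMAP server exposes plaintext credentials before TLS."""
import imaplib
import ssl

# Constructed sample: pre-STARTTLS CAPABILITY from a server configured with
# disable_plaintext_auth=yes and ssl=required (Dovecot-style response).
PRE_TLS_CAPS = "IMAP4rev1 SASL-IR ID ENABLE IDLE LITERAL+ STARTTLS LOGINDISABLED"
# Constructed sample: the same server after STARTTLS; plaintext mechanisms appear.
POST_TLS_CAPS = "IMAP4rev1 SASL-IR ID ENABLE IDLE LITERAL+ AUTH=PLAIN AUTH=LOGIN"
# Constructed sample: a server that accepts password-bearing auth before TLS.
WEAK_CAPS = "IMAP4rev1 STARTTLS AUTH=PLAIN AUTH=LOGIN"

# SASL mechanisms that carry the password (or an equivalent) on the wire.
PASSWORD_BEARING = {"AUTH=PLAIN", "AUTH=LOGIN"}


def parse_caps(line):
    """Split a CAPABILITY line into an upper-cased set of tokens."""
    return {tok.upper() for tok in line.split()}


def plaintext_auth_exposed(pre_tls_caps):
    """True if a client could hand over its password before STARTTLS.

    Exposure means either the LOGIN command is still enabled (no LOGINDISABLED)
    or a password-bearing SASL mechanism is offered on the cleartext channel.
    Challenge-response mechanisms such as CRAM-MD5 do not count as exposure.
    """
    caps = parse_caps(pre_tls_caps)
    return "LOGINDISABLED" not in caps or bool(caps & PASSWORD_BEARING)


def tls_enforced(pre_tls_caps, post_tls_caps):
    """True if plaintext auth is blocked before TLS and allowed only after it."""
    return (not plaintext_auth_exposed(pre_tls_caps)
            and "STARTTLS" in parse_caps(pre_tls_caps)
            and bool(parse_caps(post_tls_caps) & PASSWORD_BEARING))


def probe_live_server(host, port=143):
    """Hypothetical live check: fetch CAPABILITY before and after STARTTLS.

    Never sends credentials; it only inspects what the server advertises.
    """
    conn = imaplib.IMAP4(host, port)
    _, pre = conn.capability()
    conn.starttls(ssl_context=ssl.create_default_context())
    _, post = conn.capability()
    conn.logout()
    return tls_enforced(pre[0].decode(), post[0].decode())
```

A standards-compliant client refuses LOGIN when LOGINDISABLED is advertised, so a server passing tls_enforced closes the window the thread describes for a client "forced not to use TLS".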
