Tip: update dovecot MD5 password from PAM

Steinar Bang sb at dod.no
Sun Mar 26 20:22:35 EEST 2017


>>>>> Aki Tuomi <aki.tuomi at dovecot.fi>:

> Is there some reason you cannot protect your users with TLS/SSL?

I do use SSL.  I don't understand what that has to do with the
preference of CRAM-MD5 over plain text auth?

> Using CRAM-MD5 is not a very secure option, since you have to store the
> password in clear text. Plain MD5 is almost plaintext these days.

I worry less about the security of a password stored in a local file
compared to the security of transferring the same password in cleartext
over the wire, SSL or not.

As for alternatives, google found me SCRAM-SHA-1[1] which is supported
by dovecot[2], but google couldn't find me any imap clients supporting
it.

Kerberos (also listed among the alternatives) would have been really
neat, unfortunately private networks and NATing breaks things for
Kerberos... maybe IPv6 will revitalize Kerberos...?  One can hope.


References:
 [1] <https://en.wikipedia.org/wiki/Salted_Challenge_Response_Authentication_Mechanism>
 [2] <http://wiki2.dovecot.org/Authentication/Mechanisms#Non-plaintext_authentication>
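Added example, not part of the thread or of dovecot's code: both sides of a SCRAM-SHA-1 exchange (RFC 5802) in Python next to a CRAM-MD5 response check, showing the point at issue above, that a SCRAM server stores only a salted verifier while a CRAM-MD5 server must hold the cleartext password (or HMAC state derived directly from it). The nonces, salt and messages are constructed values.

```python
import base64, hashlib, hmac

def hi(password: bytes, salt: bytes, iterations: int) -> bytes:
    # Hi() in RFC 5802 is PBKDF2 with HMAC-SHA-1 as the PRF.
    return hashlib.pbkdf2_hmac("sha1", password, salt, iterations)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def make_verifier(password: str, salt: bytes, iterations: int = 4096) -> dict:
    """What a SCRAM server stores: salt, iteration count, StoredKey, ServerKey.
    The password itself is not kept; StoredKey is a hash of a key derived
    from it, so a copied verifier does not directly log in as the user."""
    salted = hi(password.encode(), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha1).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha1).digest()
    return {"salt": salt, "i": iterations,
            "stored_key": hashlib.sha1(client_key).digest(),
            "server_key": server_key}

def cram_md5_check(password: str, challenge: bytes, response_hex: str) -> bool:
    # CRAM-MD5 (RFC 2195): the server needs the cleartext password (or the
    # HMAC-MD5 context derived from it) to recompute the client's response.
    return hmac.compare_digest(
        hmac.new(password.encode(), challenge, hashlib.md5).hexdigest(), response_hex)

def scram_exchange(user: str, password: str, verifier: dict,
                   c_nonce: str = "fyko+d2lbbFgONRv9qkxdawL",   # constructed
                   s_nonce: str = "3rfcNHYJY1ZVvWVs7j") -> bool:  # constructed
    """Run both sides of a SCRAM-SHA-1 exchange and return the server's verdict."""
    # Client -> server: username and client nonce (channel binding omitted)
    client_first_bare = f"n={user},r={c_nonce}"
    # Server -> client: combined nonce, plus salt and iteration count from the verifier
    server_first = (f"r={c_nonce}{s_nonce},s="
                    f"{base64.b64encode(verifier['salt']).decode()},i={verifier['i']}")
    client_final_bare = f"c=biws,r={c_nonce}{s_nonce}"
    auth_message = f"{client_first_bare},{server_first},{client_final_bare}".encode()
    # Client side: derive ClientKey from the password and compute ClientProof
    salted = hi(password.encode(), verifier["salt"], verifier["i"])
    client_key = hmac.new(salted, b"Client Key", hashlib.sha1).digest()
    stored_key = hashlib.sha1(client_key).digest()
    proof = xor(client_key, hmac.new(stored_key, auth_message, hashlib.sha1).digest())
    # Server side: recover ClientKey from the proof, hash it, compare to StoredKey
    client_sig = hmac.new(verifier["stored_key"], auth_message, hashlib.sha1).digest()
    recovered = xor(proof, client_sig)
    return hmac.compare_digest(hashlib.sha1(recovered).digest(), verifier["stored_key"])
```

The server's final step never touches the password; only the client derives keys from it, which is the property CRAM-MD5 lacks.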
