Tip: update dovecot MD5 password from PAM
Alexander Dalloz
ad+lists at uni-x.org
Sun Mar 26 20:33:11 EEST 2017
On 26.03.2017 at 19:22, Steinar Bang wrote:
> I worry less about the security of a password stored in a local file
> compared to the security of transferring the same password in cleartext
> over the wire, SSL or not.

A TLS-secured communication ensures that authentication credentials
aren't transmitted in plaintext, even if the SASL mechanism is PLAIN. So
ensure that the certificates are validated and secure ciphers are used
and you are on the safe side.

Why would you discredit TLS/SSL? That's not rational.

Basically it is bad practice to store credentials in plaintext on a
server. Thus shared secret mechanisms like CRAM-MD5 are not really a good
choice.

Alexander
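
Added example, not part of the original message and not Dovecot code: a Python sketch of the server-side check for CRAM-MD5 next to the one for PLAIN, showing why a shared-secret mechanism forces the server to keep the secret itself (or an equivalent of it) while PLAIN inside TLS lets it keep only a salted one-way hash. The function names, the PBKDF2 parameters and the sample values are assumptions made for this illustration.

```python
import hashlib
import hmac
import os

def cram_md5_response(user: str, secret: bytes, challenge: bytes) -> bytes:
    """Client side: user name, a space, hex HMAC-MD5 of the challenge keyed with the secret."""
    digest = hmac.new(secret, challenge, hashlib.md5).hexdigest()
    return user.encode() + b" " + digest.encode()

def verify_cram_md5(stored_secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Server side: recomputing the HMAC requires the secret itself from storage."""
    _user, _, digest = response.rpartition(b" ")
    expected = hmac.new(stored_secret, challenge, hashlib.md5).hexdigest().encode()
    return hmac.compare_digest(expected, digest)

def make_record(password: bytes, iterations: int = 100_000) -> tuple:
    """What the server stores for PLAIN: salt, cost and a one-way PBKDF2 hash."""
    salt = os.urandom(16)
    return salt, iterations, hashlib.pbkdf2_hmac("sha256", password, salt, iterations)

def verify_plain(record: tuple, sasl_plain: bytes) -> bool:
    """Server side for SASL PLAIN (authzid NUL authcid NUL password), received inside TLS."""
    parts = sasl_plain.split(b"\0")
    if len(parts) != 3:
        return False
    salt, iterations, stored = record
    candidate = hashlib.pbkdf2_hmac("sha256", parts[2], salt, iterations)
    return hmac.compare_digest(candidate, stored)

if __name__ == "__main__":
    # Constructed sample values, not taken from any real system.
    secret = b"constructed-example-secret"
    challenge = b"<12345.67890@mail.example.org>"
    resp = cram_md5_response("alice", secret, challenge)
    print("CRAM-MD5 verified with stored secret:", verify_cram_md5(secret, challenge, resp))
    record = make_record(secret)
    print("PLAIN verified against hash only:", verify_plain(record, b"\0alice\0" + secret))
    print("password present in PLAIN record:", secret in record)
```

With CRAM-MD5 the value in the credential store is sufficient to answer any future challenge, so its confidentiality matters as much as the password's; the PBKDF2 record used for PLAIN cannot be replayed that way.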