Mixed Autehtnication and password schemes
Raymond Sellars
Raymond.Sellars at orionhealth.com
Fri Sep 1 02:44:57 EEST 2017
Thanks
-----Original Message-----
From: Aki Tuomi [mailto:aki.tuomi at dovecot.fi]
Sent: Friday, 1 September 2017 2:15 AM
To: dovecot at dovecot.org; Raymond Sellars
Subject: Re: Mixed Autehtnication and password schemes
> The above not suggests I can't use DIGEST-MD5 with master password configuration, if using more than one passdb setup. I don't understand why there would be a restriction as the password validation should just fall through irrespective.
>
Because CRAM-MD5 is bothersome. Do you really need it? It's not really necessary with SSL.
[Raymond] Unfortunately yes, part of the ONC 2015 Edition requirements. As you say its not really needed but more one of those tick the compliance boxes.
> Problem #2 How do I enforce some kind of account access policy
>
> As a worse case does Dovecot implement any type of account access policies? Out IT security reviewers are hot on account policies, i.e. lockouts, expiries, and back off attempts.
>
You can use https://wiki2.dovecot.org/Authentication/Policy to implement complex requirements.
other than that, dovecot will deter brute force on it's own to some degree.
[Raymond] Thanks, i'll need to upgrade but this definitely addresses the requirement.
> Thanks
> Raymond
> Solution Architect - Orion Health
Aki Tuomi
Dovecot oy
More information about the dovecot
mailing list