Mixed Authentication and password schemes

Raymond Sellars Raymond.Sellars at orionhealth.com
Mon Sep 4 01:07:12 EEST 2017


Hi

No, master password isn't required for certification. That's more an internal technical design for our Webmail application.

My fallback design is to employ two different dovecot proxies, but I suspect I run the risk of mailbox corruption as the director nodes won't be shared.

> It's not really necessary with SSL.

This is a good point I'd forgotten to consider. It would allow me to mix master + PLAIN and then isolate DIGEST-MD5, maybe in a different proxy. The practical world vs the theory.

Thanks
Raymond
-----Original Message-----
From: Aki Tuomi [mailto:aki.tuomi at dovecot.fi] 
Sent: Friday, 1 September 2017 11:32 PM
To: dovecot at dovecot.org; Raymond Sellars
Subject: RE: Mixed Autehtnication and password schemes

> 
> -----Original Message-----
> From: Aki Tuomi [mailto:aki.tuomi at dovecot.fi] 
> Sent: Friday, 1 September 2017 2:15 AM
> To: dovecot at dovecot.org; Raymond Sellars
> Subject: Re: Mixed Autehtnication and password schemes
> 
> 
> > The above note suggests I can't use DIGEST-MD5 with master password configuration, if using more than one passdb setup. I don't understand why there would be a restriction as the password validation should just fall through irrespective.
> > 
> 
> Because CRAM-MD5 is bothersome. Do you really need it? It's not really necessary with SSL.
> 
> [Raymond] Unfortunately yes, part of the ONC 2015 Edition requirements. As you say, it's not really needed but more one of those tick-the-compliance-boxes things.
> 

My condolences. Do they really require it for *master password* too, which makes little sense?

Aki

