question about using cram-md5 login passwords

Aki Tuomi aki.tuomi at dovecot.fi
Mon Apr 23 16:45:22 EEST 2018


> On 23 April 2018 at 16:14 "Fabian A. Santiago" <fsantiago at garbage-juice.com> wrote:
> 
> 
> hello dovecot community,
> 
> question: if my user database and dovecot installation are currently set up to use plain login passwords, and I want to convert to cram-md5, after I configure dovecot accordingly and reset passwords into cram-md5, if anyone uses the plain login method again in the future, will it still work? Or must they always, from this point on, use encrypted passwords? Thanks.

Do not use CRAM-MD5/DIGEST-MD5 mechanisms if you are using an SSL/TLS connection. PLAIN/LOGIN is usually sufficiently secure over encrypted transport, and STARTTLS is required over the plaintext port too.

In general, CRAM-MD5 is designed to authenticate over insecure transport.

Aki

> 
> --
> 
> Thanks,
> 
> Fabian S.
> 
> OpenPGP:
> 
> 0x643082042DC83E6D94B86C405E3DAA18A1C22D8F (new key)
> 0x3C3FA072ACCB7AC5DB0F723455502B0EEB9070FC (to be retired / revoked)

