question about using cram-md5 login passwords

Fabian A. Santiago fsantiago at garbage-juice.com
Mon Apr 23 17:19:47 EEST 2018


On April 23, 2018 9:45:22 AM EDT, Aki Tuomi <aki.tuomi at dovecot.fi> wrote:
>
>> On 23 April 2018 at 16:14 "Fabian A. Santiago" <fsantiago at garbage-juice.com> wrote:
>> 
>> 
>> hello dovecot community,
>> 
>> Question: if my user database and dovecot installation are currently
>> set up to use plain login passwords, and I want to convert to cram-md5,
>> after I configure dovecot accordingly and reset passwords into
>> cram-md5, if anyone uses the plain login method again in the future, will
>> it still work? Or must they always from this point on use encrypted
>> passwords? Thanks.
>
>Do not use CRAM-MD5/DIGEST-MD5 mechanisms if you are using an SSL/TLS
>connection. PLAIN/LOGIN is usually sufficiently secure over encrypted
>transport, and STARTTLS is required over the plaintext port too.
>
>In general, CRAM-MD5 is designed to authenticate over insecure
>transport.
>
>Aki
>
>> 
>> --
>> 
>> Thanks,
>> 
>> Fabian S.
>> 
>> OpenPGP:
>> 
>> 0x643082042DC83E6D94B86C405E3DAA18A1C22D8F (new key)
>> 0x3C3FA072ACCB7AC5DB0F723455502B0EEB9070FC (to be retired / revoked)

OK, I am using TLS and have always been doing so. So I'll leave it alone then. Thanks for your thoughts.
--

Fabian A. Santiago

OpenPGP:

0x643082042dc83e6d94b86c405e3daa18a1c22d8f (current key)
0x3c3fa072accb7ac5db0f723455502b0eeb9070fc (to be retired / revoked)
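
Added example, not part of the original thread and not Dovecot code: a Python sketch of the two mechanisms discussed above, showing what each one puts on the wire. CRAM-MD5 (RFC 2195) sends an HMAC-MD5 of a one-time server challenge, while PLAIN (RFC 4616) sends the password itself in base64, which is why PLAIN depends on TLS. The function names are hypothetical, and the user, secret and challenge are the sample values from RFC 2195.

```python
import base64
import hashlib
import hmac


def cram_md5_response(user: str, password: str, challenge_b64: str) -> str:
    """Client side: answer the server's base64 challenge (RFC 2195)."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode()).decode()


def cram_md5_verify(secrets: dict, challenge_b64: str, response_b64: str) -> bool:
    """Server side: recompute the HMAC from the stored secret and compare."""
    try:
        decoded = base64.b64decode(response_b64).decode()
    except (ValueError, UnicodeDecodeError):
        return False
    user, _, digest = decoded.rpartition(" ")
    password = secrets.get(user)
    if password is None:
        return False
    challenge = base64.b64decode(challenge_b64)
    expected = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    # Constant-time comparison of the two hex digests.
    return hmac.compare_digest(expected.encode(), digest.encode())


def plain_initial_response(user: str, password: str) -> str:
    """SASL PLAIN (RFC 4616): authzid NUL authcid NUL password, base64 only."""
    return base64.b64encode(f"\0{user}\0{password}".encode()).decode()


# Sample values from the RFC 2195 example exchange.
SAMPLE_USER = "tim"
SAMPLE_SECRET = "tanstaaftanstaaf"
SAMPLE_CHALLENGE = base64.b64encode(
    b"<1896.697170952@postoffice.reston.mci.net>").decode()

if __name__ == "__main__":
    resp = cram_md5_response(SAMPLE_USER, SAMPLE_SECRET, SAMPLE_CHALLENGE)
    print("CRAM-MD5 on the wire:", base64.b64decode(resp).decode())
    print("server accepts:", cram_md5_verify(
        {SAMPLE_USER: SAMPLE_SECRET}, SAMPLE_CHALLENGE, resp))
    plain = plain_initial_response(SAMPLE_USER, SAMPLE_SECRET)
    print("PLAIN on the wire:", base64.b64decode(plain))
```

The PLAIN line printed at the end contains the password verbatim; base64 is an encoding, not protection, so the confidentiality comes entirely from the TLS session.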

