Help on CRAM-MD5

Aki Tuomi aki.tuomi at open-xchange.com
Wed Jun 19 09:30:34 EEST 2019


On 19.6.2019 7.48, Alexander Dalloz via dovecot wrote:
> Am 19.06.2019 um 00:04 schrieb Jorge Bastos via dovecot:
>> Howdy,
>>
>> I'm using dovecot and mysql users, and I'm creating the password with:
>>
>> ENCRYPT('some-passwd',CONCAT('$6$', SUBSTRING(SHA(RAND()), -16)))
>>
>> So far so good, everything's fine.
>> Today I saw that I didn't enable CRAM-MD5, but if I do, and the (at
>> least)
>> IMAP client (roundcube/thunderbird/etc) issues CRAM-MD5 it doesn't
>> authenticate.
>> What am I doing wrong, or what can be done so that all types work (SASL
>> PLAIN LOGIN + CRAM-MD5)?
>>
>> Thanks in advance,
>>
>
> For shared secret mechanisms like CRAM-MD5 to work the password must
> be stored in plaintext AFAIK. That's a good reason not to offer that.
>
> Alexander
>

CRAM-MD5 can also be stored as a stage 1 MD5 hashed blob. Only marginally
better than plaintext. But as pointed out, CRAM-MD5 and DIGEST-MD5 cannot
work with crypted passwords. If you want to use "secure passwords",
SCRAM-SHA1 is an option, but probably best is to disable mechs other than
'PLAIN' and 'LOGIN' unless you know what you are doing.


Aki
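The contrast Aki draws, shown in code: an added example, not Dovecot's code or anything posted in the thread. It implements the CRAM-MD5 exchange (RFC 2195), whose server-side check can only be recomputed from the plaintext password, next to SCRAM-SHA-1 (RFC 5802), where the server keeps only a salt, an iteration count, StoredKey and ServerKey and still verifies the client proof. The `record` dict standing in for a passdb row, and the AuthMessage string used in the test, are constructed for this example.

```python
# Added example, not Dovecot code: CRAM-MD5 needs the plaintext secret on the
# server, SCRAM-SHA-1 verifies from a salted, non-reversible record instead.
import hashlib
import hmac


def cram_md5_response(username: str, password: str, challenge: bytes) -> str:
    """Client side of CRAM-MD5 (RFC 2195): HMAC-MD5 keyed with the plaintext password."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return f"{username} {digest}"


def cram_md5_verify(stored_password: str, username: str, challenge: bytes, response: str) -> bool:
    """Server side: recomputing the HMAC needs the password itself (or, in Dovecot's
    CRAM-MD5 scheme, the intermediate MD5 state), never a crypt()/$6$ hash."""
    expected = cram_md5_response(username, stored_password, challenge)
    return hmac.compare_digest(expected, response)


def _scram_keys(password: str, salt: bytes, iterations: int) -> tuple[bytes, bytes, bytes]:
    """SCRAM-SHA-1 (RFC 5802) key derivation, shared by enrolment and the client."""
    salted = hashlib.pbkdf2_hmac("sha1", password.encode(), salt, iterations, 20)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha1).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha1).digest()
    return client_key, hashlib.sha1(client_key).digest(), server_key


def scram_sha1_enroll(password: str, salt: bytes, iterations: int = 4096) -> dict:
    """What the server stores for SCRAM-SHA-1: salt, iteration count, StoredKey and
    ServerKey. The plaintext is not kept and cannot be recovered from these values."""
    _, stored_key, server_key = _scram_keys(password, salt, iterations)
    return {"salt": salt, "iterations": iterations,
            "stored_key": stored_key, "server_key": server_key}


def scram_sha1_client_proof(password: str, record: dict, auth_message: bytes) -> bytes:
    """ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage); salt and iteration
    count would arrive in the server-first message in a real exchange."""
    client_key, stored_key, _ = _scram_keys(password, record["salt"], record["iterations"])
    client_sig = hmac.new(stored_key, auth_message, hashlib.sha1).digest()
    return bytes(a ^ b for a, b in zip(client_key, client_sig))


def scram_sha1_verify(record: dict, auth_message: bytes, client_proof: bytes) -> bool:
    """Server recovers ClientKey from the proof and checks H(ClientKey) == StoredKey.
    Only the stored record is needed, which is why SCRAM works with hashed secrets."""
    client_sig = hmac.new(record["stored_key"], auth_message, hashlib.sha1).digest()
    client_key = bytes(a ^ b for a, b in zip(client_proof, client_sig))
    return hmac.compare_digest(hashlib.sha1(client_key).digest(), record["stored_key"])
```

The CRAM-MD5 functions reproduce the worked example in RFC 2195 section 2 exactly, which is a quick way to confirm the HMAC-MD5 construction.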
