Help on CRAM-MD5
FUSTE Emmanuel
emmanuel.fuste at thalesgroup.com
Thu Jun 20 11:53:22 EEST 2019
Hello,
The world is not black or white.
Yes CRAM-MD5 is old and his successor SCRAM-XXXXXX is not widely
available/implemented which is sad.
For your need, use TLS and forget about it.
Thunderbird is conservative. If you don't configure TLS or TLS is not
available, it try to use something that not expose the password.
There is plenty of context where TLS is not possible/desirable.
And without client certificate, mutual strong authentication is not
available, but could be with TLS+SCRAM.
There is plenty of room for SASL mech other than PLAIN/LOGIN.
It just not fit your actual needs. Just be sure to not allow PLAIN/LOGIN
in clear.
Emmanuel.
Le 19/06/2019 à 18:58, Jorge Bastos via dovecot a écrit :
> Howdy,
>
> Answering all, so cram-md5 is old, don't want then!
> I only noticed thunderbird as default using this, so, won't implement it!
>
> Thanks for the clarify,
>
> -----Original Message-----
> From: dovecot <dovecot-bounces at dovecot.org> On Behalf Of Aki Tuomi via dovecot
> Sent: 19 de junho de 2019 07:31
> To: Alexander Dalloz <ad+lists at uni-x.org>; dovecot at dovecot.org
> Subject: Re: Help on CRAM-MD5
>
>
> On 19.6.2019 7.48, Alexander Dalloz via dovecot wrote:
>> Am 19.06.2019 um 00:04 schrieb Jorge Bastos via dovecot:
>>> Howdy,
>>>
>>> I'm using dovecot and mysql users, and i'm creating the password with:
>>>
>>> ENCRYPT('some-passwd',CONCAT('$6$', SUBSTRING(SHA(RAND()), -16)))
>>>
>>> So far so good, everything's fine.
>>> Today saw that i didn't enabled CRAM-MD5, but if I do, and the (at
>>> least)
>>> IMAP client (roundcube/thunderbird/etc) issues CRAM-MD5 it doesn't
>>> authenticate.
>>> What am i doing wrong, or that can be done so that all types work
>>> (SASL PLAIN LOGIN + CRAM-MD5)?
>>>
>>> Thanks in advanced,
>>>
>> For shared secret mechanisms like CRAM-MD5 to work the password must
>> be stored in plaintext AFAIK. That's a good reason not to offer that.
>>
>> Alexander
>>
> CRAM-MD5 can also be stored as stage 1 MD5 hashed blob. Only marginally better than plaintext. But as pointed out, CRAM-MD5, DIGEST-MD5 cannot work with crypted passwords. If you want to use "secure passwords",
> SCRAM-SHA1 is an option, but probably best is to disable other than 'PLAIN' and 'LOGIN' mech unless you know what you are doing.
>
>
> Aki
>
>
More information about the dovecot
mailing list