Help on CRAM-MD5
FUSTE Emmanuel
emmanuel.fuste at thalesgroup.com
Thu Jun 20 13:28:54 EEST 2019
Le 20/06/2019 à 11:59, @lbutlr via dovecot a écrit :
> On 20 Jun 2019, at 02:53, FUSTE Emmanuel via dovecot <dovecot at dovecot.org> wrote:
>> There is plenty of context where TLS is not possible/desirable.
> I’d say that is terrible advice. There are no reasonable contexts where is it is acceptable to send mail credentials without encryption. My users have had to use STARTTLS for submission for many many years. Insecure connections from users are not an option.
Please, don't make me say what I did not say.
I use the word "context". I did not talk about "sending mail
credentials" no more I talk about Internet.
And even with that, don't restrict the world as your use case .The world
is not Internet only too.
And SASL and by extend the CRAM-MD5 mech is not used only in email
scenario/protocols.
Even in email scenario, I have to deal with equipments (scanner/copiers)
not able to do TLS or not able to deal with a private CA and insisting
to verify the SMTP server Cert to send email, or with broken or outdated
SSL implementation etc ... They support CRAM-MD5. It is still better
than clear text.
I have more than 4000 of such class of equipments behind my servers each
having their problems, bugs, limitations.... Yes in 2019 ... I even
don't talk you about the thousands of proprietary, outdated, customs,
buggy (and combine all as you want) applications that I have to deal
with....
Emmanuel.
More information about the dovecot
mailing list