Help on CRAM-MD5

Alexander Dalloz ad+lists at uni-x.org
Thu Jun 20 23:49:18 EEST 2019


On 20.06.2019 at 12:28, FUSTE Emmanuel via dovecot wrote:
> On 20/06/2019 at 11:59, @lbutlr via dovecot wrote:
>> On 20 Jun 2019, at 02:53, FUSTE Emmanuel via dovecot <dovecot at dovecot.org> wrote:
>>> There is plenty of context where TLS is not possible/desirable.
>> I’d say that is terrible advice. There are no reasonable contexts where it is acceptable to send mail credentials without encryption. My users have had to use STARTTLS for submission for many, many years. Insecure connections from users are not an option.
> Please, don't make me say what I did not say.
> I used the word "context". I did not talk about "sending mail
> credentials", nor did I talk about the Internet.
> And even with that, don't restrict the world to your use case. The world
> is not the Internet only, either.
> And SASL, and by extension the CRAM-MD5 mech, is not used only in email
> scenarios/protocols.
> 
> Even in email scenarios, I have to deal with equipment (scanners/copiers)
> not able to do TLS, or not able to deal with a private CA and insisting
> on verifying the SMTP server cert to send email, or with broken or outdated
> SSL implementations, etc. They support CRAM-MD5. It is still better
> than clear text.
> I have more than 4000 of this class of equipment behind my servers, each
> having its own problems, bugs, limitations... Yes, in 2019... I am not
> even telling you about the thousands of proprietary, outdated, custom,
> buggy (combine all of these as you want) applications that I have to deal
> with...
> 
> Emmanuel.

Hopefully we all remember the big hacks where masses of unencrypted or 
at least insufficiently secured credentials were stolen. That's what I 
worry about and why CRAM-MD5 is no wise choice at all.

Alexander
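To make the trade-off both posters are arguing about concrete, here is an added example (not code from the thread or from Dovecot) of the RFC 2195 CRAM-MD5 exchange in Python: the client proves knowledge of the password without sending it, but the server can only verify the response if it holds the plaintext password (or its MD5-equivalent), which is exactly the stored-credential exposure raised above. The user names, password and challenge values are constructed for the example.

```python
import base64
import hmac
import secrets


def make_challenge(hostname: str) -> bytes:
    """Server side: an RFC 2195 style challenge such as <123.456@host>.
    The value only has to be unique and unpredictable per authentication."""
    return f"<{secrets.randbits(32)}.{secrets.randbits(32)}@{hostname}>".encode()


def client_response(username: str, password: str, challenge: bytes) -> bytes:
    """Client side: base64(username + ' ' + hex(HMAC-MD5(key=password, msg=challenge))).
    The password itself never goes on the wire, only this keyed digest."""
    digest = hmac.new(password.encode(), challenge, "md5").hexdigest()
    return base64.b64encode(f"{username} {digest}".encode())


def verify_response(response: bytes, challenge: bytes, stored: dict) -> bool:
    """Server side. `stored` maps user -> plaintext password: CRAM-MD5 cannot
    be verified against a salted one-way hash (bcrypt, SHA-crypt, ...), so a
    stolen credential store is directly usable. Without TLS, the challenge and
    digest are also visible to anyone on the path and can be guessed offline."""
    try:
        decoded = base64.b64decode(response, validate=True).decode()
        user, digest = decoded.split(" ", 1)
    except (ValueError, UnicodeDecodeError):
        return False  # malformed response, not an auth failure per se
    password = stored.get(user)
    if password is None:
        return False
    expected = hmac.new(password.encode(), challenge, "md5").hexdigest()
    return hmac.compare_digest(expected, digest)  # constant-time comparison


def exchange(username: str, password: str, stored: dict, challenge: bytes = None):
    """Both sides of the dialogue as (who, line) pairs, as seen on the wire."""
    challenge = challenge or make_challenge("mx.example")
    resp = client_response(username, password, challenge)
    ok = verify_response(resp, challenge, stored)
    return [
        ("S", b"+ " + base64.b64encode(challenge)),
        ("C", resp),
        ("S", b"235 Authentication successful" if ok else b"535 Authentication failed"),
    ]
```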
