Dovecot mail-crypt webmail can't read encrypted messages
Jochen Bern
Jochen.Bern at binect.de
Tue Oct 11 17:04:54 UTC 2022
On 11.10.22 18:04, John Tulp wrote:
> in mitigating such risk, why not go for the "low hanging fruit" by
> simply not storing passwords on disk in clear text ? unless there is
> some reason why clear text passwords actually have to be written to
> disk.
Authentication schemes like CRAM-MD5 require the server to have the
plaintext password *available* for / prior to the authentication (it is
therefore usually called a "shared secret" instead).
Before you ask, one benefit from using such schemes is that the password
does not have to go through the wire, not even inside encryption (that a
MitM may or may not be able to crack), so it's not a clear all-out FAIL
to use those.
Whether the password is still in cleartext *when written to / read from
disk* is another question, but that would be a negligible defense
against someone who rooted your server.
Kind regards,
--
Jochen Bern
Systemingenieur
Binect GmbH
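The CRAM-MD5 exchange described above, as an added worked example that is not part of the thread or of Dovecot's code: the client proves knowledge of the password by computing HMAC-MD5 over a fresh server challenge, and the server can only check that by recomputing the same HMAC, which is exactly why it must hold the shared secret rather than a one-way hash. The user name, password, host name and the one-way hash store are constructed for the example; the challenge shape follows RFC 2195.

```python
import base64
import hashlib
import hmac
import os
import secrets

# Constructed sample credential store for this example: the server keeps the
# shared secret itself, which is what CRAM-MD5 verification requires.
SHARED_SECRETS = {"alice": "correct horse battery staple"}


def make_challenge(hostname: str = "mail.example.test") -> bytes:
    """Server side: a fresh, unique challenge in the RFC 2195 '<...@host>' shape."""
    return f"<{os.getpid()}.{secrets.token_hex(8)}@{hostname}>".encode()


def client_response(username: str, password: str, challenge: bytes) -> str:
    """Client side: prove knowledge of the password without transmitting it.

    digest = HMAC-MD5(key=password, msg=challenge); the wire format is
    base64("<username> <hex digest>").
    """
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{username} {digest}".encode()).decode()


def _split_response(response_b64: str):
    """Decode the client response into (username, hex digest), or None if malformed."""
    try:
        decoded = base64.b64decode(response_b64, validate=True).decode()
        username, digest = decoded.split(" ", 1)
    except (ValueError, UnicodeDecodeError):
        return None
    return username, digest


def server_verify(response_b64: str, challenge: bytes, secrets_db: dict) -> bool:
    """Server side: recompute the HMAC with the stored shared secret and compare."""
    parsed = _split_response(response_b64)
    if parsed is None:
        return False
    username, digest = parsed
    password = secrets_db.get(username)
    if password is None:
        return False
    expected = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    # Constant-time comparison so verification timing leaks nothing about the digest.
    return hmac.compare_digest(expected, digest)


def one_way_store(secrets_db: dict) -> dict:
    """Conventional password storage: salted one-way hash, password not recoverable."""
    store = {}
    for user, password in secrets_db.items():
        salt = secrets.token_bytes(16)
        store[user] = salt + hashlib.sha256(salt + password.encode()).digest()
    return store


def hash_only_verify(response_b64: str, challenge: bytes, hash_db: dict) -> bool:
    """What a server holding only one-way hashes can do with a CRAM-MD5 response.

    It cannot recover the password, so the best it can do is key the HMAC with
    the material it has, which never matches what the client computed.
    """
    parsed = _split_response(response_b64)
    if parsed is None or parsed[0] not in hash_db:
        return False
    username, digest = parsed
    attempt = hmac.new(hash_db[username], challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(attempt, digest)


if __name__ == "__main__":
    chal = make_challenge()
    resp = client_response("alice", SHARED_SECRETS["alice"], chal)
    print("shared-secret store verifies legitimate login:",
          server_verify(resp, chal, SHARED_SECRETS))
    print("one-way-hash store verifies legitimate login:",
          hash_only_verify(resp, chal, one_way_store(SHARED_SECRETS)))
```

The second verifier is the point of the example: with a salted SHA-256 on disk, a legitimate client's response is rejected, so a server offering CRAM-MD5 has no choice but to keep password-equivalent material. Dovecot's own `CRAM-MD5` password scheme stores the precomputed inner/outer HMAC-MD5 states instead of the literal password, which avoids the word "cleartext" but is still equivalent to it for anyone who can read the file.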