On 05/10/2014 04:27 PM, Brian J. Rogers wrote:
> I know this isn't exactly "linux" but I'm still hoping someone here might
> know.
>
> When it comes to postfix/dovecot, how secure is plain password? I assume
> from the name it means that it is just a plaintext password sent over the
> wire. Is that really what it is?
>
> Does anyone know of a good tutorial that I can follow to set up a mail
> server with postfix and dovecot that will cover SSL/TLS with encrypted
> passwords?
>
> I need to set up a mail server but I'd like for it to be relatively secure.
PLAIN authentication is most often used because it works well with LDAP and Kerberos backends (though SMTP and IMAP can both use Kerberos tickets directly). There are many ways of encrypting and hashing passwords, and even on Linux we've had MD5 in the olden days, and SHA1 as well (/etc/shadow). PLAIN allows postfix or dovecot to interface with any backend password store. Otherwise you'd need a dedicated password store just for postfix and dovecot.

As Richard said, you can and should use TLS or SSL to encrypt the entire channel.

Some resources that might help:

http://wiki.centos.org/HowTos/postfix_sasl
http://wiki2.dovecot.org/Authentication
http://postfix.state-of-mind.de/patrick.koetter/smtpauth/smtp_auth_mailclients.html

I have postfix and dovecot up and running (using a mysql database for user information rather than the local password file). I can certainly share relevant parts of my config.

/* PLUG: http://plug.org, #utah on irc.freenode.net Unsubscribe: http://plug.org/mailman/options/plug Don't fear the penguin. */
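To make the two points in the reply concrete (PLAIN really is the password in the clear, and TLS is what protects it), here is an added example that is not part of the original thread and not anyone's posted config. It decodes a SASL PLAIN initial response the way RFC 4616 defines it, pulls credentials out of a constructed cleartext SMTP capture, and audits small Postfix main.cf and Dovecot fragments for the settings that decide whether PLAIN can ever be sent outside TLS (smtpd_tls_auth_only / smtpd_tls_security_level on the Postfix side, disable_plaintext_auth / ssl on the Dovecot side). The user name, password, host name and config snippets are all made up for the example.

```python
"""
Added example, not from the PLUG thread: what SASL PLAIN looks like on the
wire, and an audit of the Postfix/Dovecot settings that control whether that
exchange is allowed outside TLS.  Captures and configs below are constructed.
"""
import base64
import re


def encode_sasl_plain(authcid: str, passwd: str, authzid: str = "") -> str:
    """RFC 4616 PLAIN initial response: [authzid] NUL authcid NUL passwd, base64."""
    return base64.b64encode(f"{authzid}\x00{authcid}\x00{passwd}".encode()).decode()


def decode_sasl_plain(initial_response: str):
    """Return (authzid, authcid, password); anyone on the path can do this."""
    parts = base64.b64decode(initial_response).split(b"\x00")
    if len(parts) != 3:
        raise ValueError("malformed PLAIN response")
    return tuple(p.decode("utf-8") for p in parts)


# Constructed capture of a submission session where the client never ran STARTTLS.
# The AUTH line is exactly what a sniffer sees: base64, not encryption.
SMTP_CAPTURE = """\
220 mail.example.org ESMTP Postfix
EHLO laptop
250-mail.example.org
250-STARTTLS
250-AUTH PLAIN LOGIN
250 8BITMIME
AUTH PLAIN AGJyaWFuAGh1bnRlcjI=
235 2.7.0 Authentication successful
"""


def credentials_in_capture(capture: str):
    """Decode every AUTH PLAIN initial response visible in a cleartext capture."""
    found = []
    for line in capture.splitlines():
        m = re.match(r"AUTH PLAIN (\S+)", line, re.I)
        if m:
            _, user, passwd = decode_sasl_plain(m.group(1))
            found.append((user, passwd))
    return found


def parse_kv(text: str) -> dict:
    """Parse 'key = value' lines (Postfix main.cf / Dovecot conf style)."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf


def audit_postfix(main_cf: str) -> list:
    """Flag settings that let smtpd offer AUTH before the channel is encrypted."""
    c = parse_kv(main_cf)
    findings = []
    if c.get("smtpd_sasl_auth_enable", "no") != "yes":
        return findings  # no SASL offered at all, nothing to leak
    if c.get("smtpd_tls_security_level", "") in ("", "none"):
        findings.append("smtpd_tls_security_level: TLS not enabled, AUTH is always in the clear")
    if c.get("smtpd_tls_auth_only", "no") != "yes":
        findings.append("smtpd_tls_auth_only = no: AUTH PLAIN is offered before STARTTLS")
    return findings


def audit_dovecot(conf: str) -> list:
    """Flag settings that let IMAP/POP3 accept PLAIN/LOGIN on a non-TLS connection."""
    c = parse_kv(conf)
    findings = []
    if c.get("disable_plaintext_auth", "yes") != "yes":
        findings.append("disable_plaintext_auth = no: PLAIN/LOGIN accepted without TLS")
    if c.get("ssl", "yes") == "no":
        findings.append("ssl = no: clients cannot negotiate TLS at all")
    return findings


# Weak fragment beside the corrected one (constructed; not a real server's config).
WEAK_POSTFIX = """
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_tls_security_level = may
smtpd_tls_auth_only = no
"""
HARDENED_POSTFIX = WEAK_POSTFIX.replace("smtpd_tls_auth_only = no", "smtpd_tls_auth_only = yes")

WEAK_DOVECOT = """
auth_mechanisms = plain login
disable_plaintext_auth = no   # lets a client send the password unencrypted
ssl = yes
"""
HARDENED_DOVECOT = """
auth_mechanisms = plain login
disable_plaintext_auth = yes  # PLAIN only after TLS (or from localhost)
ssl = required
"""

if __name__ == "__main__":
    print("leaked:", credentials_in_capture(SMTP_CAPTURE))
    print("postfix:", audit_postfix(WEAK_POSTFIX), audit_postfix(HARDENED_POSTFIX))
    print("dovecot:", audit_dovecot(WEAK_DOVECOT), audit_dovecot(HARDENED_DOVECOT))
```

With the hardened settings a client that tries AUTH before STARTTLS does not even see AUTH advertised by Postfix, and Dovecot answers a cleartext PLAIN attempt with an error instead of checking the password, so the mysql/LDAP backend never sees a credential that crossed the wire unprotected. The defaults assumed in the audit functions (Postfix auth_only off, Dovecot plaintext auth disabled) are the documented defaults for those daemons; check your own version's documentation before relying on them.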
