On Tue, 2025-08-12 at 08:47 +1000, Viktor Dukhovni via Postfix-users wrote:

> Don't. They address completely the wrong threat model. Transmission
> confidentiality is better handled with TLS. And with PLAIN the server
> stores only password hashes, while with CRAM-MD5 it stores password
> cleartext. So unless your users are issued strongly random
> server-specific passwords (like all my "PLAIN" users) that they'd never
> reuse for any other purpose, you should avoid CRAM-MD5, ... and stick to
> PLAIN.
More complicated than that, though. I just have /etc/sasl2/smtpd.conf using "auxprop_plugin: sasldb", and sasldb only provides plaintext passwords. As emphasized at https://web.mit.edu/darwin/src/modules/passwordserver_sasl/cyrus_sasl/doc/sysadmin.html

----
For simplicity's sake, the Cyrus SASL library stores plaintext passwords only in the /etc/sasldb2 database. These passwords are then shared among all mechanisms which choose to use it. Depending on the exact database method used (gdbm, ndbm, or db) the file may have different suffixes or may even have two different files ("sasldb.dir" and "sasldb.pag"). It is also possible for a server to define its own way of storing authentication secrets. Currently, no application is known to do this.

The principal problem for a system administrator is to make sure that sasldb is properly protected; only the servers that need to read it to verify passwords should be able to. If there are any normal shell users on the system, they must not be able to read it. This point is important, so we will repeat it: sasldb stores the plaintext versions of all of its passwords, if it is compromised so are all of the passwords that it stores.
----

In my case, the client is gnome evolution mail, the server is postfix, and the database is sasldb2. I'm not sure what you mean by "with PLAIN the server stores only password hashes", so I'm curious how you achieved that. Otherwise PLAIN just uses plaintext passwords and is nothing special.

On a related point, I later noticed that the mechanism list *must* be specified in *both* postfix at smtpd_sasl_mechanism_filter= *and* at /etc/sasl2/smtpd.conf, mech_list:, where I was missing DIGEST-MD5. Including DIGEST-MD5 in /etc/sasl2/smtpd.conf, gnome evolution can use that too, and it works. Lots of details to track.

Some of this is academic, since we would presume "handled with TLS" anyway.
Still, I very much agree with 'users are issued strongly random server-specific passwords (like all my "PLAIN" users) that they'd never reuse for any other purpose', for only the port 465 server, or for only any other server using SASL.

James
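As an added illustration of the storage point in Viktor's quoted remark (example code written for this page, not from the thread, Cyrus SASL or Postfix): a server verifying PLAIN (RFC 4616) can keep only a salted hash, whereas verifying CRAM-MD5 (RFC 2195) requires recomputing an HMAC keyed with the password itself, so the server must hold the plaintext or a password-equivalent key. The account, password and challenge below are constructed sample values.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample account (not a real credential).
USER = "james"
PASSWORD = "correct horse battery staple"
# Constructed CRAM-MD5 challenge in the usual msg-id style.
SAMPLE_CHALLENGE = b"<1234.1755000000@mail.example>"


def pbkdf2_hash(password: str, salt: bytes = b"") -> tuple[bytes, bytes]:
    """Derive what a PLAIN server stores: a random salt plus a slow hash, never the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


def plain_client_msg(user: str, password: str) -> bytes:
    """RFC 4616 PLAIN: base64(authzid NUL authcid NUL passwd); authzid left empty."""
    return base64.b64encode(b"\0" + user.encode() + b"\0" + password.encode())


def plain_server_verify(stored: tuple[bytes, bytes], msg: bytes) -> bool:
    """The client sends the password, so the server can re-hash it and compare against its hash."""
    parts = base64.b64decode(msg).split(b"\0")
    if len(parts) != 3:
        return False
    _authzid, authcid, passwd = parts
    salt, digest = stored
    _, candidate = pbkdf2_hash(passwd.decode(), salt)
    return authcid.decode() == USER and hmac.compare_digest(candidate, digest)


def cram_md5_client_response(challenge: bytes, user: str, password: str) -> str:
    """RFC 2195: response is 'user ' + hex(HMAC-MD5(key=password, msg=challenge))."""
    mac = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return f"{user} {mac}"


def cram_md5_server_verify(stored_plaintext: str, challenge: bytes, response: str) -> bool:
    """Only the MAC crosses the wire, so the server needs the password (the HMAC key) to check it."""
    user, _, mac = response.partition(" ")
    expected = hmac.new(stored_plaintext.encode(), challenge, hashlib.md5).hexdigest()
    return user == USER and hmac.compare_digest(mac, expected)
```

With PLAIN the secret the server keeps is useless for logging in elsewhere; with CRAM-MD5 whatever sasldb holds is the credential itself, which is the reuse risk the quoted advice is about.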