+1 Rock it man..

On 2/15/2012 11:26 AM, Eric Shubert wrote:
As part of the upgrade to vpopmail, we're considering removing clear text passwords from the database. This will improve security, but at the same time remove some (somewhat insecure) capability.

The biggest impact I think this will have is that admins will no longer be able to look up someone's password. In the event that a user loses their password, the administrator would reset the password to something temporary, and the user would subsequently change it to whatever they like. This is the practice followed in many (if not most) other environments.

The other impact will be the elimination of cram-md5 as an authentication option. While this doesn't really make QMT any less secure, it might mean that some clients that were formerly configured to use cram-md5 would fail to work until their configuration options were changed.

I honestly do not have a good feel for which or how many devices may be using cram-md5. There's also a chance that there exist some older devices (old Nokia phones perhaps?) that use cram-md5 and are unable to use TLS/SSL. I do doubt that such devices exist, but there's always that possibility.

In any case, I think it would be prudent for QMT to provide SMTPS (port 465) before or at the same time that cram-md5 support is removed. This is something we've talked about already, so assume that there will be SMTPS capability should cram-md5 (and clear text passwords) be removed.

That's all I have on this at the moment. Any thoughts?
<shubes ducks>



--

David Milholen
Project Engineer
P:501-318-1300
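
An added example (not part of this thread and not vpopmail or QMT code) showing why removing clear text passwords also removes cram-md5: the server must recompute an HMAC keyed with the password itself, which a one-way hash cannot supply. PBKDF2 stands in for whatever hashed format the database would use; the function names, account and password are constructed for illustration.

```python
import base64, hashlib, hmac, os

def cram_md5_response(user, password, challenge):
    """Client side (RFC 2195): base64("user " + hex(HMAC-MD5(key=password, msg=challenge)))."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode())

def verify_cram_md5(response, challenge, secret_db):
    """Server side: must key the HMAC with the same secret the client used."""
    user, _, digest = base64.b64decode(response).decode().rpartition(" ")
    secret = secret_db.get(user)
    if secret is None:
        return False
    expected = hmac.new(secret.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)

def hash_password(password, salt=None):
    """One-way storage (PBKDF2 here as a stand-in, an assumption of this example)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def verify_plain(user, password, hashed_db):
    """PLAIN/LOGIN inside TLS: the server sees the password, so it can hash and compare."""
    entry = hashed_db.get(user)
    if entry is None:
        return False
    salt, stored = entry
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.compare_digest(stored, candidate)

def demo():
    user, password = "alice@example.test", "s3cret-constructed"   # constructed values
    challenge = b"<1234.1329326760@mail.example.test>"            # constructed challenge
    response = cram_md5_response(user, password, challenge)
    salt, stored = hash_password(password)
    return {
        # Works only because the server kept the clear text password.
        "cram_with_cleartext_db": verify_cram_md5(response, challenge, {user: password}),
        # With only the hash stored, the HMAC cannot be recomputed.
        "cram_with_hashed_db": verify_cram_md5(response, challenge, {user: stored.hex()}),
        # PLAIN/LOGIN keeps working against the hashed store.
        "plain_with_hashed_db": verify_plain(user, password, {user: (salt, stored)}),
    }

if __name__ == "__main__":
    print(demo())
```

PLAIN and LOGIN send the password itself, which is why they belong inside TLS, such as the SMTPS listener proposed above.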
