On 09/10/2013 08:06 AM, Johannes Weberhofer wrote:

P.S. Just to be clear, plain-text passwords are required for any
implementation of cram-md5, not just qmail's. That's a weakness which
is inherent in the protocol.

The wiki page says that some (dovecot) implementation stores an
intermediate step of HMAC, so I guess there is another way to do that, too.

I sit corrected. :)
http://wiki2.dovecot.org/HowTo/CRAM-MD5
Again, I don't know offhand. I suspect that it's vpopmail which needs the clear text for its implementation of cram-md5.

If vpopmail can be configured/changed in such a way that it uses a password hash instead of clear text for cram-md5, that would seem to be ideal. I'm not averse to keeping cram-md5, but I think the storage of plain text passwords needs to go bye-bye. I know of several potential users we've lost due to this, and it's simply a bad practice.

I know there are some users who have expressed a preference to keep plain text passwords. It would be nice to have an option whereby they could continue this insecure practice, and I will try to provide this option if it doesn't take too much work. I think the 'stock' QMT should not be configured in this manner though, and someone else may need to do the development to make this possible if I can't come up with an easy way to accommodate it.

--
-Eric 'shubes'
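
The "intermediate step of HMAC" mentioned in this thread, as an added example that is not part of the original message and is not vpopmail or Dovecot code: a server can check a CRAM-MD5 response from the two MD5 contexts left after hashing the key pads, without keeping the password. The function names and sample values are assumptions, and the contexts are held as in-memory `hashlib` objects rather than in Dovecot's on-disk format.

```python
import hashlib
import hmac

BLOCK = 64  # MD5 block size in bytes


def _pad_key(password: bytes) -> bytes:
    # HMAC key preparation (RFC 2104): hash over-long keys, zero-pad to one block.
    if len(password) > BLOCK:
        password = hashlib.md5(password).digest()
    return password.ljust(BLOCK, b"\x00")


def precompute_contexts(password: bytes):
    """Run once when the password is set; the password can then be discarded."""
    key = _pad_key(password)
    inner = hashlib.md5(bytes(b ^ 0x36 for b in key))  # state after key XOR ipad
    outer = hashlib.md5(bytes(b ^ 0x5C for b in key))  # state after key XOR opad
    return inner, outer


def expected_response(contexts, challenge: bytes) -> str:
    """Finish HMAC-MD5 over the challenge using only the saved contexts."""
    inner, outer = (c.copy() for c in contexts)  # copy so the saved state is reusable
    inner.update(challenge)
    outer.update(inner.digest())
    return outer.hexdigest()


def verify(contexts, challenge: bytes, client_digest: str) -> bool:
    """Constant-time comparison of the client's hex digest with the expected one."""
    expected = expected_response(contexts, challenge).encode("ascii")
    return hmac.compare_digest(expected, client_digest.lower().encode("utf-8"))


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    stored = precompute_contexts(b"example-password")
    challenge = b"<12345.1378800000@mail.example.org>"
    client = hmac.new(b"example-password", challenge, hashlib.md5).hexdigest()
    print(verify(stored, challenge, client))
```

The saved contexts are enough to answer any CRAM-MD5 challenge for that account, so they need the same protection as a password for this mechanism. What they avoid is keeping the reusable clear-text password itself on disk.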

