Peter,

If you are using ports 110/143, which are clear-text, then you should switch to 993/995 (if possible, of course).

Ports 993/995 are never intentionally clear-text; they are either TLS or STARTTLS. Many servers/clients can be configured for either, but they cannot be configured for both because the initial protocol sequences are incompatible.

If 993/995 are configured for TLS, you can use PLAIN auth method and not give it another thought. But if configured for STARTTLS, it must be set to "require" STARTTLS rather than just "if available". If you can "require" STARTTLS, then PLAIN auth is secure because the login cannot be sent unencrypted. But if the connection is configured as "STARTTLS if available", then failure to initiate the STARTTLS will result in continuing with a clear text session. In this scenario, a PLAIN auth would be very dangerous.

Hope this helps.

-Andy

On 8/13/2018 11:43 PM, Peter Peltonen wrote:
> Thanks for the suggestions!
>
> So if I have only plain and login auth mechanisms enabled, what does
> that mean in practice security wise?
>
> Any ideas why the error is happening sometimes but not always and why
> aut_cache settings would fix the problem? Is it related to caching
> credentials for different devices / clients for same account?
>
> Best,
> Peter
>
> On Tue, Aug 14, 2018 at 5:52 AM, Eric Broch <ebr...@whitehorsetc.com> wrote:
>> I'd remove DIGEST-MD5 from 'auth_mechanisms'.
>>
>> On 8/13/2018 3:01 PM, Peter Peltonen wrote:
>>>
>>> I have a user with Outlook 2016 having this error appearing in the
>>> Dovecot logs and not being able to login when it occurs
>>>
>>> The strange thing is that if I restart dovecot then the Outlook can
>>> login and no error:
>>>
>>> method=DIGEST-MD5, rip=xxx, lip=yyy, mpid=23280, TLS
>>>
>>> What I have for auth mechanisms in toaster.conf is:
>>>
>>> auth_mechanisms = plain login digest-md5
>>>
>>> I thought it was a dovecot cache issue and I changed
>>>
>>> cache_key=%u
>>>
>>> to
>>>
>>> cache_key=%u%r
>>>
>>> but the problem reappeared after a week.
>>>
>>> This is an old QMT installation on COS5.
>>>
>>> Best,
>>> Peter
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
>>> For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com
>>>
>>
>> --
>> Eric Broch
>> White Horse Technical Consulting (WHTC)
>>
>

--
Andrew W. Swartz, MD
Departments of Emergency Medicine, Family Medicine, and Surgery
Yukon-Kuskokwim Delta Regional Hospital
Bethel, Alaska
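
The difference between "require" STARTTLS and "STARTTLS if available" described in the reply above, modelled as a client-side decision. This is an added example, not part of the original thread; `Policy`, `parse_capabilities`, `decide_plain_auth` and the sample IMAP greetings are hypothetical names and constructed data.

```python
from enum import Enum

class Policy(Enum):                      # hypothetical names, not a real client's API
    IMPLICIT_TLS = "tls"                 # TLS handshake before any protocol bytes
    STARTTLS_REQUIRED = "require"        # abort unless the upgrade succeeds
    STARTTLS_IF_AVAILABLE = "available"  # falls back to clear text on failure

def parse_capabilities(line):
    """Return capability atoms from an IMAP greeting or CAPABILITY response."""
    upper = line.upper()
    start = upper.find("CAPABILITY")
    if start < 0:
        return set()
    # Greeting form is "* OK [CAPABILITY ...] text": stop at the closing bracket.
    return set(upper[start + len("CAPABILITY"):].split("]", 1)[0].split())

def decide_plain_auth(policy, capability_line, upgrade=None):
    """upgrade: None = STARTTLS not tried yet, True = TLS is up, False = attempt failed.
    Returns 'send', 'starttls', 'abort' or 'cleartext'."""
    if policy is Policy.IMPLICIT_TLS or upgrade is True:
        return "send"                    # PLAIN travels inside TLS
    caps = parse_capabilities(capability_line)
    if "STARTTLS" in caps and upgrade is None:
        return "starttls"                # upgrade first, then decide again
    # From here on the session is still clear text.
    if policy is Policy.STARTTLS_REQUIRED:
        return "abort"                   # never send the password unencrypted
    if "LOGINDISABLED" in caps:
        return "abort"                   # server itself refuses clear-text LOGIN
    return "cleartext"                   # the dangerous "if available" fallback

# Constructed sample greetings (not taken from the thread).
OFFERS_TLS = "* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED] ready"
NO_STARTTLS = "* OK [CAPABILITY IMAP4rev1 AUTH=PLAIN] ready"

if __name__ == "__main__":
    for policy in Policy:
        for name, greeting in (("offers", OFFERS_TLS), ("missing", NO_STARTTLS)):
            print(policy.name, name, decide_plain_auth(policy, greeting))
```

Only the "if available" policy ever returns `cleartext`; with "require" the same inputs end in `abort`, so the password never leaves the client unencrypted.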