Yet I believe we have solved this problem:

Remote IMAP/POP3 authentication should be done via STARTTLS or TLS.
Therefore CRAM-MD5 is not necessary and PLAIN or LOGIN auth mechanisms
can be used.

Local authentication (i.e. the webmail server authenticating through
IMAP) can use unsecure connection with PLAIN/LOGIN mechanisms without
substantial risk.

If PLAIN or LOGIN mechanisms are used exclusively, then the cleartext
passwords are not needed and can be set to NULL.

Both IMAP and webmail should be set to use PLAIN or LOGIN mechanisms.

vpopmail should be configured with the '--disable-clear-passwd' option.

Unless I'm missing something, the above steps solve the problem.
Dovecot using cleartext passwords for CRAM-MD5 authentication is not a
bug, it is correct functioning (because the server requires the
cleartext password to authenticate the client).

However, the problem is unsolved for admins who want to serve IMAP/POP3
over an unencrypted channel.  Then they have to maintain CRAM-MD5
capability, which means they must maintain cleartext passwords which do
not exceed 16 characters.  I would argue that this should not be the
default configuration, but rather something that someone can configure
if they desire an especially insecure configuration.


On 10/4/2018 8:00 AM, Remo Mattei wrote:
> +1 
> When I read it.. 
>> On Oct 4, 2018, at 08:10, Andrew Swartz <> wrote:
>> I have ABSOLUTELY NO IDEA what that is supposed to mean.
>> -Andy
>> On 10/4/2018 3:56 AM, Eric Broch wrote:
>>> Here's the answer I got from the Dovecot mailing list concerning the
>>> question of clear text password authentication...not sure how to
>>> implement...ideas? :
>>> On 03.10.2018 23:30, Eric Broch wrote:
>>>> Hello list,
>>>> I run Dovecot with the vpopmail driver and have found that it
>>>> authenticates against the clear text password in the vpopmail
>>>> database. Is there a configuration option either at compile time, link
>>>> time, or a setting in one of the configuration files that tells the
>>>> program to authenticate against the hash instead of the clear text?
>>> Prefix your passwords in vpopmail with {SCHEME} (like,  {CRYPT})
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail:
>>> For additional commands, e-mail:
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> For additional commands, e-mail:

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

Reply via email to