Eric,

What configuration options do you use when compiling vpopmail?

-Andy




On 10/4/2018 9:17 AM, Andrew Swartz wrote:
> Yet I believe we have solved this problem:
> 
> Remote IMAP/POP3 authentication should be done via STARTTLS or TLS.
> Therefore CRAM-MD5 is not necessary and PLAIN or LOGIN auth mechanisms
> can be used.
> 
> Local authentication (i.e. the webmail server authenticating through
> IMAP) can use an unsecure connection with PLAIN/LOGIN mechanisms without
> substantial risk.
> 
> If PLAIN or LOGIN mechanisms are used exclusively, then the cleartext
> passwords are not needed and can be set to NULL.
> 
> Both IMAP and webmail should be set to use PLAIN or LOGIN mechanisms.
> 
> vpopmail should be configured with the '--disable-clear-passwd' option.
> 
> Unless I'm missing something, the above steps solve the problem.
> Dovecot using cleartext passwords for CRAM-MD5 authentication is not a
> bug, it is correct functioning (because the server requires the
> cleartext password to authenticate the client).
> 
> However, the problem is unsolved for admins who want to serve IMAP/POP3
> over an unencrypted channel.  Then they have to maintain CRAM-MD5
> capability, which means they must maintain cleartext passwords which do
> not exceed 16 characters.  I would argue that this should not be the
> default configuration, but rather something that someone can configure
> if they desire an especially insecure configuration.
> 
> -Andy
> 
> 
> 
> On 10/4/2018 8:00 AM, Remo Mattei wrote:
>> +1 
>>
>> When I read it.. 
>>
>>> On Oct 4, 2018, at 08:10, Andrew Swartz <awswa...@acsalaska.net> wrote:
>>>
>>> I have ABSOLUTELY NO IDEA what that is supposed to mean.
>>>
>>> -Andy
>>>
>>>
>>> On 10/4/2018 3:56 AM, Eric Broch wrote:
>>>> Here's the answer I got from the Dovecot mailing list concerning the
>>>> question of clear text password authentication...not sure how to
>>>> implement...ideas? :
>>>>
>>>> On 03.10.2018 23:30, Eric Broch wrote:
>>>>> Hello list,
>>>>>
>>>>> I run Dovecot with the vpopmail driver and have found that it
>>>>> authenticates against the clear text password in the vpopmail
>>>>> database. Is there a configuration option either at compile time, link
>>>>> time, or a setting in one of the configuration files that tells the
>>>>> program to authenticate against the hash instead of the clear text?
>>>>>
>>>>
>>>> Prefix your passwords in vpopmail with {SCHEME} (like,  {CRYPT})
>>>>  
>>>>
>>>>
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
>>>> For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com
>>>>
>>>>
>>>
>>
>>
> 
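
Added example, not part of the original thread: a Python sketch of why CRAM-MD5 forces the server to keep the client's secret while PLAIN (inside TLS) can be checked against a stored hash alone. PBKDF2 stands in for the crypt() hash vpopmail stores, the base64 wrapping of the CRAM-MD5 exchange is omitted, and all function names, users and passwords are constructed for illustration.

```python
import hashlib
import hmac
import os

ITER = 100_000  # PBKDF2 rounds; assumption, stand-in for vpopmail's crypt() hash


def cram_md5_response(user: str, password: str, challenge: bytes) -> str:
    """Client side of CRAM-MD5 (RFC 2195), before base64: 'user hexdigest'."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return f"{user} {digest}"


def server_verify_cram_md5(stored_secret: str, challenge: bytes, response: str) -> bool:
    """The password never crosses the wire, so the server has to recompute
    the HMAC itself and therefore needs the key the client used."""
    _user, _, digest = response.rpartition(" ")
    expected = hmac.new(stored_secret.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected.encode(), digest.encode())


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """What the server keeps when only PLAIN/LOGIN are offered: (salt, hash)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITER)


def server_verify_plain(stored: tuple, sasl_plain: bytes) -> bool:
    """SASL PLAIN (RFC 4616) message: authzid NUL authcid NUL password.
    The password arrives (inside TLS), so hashing and comparing is enough."""
    _authzid, _authcid, password = sasl_plain.split(b"\0")
    salt, expected = stored
    candidate = hashlib.pbkdf2_hmac("sha256", password, salt, ITER)
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    challenge = b"<1234.5678@mail.example.com>"  # constructed sample values
    resp = cram_md5_response("user@example.com", "s3cret-pass", challenge)
    stored = hash_password("s3cret-pass")
    plain_msg = b"\0user@example.com\0s3cret-pass"
    print("CRAM-MD5, cleartext stored:", server_verify_cram_md5("s3cret-pass", challenge, resp))
    print("CRAM-MD5, hash only stored:", server_verify_cram_md5(stored[1].hex(), challenge, resp))
    print("PLAIN, hash only stored:   ", server_verify_plain(stored, plain_msg))
```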
