./configure --prefix=%{vdir} \
        --enable-vpopuser=vpopmail \
        --enable-vpopgroup=vchkpw \
        --enable-libdir=%{_libdir}/mysql \
        --disable-roaming-users \
        --enable-tcprules-prog=/usr/bin/tcprules \
        --enable-tcpserver-file=/etc/tcprules.d/tcp.smtp \
        --enable-make-seekable \
        --enable-clear-passwd \
        --disable-users-big-dir \
        --enable-qmail-ext \
        --disable-ip-alias-domains \
        --enable-auth-module=mysql \
        --disable-passwd \
        --enable-logging=v \
        --enable-log-name=vpopmail \
        --disable-mysql-limits \
        --enable-valias \
        --disable-many-domains \

On 10/5/2018 12:25 PM, Eric Broch wrote:
vpopmail directory = /home/vpopmail
               uid = 89
               gid = 89
     roaming users = OFF --disable-roaming-users   (default)
 password learning = OFF --disable-learn-passwords (default)
     md5 passwords = ON  --enable-md5-passwords    (default)
      file locking = ON  --enable-file-locking     (default)
vdelivermail fsync = OFF --disable-file-sync       (default)
     make seekable = ON  --enable-make-seekable    (default)
      clear passwd = ON  --enable-clear-passwd     (default)
 user dir hashing  = OFF --disable-users-big-dir
address extensions = ON  --enable-qmail-ext
          ip alias = OFF --disable-ip-alias-domains (default)
       auth module = mysql --enable-auth-module=mysql
 mysql replication = OFF --disable-mysql-replication (default)
       sql logging = OFF --disable-sql-logging       (default)
      mysql limits = OFF --disable-mysql-limits      (default)
      MySQL valias = ON  --enable-valias
          auth inc = -I/usr/include/mysql
          auth lib = -L/usr/lib64/mysql  -lmysqlclient -lz -lm
  system passwords = OFF --disable-passwd (default)
        pop syslog = log success and errors including passwords
      auth logging = ON  --enable-auth-logging (default)
one domain per SQL table = --disable-many-domains

On 10/5/2018 11:03 AM, Andrew Swartz wrote:

What configuration options do you use when compiling vpopmail?


On 10/4/2018 9:17 AM, Andrew Swartz wrote:
Yet I believe we have solved this problem:

Remote IMAP/POP3 authentication should be done via STARTTLS or TLS.
Therefore CRAM-MD5 is not necessary and PLAIN or LOGIN auth mechanisms
can be used.

Local authentication (i.e. the webmail server authenticating through
IMAP) can use an unsecure connection with PLAIN/LOGIN mechanisms without
substantial risk.

If PLAIN or LOGIN mechanisms are used exclusively, then the cleartext
passwords are not needed and can be set to NULL.

Both IMAP and webmail should be set to use PLAIN or LOGIN mechanisms.

vpopmail should be configured with the '--disable-clear-passwd' option.

Unless I'm missing something, the above steps solve the problem.
Dovecot using cleartext passwords for CRAM-MD5 authentication is not a
bug, it is correct functioning (because the server requires the
cleartext password to authenticate the client).

However, the problem is unsolved for admins who want to serve IMAP/POP3
over an unencrypted channel.  Then they have to maintain CRAM-MD5
capability, which means they must maintain cleartext passwords which do
not exceed 16 characters.  I would argue that this should not be the
default configuration, but rather something that someone can configure
if they desire an especially insecure configuration.
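
An added illustration of the point in the message above (not part of the thread, and not Dovecot or vpopmail code): CRAM-MD5 verification needs the shared secret on the server, while PLAIN/LOGIN can be checked against a stored hash. PBKDF2 stands in for the stored hash scheme as an assumption, and the function names and sample values are constructed for the example.

```python
import hashlib
import hmac
import os

def cram_md5_response(password: str, challenge: bytes) -> str:
    """Client side of CRAM-MD5 (RFC 2195): hex HMAC-MD5 keyed with the password."""
    return hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()

def server_check_cram_md5(stored_cleartext, challenge: bytes, response: str) -> bool:
    """The server recomputes the same HMAC, so it needs the shared secret itself."""
    if stored_cleartext is None:      # clear text password set to NULL
        return False                  # nothing left to key the HMAC with
    expected = cram_md5_response(stored_cleartext, challenge)
    return hmac.compare_digest(expected, response)

def hash_password(password: str, salt: bytes = None) -> tuple:
    """Stand-in for the stored hash (assumption: PBKDF2, not vpopmail's own scheme)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def server_check_plain(stored: tuple, presented_password: str) -> bool:
    """PLAIN/LOGIN: the client sends the password (inside TLS); a hash suffices."""
    salt, digest = stored
    candidate = hash_password(presented_password, salt)[1]
    return hmac.compare_digest(candidate, digest)

def demo() -> dict:
    password = "correct horse"                      # constructed sample
    challenge = b"<1234.5678@mail.example.test>"    # constructed sample
    response = cram_md5_response(password, challenge)
    stored_hash = hash_password(password)
    return {
        "cram_with_cleartext": server_check_cram_md5(password, challenge, response),
        "cram_without_cleartext": server_check_cram_md5(None, challenge, response),
        "plain_with_hash_only": server_check_plain(stored_hash, password),
        "plain_wrong_password": server_check_plain(stored_hash, "wrong"),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```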


On 10/4/2018 8:00 AM, Remo Mattei wrote:

When I read it..

On Oct 4, 2018, at 08:10, Andrew Swartz wrote:

I have ABSOLUTELY NO IDEA what that is supposed to mean.


On 10/4/2018 3:56 AM, Eric Broch wrote:
Here's the answer I got from the Dovecot mailing list concerning the
question of clear text password authentication...not sure how to
implement...ideas? :

On 03.10.2018 23:30, Eric Broch wrote:
Hello list,

I run Dovecot with the vpopmail driver and have found that it
authenticates against the clear text password in the vpopmail
database. Is there a configuration option either at compile time, link
time, or a setting in one of the configuration files that tells the
program to authenticate against the hash instead of the clear text?

Prefix your passwords in vpopmail with {SCHEME} (like, {CRYPT})


Eric Broch
White Horse Technical Consulting (WHTC)
