Agreed.

-Andy


On 10/5/2018 10:40 AM, Remo Mattei wrote:
> My suggestion is to give an option to select which one the user wants to 
> install. 
> 
> So maybe we have one version with clear and one without, which means the 
> script will need to prompt you to select 
> 
> Remo 
> 
>> On Oct 5, 2018, at 11:35, Eric Broch <ebr...@whitehorsetc.com> wrote:
>>
>> actual:
>>
>> vdir=/home/vpopmail
>>
>> ./configure --prefix=%{vdir} \
>>         --enable-vpopuser=vpopmail \
>>         --enable-vpopgroup=vchkpw \
>>         --enable-libdir=%{_libdir}/mysql \
>>         --disable-roaming-users \
>>         --enable-tcprules-prog=/usr/bin/tcprules \
>>         --enable-tcpserver-file=/etc/tcprules.d/tcp.smtp \
>>         --enable-make-seekable \
>>         --enable-clear-passwd \
>>         --disable-users-big-dir \
>>         --enable-qmail-ext \
>>         --disable-ip-alias-domains \
>>         --enable-auth-module=mysql \
>>         --disable-passwd \
>>         --enable-logging=v \
>>         --enable-log-name=vpopmail \
>>         --disable-mysql-limits \
>>         --enable-valias \
>>         --disable-many-domains \
>>         --enable-non-root-build
>>
>>
>> On 10/5/2018 12:25 PM, Eric Broch wrote:
>>> vpopmail directory = /home/vpopmail
>>>                uid = 89
>>>                gid = 89
>>>      roaming users = OFF --disable-roaming-users   (default)
>>>  password learning = OFF --disable-learn-passwords (default)
>>>      md5 passwords = ON  --enable-md5-passwords    (default)
>>>       file locking = ON  --enable-file-locking     (default)
>>> vdelivermail fsync = OFF --disable-file-sync       (default)
>>>      make seekable = ON  --enable-make-seekable    (default)
>>>       clear passwd = ON  --enable-clear-passwd     (default)
>>>  user dir hashing  = OFF --disable-users-big-dir
>>> address extensions = ON  --enable-qmail-ext
>>>           ip alias = OFF --disable-ip-alias-domains (default)
>>>        auth module = mysql --enable-auth-module=mysql
>>>  mysql replication = OFF --disable-mysql-replication (default)
>>>        sql logging = OFF --disable-sql-logging       (default)
>>>       mysql limits = OFF --disable-mysql-limits      (default)
>>>       MySQL valias = ON  --enable-valias
>>>           auth inc = -I/usr/include/mysql
>>>           auth lib = -L/usr/lib64/mysql  -lmysqlclient -lz -lm
>>>   system passwords = OFF --disable-passwd (default)
>>>         pop syslog = log success and errors including passwords
>>>                          --enable-logging=v
>>>       auth logging = ON  --enable-auth-logging (default)
>>> one domain per SQL table = --disable-many-domains
>>>
>>>
>>> On 10/5/2018 11:03 AM, Andrew Swartz wrote:
>>>> Eric,
>>>>
>>>> What configuration options do you use when compiling vpopmail?
>>>>
>>>> -Andy
>>>>
>>>>
>>>>
>>>>
>>>> On 10/4/2018 9:17 AM, Andrew Swartz wrote:
>>>>> Yet I believe we have solved this problem:
>>>>>
>>>>> Remote IMAP/POP3 authentication should be done via STARTTLS or TLS.
>>>>> Therefore CRAM-MD5 is not necessary and PLAIN or LOGIN auth mechanisms
>>>>> can be used.
>>>>>
>>>>> Local authentication (i.e. the webmail server authenticating through
>>>>> IMAP) can use an unsecure connection with PLAIN/LOGIN mechanisms without
>>>>> substantial risk.
>>>>>
>>>>> If PLAIN or LOGIN mechanisms are used exclusively, then the cleartext
>>>>> passwords are not needed and can be set to NULL.
>>>>>
>>>>> Both IMAP and webmail should be set to use PLAIN or LOGIN mechanisms.
>>>>>
>>>>> vpopmail should be configured with the '--disable-clear-passwd' option.
>>>>>
>>>>> Unless I'm missing something, the above steps solve the problem.
>>>>> Dovecot using cleartext passwords for CRAM-MD5 authentication is not a
>>>>> bug, it is correct functioning (because the server requires the
>>>>> cleartext password to authenticate the client).
>>>>>
>>>>> However, the problem is unsolved for admins who want to serve IMAP/POP3
>>>>> over an unencrypted channel.  Then they have to maintain CRAM-MD5
>>>>> capability, which means they must maintain cleartext passwords which do
>>>>> not exceed 16 characters.  I would argue that this should not be the
>>>>> default configuration, but rather something that someone can configure
>>>>> if they desire an especially insecure configuration.
>>>>>
>>>>> -Andy
>>>>>
>>>>>
>>>>>
>>>>> On 10/4/2018 8:00 AM, Remo Mattei wrote:
>>>>>> +1
>>>>>>
>>>>>> When I read it..
>>>>>>
>>>>>>> On Oct 4, 2018, at 08:10, Andrew Swartz <awswa...@acsalaska.net> wrote:
>>>>>>>
>>>>>>> I have ABSOLUTELY NO IDEA what that is supposed to mean.
>>>>>>>
>>>>>>> -Andy
>>>>>>>
>>>>>>>
>>>>>>> On 10/4/2018 3:56 AM, Eric Broch wrote:
>>>>>>>> Here's the answer I got from the Dovecot mailing list concerning the
>>>>>>>> question of clear text password authentication...not sure how to
>>>>>>>> implement...ideas? :
>>>>>>>>
>>>>>>>> On 03.10.2018 23:30, Eric Broch wrote:
>>>>>>>>> Hello list,
>>>>>>>>>
>>>>>>>>> I run Dovecot with the vpopmail driver and have found that it
>>>>>>>>> authenticates against the clear text password in the vpopmail
>>>>>>>>> database. Is there a configuration option either at compile time, link
>>>>>>>>> time, or a setting in one of the configuration files that tells the
>>>>>>>>> program to authenticate against the hash instead of the clear text?
>>>>>>>>>
>>>>>>>> Prefix your passwords in vpopmail with {SCHEME} (like, {CRYPT})
>>>>>>>>
>>>>>>>>
>>>>>>>> --------------------------------------------------------------------- 
>>>>>>>> To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
>>>>>>>> For additional commands, e-mail: 
>>>>>>>> qmailtoaster-list-h...@qmailtoaster.com
>>>>>>>>
>>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>
>>
>> -- 
>> Eric Broch
>> White Horse Technical Consulting (WHTC)
>>
>>
>>
> 
> 
> 
> 
> 
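
The trade-off discussed in this thread, as an added example that is not part of any poster's message: PLAIN/LOGIN can be checked against a one-way hash, while CRAM-MD5 (RFC 2195) makes the server recompute an HMAC keyed by the password. The account, challenge string and the PBKDF2 stand-in for the stored hash are assumptions constructed for illustration.

```python
import base64, hashlib, hmac, os

def store_hashed(password: str) -> tuple[bytes, bytes]:
    """What a server keeps when cleartext storage is disabled: salt + one-way hash.
    PBKDF2-SHA256 is a stand-in for whatever scheme the password database uses."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def verify_plain(sent_password: str, salt: bytes, stored: bytes) -> bool:
    """PLAIN/LOGIN: the client sends the password itself (hence TLS), so the
    server can re-hash it and compare against the stored hash."""
    candidate = hashlib.pbkdf2_hmac("sha256", sent_password.encode(), salt, 100_000)
    return hmac.compare_digest(candidate, stored)

def cram_md5_response(user: str, secret: bytes, challenge: bytes) -> bytes:
    """Client side of CRAM-MD5: base64("user " + hex(HMAC-MD5(secret, challenge)))."""
    digest = hmac.new(secret, challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode())

def verify_cram_md5(response: bytes, challenge: bytes, server_secret: bytes) -> bool:
    """Server side: it must recompute the same HMAC, so it needs the password or
    an equivalent HMAC key on file, not a one-way crypt-style hash."""
    user, _, digest = base64.b64decode(response).decode().rpartition(" ")
    expected = hmac.new(server_secret, challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(digest, expected)

def demo() -> dict:
    user, password = "alice@example.test", "correct horse"   # constructed sample account
    challenge = b"<1896.697170952@mail.example.test>"        # constructed server challenge
    salt, stored = store_hashed(password)
    response = cram_md5_response(user, password.encode(), challenge)
    return {
        "plain_vs_hash": verify_plain(password, salt, stored),
        "plain_wrong_pw": verify_plain("wrong", salt, stored),
        "cram_with_cleartext": verify_cram_md5(response, challenge, password.encode()),
        # With only the one-way hash on file, the server's HMAC key differs from the client's.
        "cram_with_hash_only": verify_cram_md5(response, challenge, stored),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```
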
