Shane Chrisp wrote:
Ro Achterberg wrote:
You will need to enable plain text passwords in the database to be
able to use cram-md5.
In dovecot-sql.conf, I tried setting default_pass_scheme to both PLAIN
and PLAIN-MD5, but none of which seemed to work. I'm probably missing
Did you perhaps mean to have vpopmail store the user passwords in
plain text? I'm just checking, because to me it seems to lower
security and it seems to defeat the purpose of working with hashed
passwords. Could you please confirm this?
Yes, thats what I meant by my comment. You need the plain text passwords
in the vpopmail database. Having plain text passwords in the database
doesn't necessarily lower the security as your database can be on a host
which is not accessable to anything by the authenticating machine.
cram-md5 is a bit outdated. It has two weaknesses, the first of which
you've identified, which is that passwords need to be stored in plain
text. This is unsuitable for some environments. The second weakness is
md5 itself, which is vulnerable in a few different ways (see
I believe that currently the best approach to secure connections is to
use TLS/SSL along with either plain or login authentication methods.
# Disable LOGIN command and all other plaintext authentications unless
# SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP
# matches the local IP (ie. you're connecting from the same computer), the
# connection is considered secure and plaintext authentication is allowed.
#disable_plaintext_auth = no
disable_plaintext_auth = yes
You'll also need to configure TLS/SSL.