>> Did you perhaps mean to have vpopmail store the user passwords in
>> plain text? I'm just checking, because to me it seems to lower
>> security and it seems to defeat the purpose of working with hashed
>> passwords. Could you please confirm this?
>
> Yes, that's what I meant by my comment. You need the plain text passwords
> in the vpopmail database. Having plain text passwords in the database
> doesn't necessarily lower the security as your database can be on a host
> which is not accessible to anything but the authenticating machine.
>

Just to elaborate on the point, CRAM-MD5 authentication REQUIRES that the passwords be stored as plaintext, as that's the only way to verify the MD5 hash provided by the client. The server sends the seed string, the client concatenates the seed and password (and maybe username, don't remember), and sends the MD5 hash of that. The server then concats the seed it sent with the known plaintext password and compares the MD5 hash it comes up with to that which the client sends.
It's a tradeoff - keeping plaintext passwords on a (hopefully) secure server vs allowing the client to send the password in plaintext over the network (though possibly over an encrypted channel). I like it, but YMMV.

Josh

Joshua Megerman
SJGames MIB #5273 - OGRE AI Testing Division
You can't win; You can't break even; You can't even quit the game.
- Layman's translation of the Laws of Thermodynamics
vpopm...@honorablemenschen.com
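The challenge/response exchange described above, as an added example in Python that is not part of this thread or of vpopmail. The actual CRAM-MD5 mechanism (RFC 2195) uses HMAC-MD5 keyed with the password over the server's challenge rather than a plain hash of seed plus password, so the example implements the RFC form; the hostname and the credential store are constructed, and the store holds the password in the clear because that is the only input from which the server can recompute the client's digest.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Constructed sample credential store. A salted one-way hash would be useless
# here: the server must key HMAC-MD5 with the password itself (or an HMAC
# context precomputed from it) to reproduce what the client sends.
USERS = {"alice": "correct horse battery staple"}


def make_challenge(hostname="mail.example.invalid"):
    """Server: an RFC 2195 style challenge, '<random.timestamp@host>'."""
    return f"<{secrets.randbelow(10**9)}.{int(time.time())}@{hostname}>"


def encode(text):
    """Both sides: CRAM-MD5 messages travel base64 encoded on the wire."""
    return base64.b64encode(text.encode()).decode()


def decode(b64):
    return base64.b64decode(b64.encode()).decode()


def client_response(username, password, challenge_b64):
    """Client: HMAC-MD5 keyed with the password over the decoded challenge."""
    challenge = decode(challenge_b64)
    digest = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return encode(f"{username} {digest}")


def verify(response_b64, challenge, users=USERS):
    """Server: recompute the digest from the stored password; compare in constant time."""
    try:
        username, digest = decode(response_b64).split(" ", 1)
    except ValueError:
        return False  # malformed response
    password = users.get(username)
    if password is None:
        return False  # unknown user: no secret to key the HMAC with
    expected = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def run_exchange(username, password):
    """Full exchange: server challenge, client response, server verdict."""
    challenge = make_challenge()
    response = client_response(username, password, encode(challenge))
    return verify(response, challenge)
```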