At 16:29 11-12-2009, Eric Shubert wrote:
Shane Chrisp wrote:
Ro Achterberg wrote:

You will need to enable plain text passwords in the database to be able to use cram-md5.

In dovecot-sql.conf, I tried setting default_pass_scheme to both PLAIN and PLAIN-MD5, but none of which seemed to work. I'm probably missing the point.

Did you perhaps mean to have vpopmail store the user passwords in plain text? I'm just checking, because to me it seems to lower security and it seems to defeat the purpose of working with hashed passwords. Could you please confirm this?
Yes, thats what I meant by my comment. You need the plain text passwords in the vpopmail database. Having plain text passwords in the database doesn't necessarily lower the security as your database can be on a host which is not accessable to anything by the authenticating machine.

cram-md5 is a bit outdated. It has two weaknesses, the first of which you've identified, which is that passwords need to be stored in plain text. This is unsuitable for some environments. The second weakness is md5 itself, which is vulnerable in a few different ways (see

I believe that currently the best approach to secure connections is to use TLS/SSL along with either plain or login authentication methods.

In dovecot.conf:
# Disable LOGIN command and all other plaintext authentications unless
# SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP
# matches the local IP (ie. you're connecting from the same computer), the
# connection is considered secure and plaintext authentication is allowed.
#disable_plaintext_auth = no
disable_plaintext_auth = yes

You'll also need to configure TLS/SSL.

-Eric 'shubes'

Hi Eric,

Thanks for your reply. I totally agree with you on the weaknesses of (CRAM-)MD5. I'll be offering both CRAM-MD5 and TLS/SSL secured connections, as per your suggestion.

Bye, Ro


Reply via email to