At 16:29 11-12-2009, Eric Shubert wrote:
Shane Chrisp wrote:
Ro Achterberg wrote:
Yes, that's what I meant by my comment. You need the plain text
passwords in the vpopmail database. Having plain text passwords in
the database doesn't necessarily lower the security as your
database can be on a host which is not accessible to anything but
the authenticating machine.
You will need to enable plain text passwords in the database to
be able to use cram-md5.
In dovecot-sql.conf, I tried setting default_pass_scheme to both
PLAIN and PLAIN-MD5, neither of which seemed to work. I'm
probably missing the point.
Did you perhaps mean to have vpopmail store the user passwords in
plain text? I'm just checking, because to me it seems to lower
security and it seems to defeat the purpose of working with hashed
passwords. Could you please confirm this?
cram-md5 is a bit outdated. It has two weaknesses, the first of
which you've identified, which is that passwords need to be stored
in plain text. This is unsuitable for some environments. The second
weakness is md5 itself, which is vulnerable in a few different ways.
I believe that currently the best approach to secure connections is
to use TLS/SSL along with either plain or login authentication methods.
# Disable LOGIN command and all other plaintext authentications unless
# SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP
# matches the local IP (ie. you're connecting from the same computer), the
# connection is considered secure and plaintext authentication is allowed.
#disable_plaintext_auth = no
disable_plaintext_auth = yes
You'll also need to configure TLS/SSL.
Thanks for your reply. I totally agree with you on the weaknesses of
(CRAM-)MD5. I'll be offering both CRAM-MD5 and TLS/SSL secured
connections, as per your suggestion.
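The trade-off Eric describes, as an added example that is not part of this thread or of Dovecot/vpopmail's own code: a CRAM-MD5 exchange can only be verified by a server that holds the plaintext password, whereas PLAIN or LOGIN carried inside TLS lets the server keep only a salted hash. PBKDF2-SHA256 stands in for a Dovecot salted scheme (an assumption for illustration); the challenge and credentials are the example values from RFC 2195.

```python
import hashlib
import hmac
import secrets

# Constructed sample values: the challenge, user and secret are the ones used in
# RFC 2195's worked CRAM-MD5 example.
CHALLENGE = b"<1896.697170952@postoffice.reston.mci.net>"
USER = "tim"
PASSWORD = "tanstaaftanstaaf"


def cram_md5_response(user: str, password: str, challenge: bytes) -> str:
    """Client side of CRAM-MD5: HMAC-MD5 over the challenge, keyed with the password."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return f"{user} {digest}"


def verify_cram_md5(stored_password: str, challenge: bytes, response: str) -> bool:
    """Server side of CRAM-MD5. The server must recompute the same HMAC, so the
    HMAC key, i.e. the user's password, has to be available in clear in the
    password database (a PLAIN scheme in dovecot-sql/vpopmail). A salted hash
    cannot be used here, which is the weakness Eric and Ro discuss."""
    _user, _, digest = response.partition(" ")
    expected = hmac.new(stored_password.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def hash_password(password: str, salt: bytes = b"") -> str:
    """Store only a salted, iterated hash. PBKDF2-SHA256 is a stand-in (assumption)
    for a Dovecot salted scheme; the principle is the same for any of them."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return f"pbkdf2${salt.hex()}${digest.hex()}"


def verify_plain(stored: str, presented_password: str) -> bool:
    """Server side of PLAIN/LOGIN: the client sends the password itself (which is
    why it must only travel inside TLS, cf. disable_plaintext_auth = yes), so the
    server can check it against a hash instead of keeping the password in clear."""
    _scheme, salt_hex, digest_hex = stored.split("$")
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.pbkdf2_hmac("sha256", presented_password.encode(), salt, 100_000)
    return hmac.compare_digest(digest.hex(), digest_hex)
```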