Hello Dovecot community,

Question: if my user database and Dovecot installation are currently set up to use plain login passwords, and I want to convert to CRAM-MD5, after I configure Dovecot accordingly and reset the passwords into CRAM-MD5, if anyone uses the plain login method again in the future, will it still work? Or must they always, from this point on, use encrypted passwords? Thanks.

-- 
Thanks,

Fabian S.

OpenPGP:

0x643082042DC83E6D94B86C405E3DAA18A1C22D8F (new key)
0x3C3FA072ACCB7AC5DB0F723455502B0EEB9070FC (to be retired / revoked)
> On 23 April 2018 at 16:14 "Fabian A. Santiago" <fsantiago at garbage-juice.com> wrote:
>
> Hello Dovecot community,
>
> Question: if my user database and Dovecot installation are currently set up to use plain login passwords, and I want to convert to CRAM-MD5, after I configure Dovecot accordingly and reset the passwords into CRAM-MD5, if anyone uses the plain login method again in the future, will it still work? Or must they always, from this point on, use encrypted passwords? Thanks.

Do not use CRAM-MD5/DIGEST-MD5 mechanisms if you are using an SSL/TLS connection. PLAIN/LOGIN is usually sufficiently secure over encrypted transport, and STARTTLS is required over the plaintext port too.

In general, CRAM-MD5 is designed to authenticate over insecure transport.

Aki

> --
> Thanks,
>
> Fabian S.
>
> OpenPGP:
>
> 0x643082042DC83E6D94B86C405E3DAA18A1C22D8F (new key)
> 0x3C3FA072ACCB7AC5DB0F723455502B0EEB9070FC (to be retired / revoked)
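For reference, the setup Aki describes (PLAIN/LOGIN offered only once the connection is encrypted, with STARTTLS enforced on the plaintext ports) corresponds to the Dovecot settings below. This is an added illustration, not configuration posted in the thread; the certificate and key paths are placeholders.

```conf
# conf.d/10-auth.conf
# Refuse PLAIN/LOGIN on connections that are not yet encrypted, so a
# client cannot hand over its password before STARTTLS has completed.
disable_plaintext_auth = yes
# Offer only mechanisms that transmit the password itself. Behind TLS
# this is adequate, and these mechanisms verify against any password
# scheme stored in the passdb, so they keep working after a scheme change.
auth_mechanisms = plain login

# conf.d/10-ssl.conf
# Require TLS for every client connection: on 143/110 the client must
# issue STARTTLS before Dovecot will advertise AUTH=PLAIN.
ssl = required
# Placeholder paths; point these at the real certificate and key.
ssl_cert = </etc/ssl/certs/mail.example.com.pem
ssl_key = </etc/ssl/private/mail.example.com.key
```

After reloading, `doveadm auth test user@example.com` exercises the passdb directly, and connecting with `openssl s_client -starttls imap -connect mail.example.com:143` lets you confirm that AUTH=PLAIN appears in the CAPABILITY response only after the TLS handshake.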
On April 23, 2018 9:45:22 AM EDT, Aki Tuomi <aki.tuomi at dovecot.fi> wrote:

>> On 23 April 2018 at 16:14 "Fabian A. Santiago" <fsantiago at garbage-juice.com> wrote:
>>
>> Hello Dovecot community,
>>
>> Question: if my user database and Dovecot installation are currently set up to use plain login passwords, and I want to convert to CRAM-MD5, after I configure Dovecot accordingly and reset the passwords into CRAM-MD5, if anyone uses the plain login method again in the future, will it still work? Or must they always, from this point on, use encrypted passwords? Thanks.
>
> Do not use CRAM-MD5/DIGEST-MD5 mechanisms if you are using an SSL/TLS connection. PLAIN/LOGIN is usually sufficiently secure over encrypted transport, and STARTTLS is required over the plaintext port too.
>
> In general, CRAM-MD5 is designed to authenticate over insecure transport.
>
> Aki
>
>> --
>> Thanks,
>>
>> Fabian S.
>>
>> OpenPGP:
>>
>> 0x643082042DC83E6D94B86C405E3DAA18A1C22D8F (new key)
>> 0x3C3FA072ACCB7AC5DB0F723455502B0EEB9070FC (to be retired / revoked)

OK, I am using TLS and have always been doing so. So I'll leave it alone then. Thanks for your thoughts.

-- 
Fabian A. Santiago

OpenPGP:

0x643082042dc83e6d94b86c405e3daa18a1c22d8f (current key)
0x3c3fa072accb7ac5db0f723455502b0eeb9070fc (to be retired / revoked)