>>>>> Aki Tuomi <aki.tuomi at dovecot.fi>:
> On 2017-03-25 17:54, Steinar Bang wrote:
>> This is a PAM module that listens for password changes, and will update
>> the MD5 password for a user, in a file that dovecot can read, when the
>> user's password is changed:
>> https://github.com/steinarb/pam_dovecotmd5pwd
>>
>> Caveat emptor! (Works for me...! :-) )
> Maybe you could update the PAM module to upgrade user's passwords to
> something safer than MD5? Like SSHA515 or CRYPT-SHA512? =)
Is it possible to do CRAM[1] with any of these encryption methods?
And, if so: are these encryption methods widely supported by clients?
The essential part for me was to have something widely supported by
clients, where the password isn't transferred over the wire as part of
the authentication
The last time I looked cram-md5 was the only candidate for not
transferring the password in cleartext during authentication (and with
dovecot cram-md5 requires a special passwd file, which is why I wrote
this pam module in the first place).
References:
[1] <https://en.wikipedia.org/wiki/Challenge?response_authentication>