Professa Dementia wrote on 2013-05-12 14:40:
> On 5/12/2013 4:17 AM, Steinar Bang wrote:
>> I prefer not to use clear text passwords, even over an encrypted
>> connection.
> Why? Enforce the encrypted link by not allowing unencrypted
> connections. The simplest is iptables to block ports 110 and 143,
> while allowing 993 and 995.

Why not disable 110 and 143 in Dovecot? It's a waste, at least in firewalls, to not provide service on blocked IPs :)

> As long as the underlying SSL/TLS connection utilizes strong
> mechanisms, everything in the connection is secure, including passwords.

Plain passwords have no problem traversing SSL/TLS, but it might still be possible to store unencrypted cookies in webmail, so this question is still valid; but this is not a Dovecot problem to resolve, more like removing such a badly written webmail client first.

> CRAM adds complexity, without adding security if the connection is
> already secure.

Yes, avoid PAM auth; use Unix auth if they are Unix mailboxes, and set up e.g. postfixadmin for virtual users; follow the README in there and it is mostly done with all possible powers of Dovecot / Postfix (postfixadmin does not really need Postfix, but an SQL MTA that can make the same queries in SQL).

> Just make sure that you have something like fail2ban to block or slow
> down dictionary and brute force attacks and make sure you use strong
> passwords.

Seen on SSL/TLS ports?
--
Senders that put my email into body content will deliver it to my own
trashcan, so if you would like to get a reply, don't do it.
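As an added illustration, not taken from any message in this thread, of the point argued above (turn off the plaintext listeners in Dovecot itself instead of, or in addition to, firewalling them): a Dovecot 2.x configuration fragment that stops listening on 143 and 110, keeps the TLS listeners on 993 and 995, and refuses to accept credentials on any connection that is not encrypted. The directive names are standard Dovecot settings; the certificate and key paths are placeholders.

```conf
# Added example (not from the thread): Dovecot 2.x settings, e.g. split across
# conf.d/10-ssl.conf, conf.d/10-auth.conf and conf.d/10-master.conf.
# Certificate and key paths below are placeholders.

# TLS is mandatory for every client session.
ssl = required
ssl_cert = </etc/ssl/certs/mail.example.org.pem
ssl_key = </etc/ssl/private/mail.example.org.key

# Never accept a password on a connection that has not negotiated TLS.
disable_plaintext_auth = yes
# PLAIN/LOGIN are enough once the transport is encrypted; CRAM-MD5 adds
# nothing here (and would require storing reversible or CRAM-specific hashes).
auth_mechanisms = plain login

service imap-login {
  # port = 0 disables the listener entirely, so nothing answers on 143.
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}

service pop3-login {
  # Same for POP3: nothing answers on 110, only pop3s on 995.
  inet_listener pop3 {
    port = 0
  }
  inet_listener pop3s {
    port = 995
    ssl = yes
  }
}
```

Check the result with `doveconf -n` after reloading. Note that `ssl = required` together with `disable_plaintext_auth = yes` already makes Dovecot refuse authentication on 143/110 until the client has issued STARTTLS, so an alternative is to leave those ports open for STARTTLS-capable clients; setting `port = 0` is the stricter choice that also turns those clients away. Either way, the iptables rule suggested in the thread becomes a defence-in-depth layer rather than the only thing standing between a plaintext listener and the network.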