On 12/06/2014 02:35 AM, Nick Edwards wrote:
> On 12/5/14, ML mail <mlnos...@yahoo.com> wrote:
>> Hello,
>>
>> I am wondering which variant is more secure for user authentication and
>> password scheme. Basically I am looking at both variants:
>>
>> 1) MD5-CRYPT password scheme storage with CRAM-MD5 auth mechanism
>> 2) SHA512-CRYPT password scheme storage with PLAIN auth mechanism
>>
>> In my opinion the option 2) should be safer although it is using PLAIN auth
>> mechanism. Of course I would always use STARTTLS and not allow unencrypted
>> connection.
>
> That's not exactly a true statement. If you offer STARTTLS, encryption is
> optional; if you mean not allowing unencrypted connections, then you are
> forcing TLS, not STARTTLS, since the latter is designed to accept
> unencrypted connections and then _try_ to upgrade to encryption if possible,
> and if not, stay unencrypted.

If you add the disable_plaintext_auth=yes and ssl=required settings, then Dovecot will drop authentication without STARTTLS. But the damage will be done: the client will send the login/password unencrypted (or, in this scenario, as an MD5 or SHA512 hash).
http://wiki2.dovecot.org/SSL

>> What is your opinion?
>>
> Number 2, as the other poster said, without hesitation and for the reasons he said.

+1

--
Jan Wideł
Senior System Administrator
e-mail: jan.wi...@networkers.pl
mobile: +48 797 004 946
www: http://www.networkers.pl
GPG: http://networkers.pl/GPG/2E7359CD.asc
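As an added example (not from the thread or the Dovecot project), a dovecot.conf fragment contrasting the "STARTTLS merely offered" state Nick describes with the forced-TLS, SHA512-CRYPT setup the thread recommends; certificate paths and the passwd-file location are assumed:

```conf
# --- weak: STARTTLS is offered but optional, auth reachable in the clear ---
# ssl = yes                     # advertises STARTTLS, still accepts unencrypted sessions
# disable_plaintext_auth = no   # PLAIN/LOGIN accepted before any TLS upgrade
# auth_mechanisms = plain cram-md5

# --- hardened: TLS must be established before any authentication ---
ssl = required                  # non-TLS sessions cannot authenticate at all
ssl_cert = </etc/dovecot/certs/imap.example.org.pem   # assumed path
ssl_key  = </etc/dovecot/private/imap.example.org.key # assumed path
disable_plaintext_auth = yes    # PLAIN is neither advertised nor accepted until TLS is up
auth_mechanisms = plain         # PLAIN over TLS only; CRAM-MD5 would need the password
                                # (or a CRAM-MD5 scheme secret) stored server-side, not a crypt hash

passdb {
  driver = passwd-file
  # assumed user database; each line is  user:{SHA512-CRYPT}$6$...  and the
  # hash can be produced with:  doveadm pw -s SHA512-CRYPT
  args = scheme=SHA512-CRYPT username_format=%u /etc/dovecot/users
}
```

After reloading, a client that tries LOGIN or AUTH PLAIN on a port without TLS is refused rather than merely warned, which is the point Nick makes about the difference between offering STARTTLS and requiring TLS.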