On 19.6.2019 7.48, Alexander Dalloz via dovecot wrote:
> On 19.06.2019 at 00:04, Jorge Bastos via dovecot wrote:
>> Howdy,
>>
>> I'm using dovecot and mysql users, and I'm creating the password with:
>>
>> ENCRYPT('some-passwd',CONCAT('$6$', SUBSTRING(SHA(RAND()), -16)))
>>
>> So far so good, everything's fine.
>> Today I saw that I didn't enable CRAM-MD5, but if I do, and the (at least)
>> IMAP client (roundcube/thunderbird/etc) issues CRAM-MD5 it doesn't
>> authenticate.
>> What am I doing wrong, or what can be done so that all types work (SASL
>> PLAIN LOGIN + CRAM-MD5)?
>>
>> Thanks in advance,
>>
>
> For shared secret mechanisms like CRAM-MD5 to work the password must
> be stored in plaintext AFAIK. That's a good reason not to offer that.
>
> Alexander
>

CRAM-MD5 can also be stored as a stage 1 MD5 hashed blob. Only marginally better than plaintext. But as pointed out, CRAM-MD5 and DIGEST-MD5 cannot work with crypted passwords.

If you want to use "secure passwords", SCRAM-SHA1 is an option, but probably the best is to disable mechs other than 'PLAIN' and 'LOGIN' unless you know what you are doing.

Aki
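
Added example, not part of the original thread and not Dovecot's code: a Python sketch of the CRAM-MD5 check (HMAC-MD5 over the server challenge), assuming "stage 1" means the two MD5 states left after absorbing the key pads. It shows that the server can verify from those states alone, and that the same states answer any challenge, which is why they must be protected like the plaintext, while a one-way `$6$` crypt hash gives the server no usable HMAC key. Function names and sample values are constructed for illustration.

```python
import hashlib
import hmac

BLOCK = 64  # MD5 block size in bytes


def cram_md5_response(password: bytes, challenge: bytes) -> str:
    """Client side: hex HMAC-MD5 of the server challenge, keyed by the password."""
    return hmac.new(password, challenge, hashlib.md5).hexdigest()


def stage1_contexts(password: bytes):
    """Precompute the MD5 states after absorbing key^ipad and key^opad."""
    key = hashlib.md5(password).digest() if len(password) > BLOCK else password
    key = key.ljust(BLOCK, b"\0")
    inner = hashlib.md5(bytes(b ^ 0x36 for b in key))
    outer = hashlib.md5(bytes(b ^ 0x5C for b in key))
    return inner, outer


def response_from_stage1(contexts, challenge: bytes) -> str:
    """Finish HMAC-MD5 from the stored states; the password is never used."""
    inner, outer = (c.copy() for c in contexts)
    inner.update(challenge)
    outer.update(inner.digest())
    return outer.hexdigest()


def server_verify(contexts, challenge: bytes, client_digest: str) -> bool:
    """Server side: constant-time compare against the recomputed response."""
    return hmac.compare_digest(response_from_stage1(contexts, challenge), client_digest)


if __name__ == "__main__":
    password = b"some-passwd"                       # constructed sample secret
    challenge = b"<1234.5678@mail.example.test>"    # constructed sample challenge
    stored = stage1_contexts(password)              # in-memory stand-in for the stored blob
    print(server_verify(stored, challenge, cram_md5_response(password, challenge)))
    print(server_verify(stored, challenge, cram_md5_response(b"wrong", challenge)))
```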