Howdy,

Answering all: so CRAM-MD5 is old, I don't want it then!
I only noticed Thunderbird using this as default, so I won't implement it!

Thanks for the clarification,

-----Original Message-----
From: dovecot <dovecot-boun...@dovecot.org> On Behalf Of Aki Tuomi via dovecot
Sent: 19 June 2019 07:31
To: Alexander Dalloz <ad+li...@uni-x.org>; dovecot@dovecot.org
Subject: Re: Help on CRAM-MD5


On 19.6.2019 7.48, Alexander Dalloz via dovecot wrote:
> On 19.06.2019 at 00:04, Jorge Bastos via dovecot wrote:
>> Howdy,
>>
>> I'm using dovecot and mysql users, and I'm creating the password with:
>>
>> ENCRYPT('some-passwd',CONCAT('$6$', SUBSTRING(SHA(RAND()), -16)))
>>
>> So far so good, everything's fine.
>> Today I saw that I hadn't enabled CRAM-MD5, but if I do, and the (at
>> least) IMAP client (roundcube/thunderbird/etc) issues CRAM-MD5, it
>> doesn't authenticate.
>> What am I doing wrong, or what can be done so that all types work
>> (SASL PLAIN LOGIN + CRAM-MD5)?
>>
>> Thanks in advance,
>>
>
> For shared secret mechanisms like CRAM-MD5 to work the password must 
> be stored in plaintext AFAIK. That's a good reason not to offer that.
>
> Alexander
>

CRAM-MD5 can also be stored as a stage 1 MD5 hashed blob. Only marginally better
than plaintext. But as pointed out, CRAM-MD5, DIGEST-MD5 cannot work with
crypted passwords. If you want to use "secure passwords", SCRAM-SHA1 is an
option, but probably best is to disable other than 'PLAIN' and 'LOGIN' mech
unless you know what you are doing.


Aki
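
Added example, not part of the original thread: a Python sketch of the CRAM-MD5 exchange (RFC 2195, using that RFC's sample user, secret and challenge) showing why a server holding only a salted one-way hash cannot verify the response. Assumptions: the salted SHA-512 value is a constructed stand-in for a `$6$` crypt entry, and the pre-keyed HMAC object is an in-memory analogy for the "stage 1" blob, not Dovecot's storage format.

```python
import base64
import hashlib
import hmac

def cram_md5_digest(secret: bytes, challenge: bytes) -> str:
    """RFC 2195: hex HMAC-MD5 of the challenge, keyed with the shared secret."""
    return hmac.new(secret, challenge, hashlib.md5).hexdigest()

def client_response(user: str, secret: bytes, challenge_b64: bytes) -> bytes:
    """What the client sends back: base64("<user> <hex digest>")."""
    challenge = base64.b64decode(challenge_b64)
    return base64.b64encode(f"{user} {cram_md5_digest(secret, challenge)}".encode())

def server_verify(stored, challenge: bytes, response_b64: bytes) -> bool:
    """Verify using whatever the password database holds for the user.

    `stored` is either bytes (used directly as the HMAC key) or an HMAC
    object that has already absorbed the key (the pre-keyed state).
    """
    _user, _, digest = base64.b64decode(response_b64).decode().partition(" ")
    if isinstance(stored, bytes):
        expected = cram_md5_digest(stored, challenge)
    else:
        ctx = stored.copy()        # keep the stored state reusable
        ctx.update(challenge)
        expected = ctx.hexdigest()
    return hmac.compare_digest(expected, digest)

# Sample values from RFC 2195, section 2.
USER, SECRET = "tim", b"tanstaaftanstaaf"
CHALLENGE = b"<1896.697170952@postoffice.reston.mci.net>"

def demo() -> dict:
    resp = client_response(USER, SECRET, base64.b64encode(CHALLENGE))
    # Constructed stand-in for a salted one-way hash such as a $6$ crypt entry:
    # the server cannot get back from this value to the HMAC key the client used.
    one_way = hashlib.sha512(b"constructed-salt" + SECRET).hexdigest().encode()
    # Key absorbed once, password itself discarded; still password-equivalent
    # for CRAM-MD5, because it is all that is needed to answer any challenge.
    prekeyed = hmac.new(SECRET, digestmod=hashlib.md5)
    return {
        "plaintext": server_verify(SECRET, CHALLENGE, resp),
        "one_way_hash": server_verify(one_way, CHALLENGE, resp),
        "prekeyed_state": server_verify(prekeyed, CHALLENGE, resp),
    }

if __name__ == "__main__":
    print(demo())
```

With PLAIN or LOGIN the server receives the password itself and can run it through the same one-way hash as the stored entry, which is why those mechanisms work with the `$6$` hashes from the original question.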

