On 20/06/2019 at 11:59, @lbutlr via dovecot wrote:
> On 20 Jun 2019, at 02:53, FUSTE Emmanuel via dovecot <dovecot@dovecot.org> wrote:
>> There is plenty of context where TLS is not possible/desirable.
> I’d say that is terrible advice. There are no reasonable contexts where it is
> acceptable to send mail credentials without encryption. My users have had
> to use STARTTLS for submission for many many years. Insecure connections from
> users are not an option.

Please, don't make me say what I did not say. I used the word "context". I did not talk about "sending mail credentials", nor did I talk about the Internet. And even with that, don't restrict the world to your use case. The world is not the Internet only, too. And SASL, and by extension the CRAM-MD5 mech, is not used only in email scenarios/protocols.

Even in the email scenario, I have to deal with equipment (scanners/copiers) not able to do TLS, or not able to deal with a private CA and insisting on verifying the SMTP server cert to send email, or with broken or outdated SSL implementations, etc. They support CRAM-MD5. It is still better than clear text. I have more than 4000 of such class of equipment behind my servers, each having its problems, bugs, limitations... Yes, in 2019... I won't even talk to you about the thousands of proprietary, outdated, custom, buggy (and combine all as you want) applications that I have to deal with...

Emmanuel.