On 2024-12-22 01:42, Peter via Postfix-users wrote:
>>
>> What's worth mentioning is that PLAIN/LOGIN also requires cleartext
>> password storage - on the client side.
>
> This is not entirely true. It is possible for a client to store
> passwords in an encrypted db which is decrypted with its own password or

Usually, when talking about cleartext storage, it's only about the possibility of recovering passwords. For the server side, you can have FDE, data-at-rest encryption in the database and even your own encryption enrolled for some backend to decrypt using its own key, and yet you won't pass any compliance audit. A client holding the cleartext will eventually decrypt it, and it is still vulnerable to accepting an invalid server certificate, TLS downgrade or some local client app tracing. I recovered account passwords this way several months ago; they were stored on office scanners/printers, various scripts spread all over the servers, etc., and it was simply easier to harvest them on a redirected mail gateway than to actually find all of these systems...

> key. It is true, however, that for ALL mechs some sort of
> authentication token must be available in plain text at some point on
> the client side.

I've mentioned exactly this in the previously mentioned OAuth2 context.

_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
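As an added example (not from this thread or the Postfix documentation), here is a Postfix SMTP-client configuration that shows the weak settings beside hardened ones for the situation discussed above: the client must keep the relay password in cleartext, so the remaining risk is sending it over an unverified or downgraded session. The relay host, CA file and map path are placeholders.

```conf
# Added example: Postfix as an SMTP *client* authenticating to a relay
# with a stored password. relay.example.net, the CA file and the map
# path are placeholders.
#
# --- Weak: the password map is cleartext on disk, and PLAIN/LOGIN may be
# used before TLS is up or with a server whose certificate is not verified.
#   relayhost = [relay.example.net]:587
#   smtp_sasl_auth_enable = yes
#   smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
#   smtp_sasl_security_options = noanonymous
#   smtp_tls_security_level = may
#
# --- Hardened: the map is still cleartext (that is the point of the
# thread), so limit the exposure: never offer a plaintext mechanism unless
# the session is already TLS with a verified server certificate, and refuse
# to fall back to an unencrypted session at all.
relayhost = [relay.example.net]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
# Without TLS: no plaintext mechanisms (PLAIN/LOGIN are refused).
smtp_sasl_security_options = noplaintext, noanonymous
# With TLS: plaintext mechanisms are acceptable once the channel is protected.
smtp_sasl_tls_security_options = noanonymous
# Require TLS and verify the server certificate against the CA file;
# "secure" also matches the server name, so a downgrade attempt or a forged
# certificate results in deferred mail rather than a leaked password.
smtp_tls_security_level = secure
smtp_tls_CAfile = /etc/ssl/certs/relay-ca.pem
```

Keep /etc/postfix/sasl_passwd and the generated .db owned by root with mode 0600, since anyone who can read them has the password regardless of the settings above.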