Eric,

Why wouldn't it be possible to keep the plaintext password field in the vpopmail database, but protect it? I would think you could compile vpopmail to keep the cleartext passwords, but then create an additional user in the DB (an "admin" user) and restrict rights to view that field to the admin user. (NOTE: You still have to have write permission to that field from the vpopmail user so that updates/changes can be recorded).

Just an idea...

Dan McAllister

On 9/10/2013 12:39 PM, Eric Shubert wrote:
On 09/10/2013 08:06 AM, Johannes Weberhofer wrote:

P.S. Just to be clear, plain-text passwords are required for any
implementation of cram-md5, not just qmail's. That's a weakness which
is inherent in the protocol.

The wiki page says that some (dovecot) implementation stores an
intermediate step of HMAC, so I guess there is another way to do that, too.

I sit corrected. :)
http://wiki2.dovecot.org/HowTo/CRAM-MD5
Again, I don't know offhand. I suspect that it's vpopmail which needs the clear text for its implementation of cram-md5.

If vpopmail can be configured/changed in such a way that it uses a password hash instead of clear text for cram-md5, that would seem to be ideal. I'm not averse to keeping cram-md5, but I think the storage of plain text passwords needs to go bye-bye. I know of several potential users we've lost due to this, and it's simply a bad practice.

I know there are some users who have expressed a preference to keep plain text passwords. It would be nice to have an option whereby they could continue this insecure practice, and I will try to provide this option if it doesn't take too much work. I think the 'stock' QMT should not be configured in this manner though, and someone else may need to do the development to make this possible if I can't come up with an easy way to accommodate it.



--

PLEASE TAKE NOTE OF OUR NEW ADDRESS
===================================
IT4SOHO, LLC
33 - 4th Street N, Suite 211
St. Petersburg, FL 33701-3806

CALL TOLL FREE:
  877-IT4SOHO

877-484-7646 Phone
727-647-7646 Local
727-490-4394 Fax

We have support plans for QMail!

