[Dovecot] Looking for a good way to manage passwords for CRAM-MD5
Noel
noeldude at gmail.com
Tue May 14 22:44:42 EEST 2013
On 5/14/2013 12:39 PM, /dev/rob0 wrote:
> On Sun, May 12, 2013 at 05:40:10AM -0700, Professa Dementia wrote:
>> On 5/12/2013 4:17 AM, Steinar Bang wrote:
>>> I prefer not to use clear text passwords, even over an encrypted
>>> connection.
>> Why? Enforce the encrypted link by not allowing unencrypted
>> connections. The simplest is iptables to block ports 110 and 143,
>> while allowing 993 and 995.
> I don't understand this advice. Why would someone who is apparently
> interested in heightened transport security restrict himself to the
> older generation SSL v.2, which was long ago superceded by TLS v.1?
Forcing the connection to 993/995 does not imply SSLv2. TLSv1.[012]
is still negotiated. There is no decrease in security.
> http://en.wikipedia.org/wiki/Transport_Layer_Security#SSL_1.0.2C_2.0_and_3.0
> http://wiki2.dovecot.org/SSL
>
> Quoting from the latter page:
>
> "Some admins want to require SSL/TLS, but don't realize that this is
> also possible with STARTTLS (Dovecot has disable_plaintext_auth=yes
> and ssl=required settings)."
It's not unreasonable to disable the plaintext ports to minimize the
possibility of a fat-fingered accident.
-- Noel Jones
More information about the dovecot
mailing list