> On March 26, 2017 at 2:24 PM Steinar Bang <s...@dod.no> wrote:
>
>
> >>>>> Aki Tuomi <aki.tu...@dovecot.fi>:
>
> > On 2017-03-25 17:54, Steinar Bang wrote:
> >> This is a PAM module that listens for password changes, and will update
> >> the MD5 password for a user, in a file that dovecot can read, when the
> >> user's password is changed:
> >> https://github.com/steinarb/pam_dovecotmd5pwd
> >>
> >> Caveat emptor! (Works for me...! :-) )
>
> > Maybe you could update the PAM module to upgrade user's passwords to
> > something safer than MD5? Like SSHA515 or CRYPT-SHA512? =)
>
> Is it possible to do CRAM[1] with any of these encryption methods?
> And, if so: are these encryption methods widely supported by clients?
>
> The essential part for me was to have something widely supported by
> clients, where the password isn't transferred over the wire as part of
> the authentication
>
> The last time I looked cram-md5 was the only candidate for not
> transferring the password in cleartext during authentication (and with
> dovecot cram-md5 requires a special passwd file, which is why I wrote
> this pam module in the first place).
>
> References:
> [1] <https://en.wikipedia.org/wiki/Challenge–response_authentication>

Is there some reason you cannot protect your users with TLS/SSL? Using CRAM-MD5 is not a very secure option, since you have to store the password in clear text. Plain MD5 is almost plaintext these days.

Aki
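
The CRAM-MD5 exchange discussed in this thread, as an added example that is not part of the original messages: it shows both sides of the exchange and why a server that keeps only a salted one-way hash cannot verify the response. The user, password and challenge are the sample values from RFC 2195; the function names are assumptions made for this sketch.

```python
import base64
import hashlib
import hmac

def make_challenge(msg_id: str) -> bytes:
    """Server -> client: base64 of a unique, message-id style string."""
    return base64.b64encode(msg_id.encode())

def cram_md5_digest(secret: bytes, b64_challenge: bytes) -> str:
    """hex(HMAC-MD5(secret, challenge)); both sides must be able to compute this."""
    challenge = base64.b64decode(b64_challenge)
    return hmac.new(secret, challenge, hashlib.md5).hexdigest()

def client_response(user: str, password: str, b64_challenge: bytes) -> bytes:
    """Client -> server: base64("user hexdigest"). The password itself is not sent."""
    digest = cram_md5_digest(password.encode(), b64_challenge)
    return base64.b64encode(f"{user} {digest}".encode())

def server_verify(secret: bytes, b64_challenge: bytes, b64_response: bytes):
    """Return the user name if the response matches the secret the server holds."""
    user, _, digest = base64.b64decode(b64_response).decode().rpartition(" ")
    expected = cram_md5_digest(secret, b64_challenge)
    return user if hmac.compare_digest(expected.encode(), digest.encode()) else None

def salted_sha512(password: str, salt: bytes) -> bytes:
    """A salted one-way hash, standing in for what a salted SHA-512 store keeps."""
    return hashlib.sha512(password.encode() + salt).digest()

# Sample values from the example exchange in RFC 2195.
USER, PASSWORD = "tim", "tanstaaftanstaaf"
CHALLENGE = make_challenge("<1896.697170952@postoffice.reston.mci.net>")
RESPONSE = client_response(USER, PASSWORD, CHALLENGE)

if __name__ == "__main__":
    print("S: +", CHALLENGE.decode())
    print("C:", RESPONSE.decode())
    # A server holding the shared secret can recompute the HMAC and accept.
    print("password on server:", server_verify(PASSWORD.encode(), CHALLENGE, RESPONSE))
    # A server holding only a salted hash (constructed salt) has no key to
    # recompute the HMAC with, so the same valid response is rejected.
    hashed = salted_sha512(PASSWORD, b"constructed-salt")
    print("salted hash on server:", server_verify(hashed, CHALLENGE, RESPONSE))
```

Whatever value the server stores for CRAM-MD5 is enough to compute valid responses, so a leaked credential file lets its holder authenticate without cracking anything.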