Thanks

-----Original Message-----
From: Aki Tuomi [mailto:aki.tu...@dovecot.fi]
Sent: Friday, 1 September 2017 2:15 AM
To: dovecot@dovecot.org; Raymond Sellars
Subject: Re: Mixed Authentication and password schemes

> The above note suggests I can't use DIGEST-MD5 with master password
> configuration, if using more than one passdb setup. I don't understand why
> there would be a restriction as the password validation should just fall
> through irrespective.
>

Because CRAM-MD5 is bothersome. Do you really need it? It's not really necessary with SSL.

[Raymond] Unfortunately yes, part of the ONC 2015 Edition requirements. As you say, it's not really needed but more one of those tick-the-compliance-boxes items.

> Problem #2 How do I enforce some kind of account access policy
>
> As a worst case does Dovecot implement any type of account access policies?
> Our IT security reviewers are hot on account policies, i.e. lockouts,
> expiries, and back off attempts.
>

You can use https://wiki2.dovecot.org/Authentication/Policy to implement complex requirements. Other than that, dovecot will deter brute force on its own to some degree.

[Raymond] Thanks, I'll need to upgrade but this definitely addresses the requirement.

> Thanks
> Raymond
> Solution Architect - Orion Health

Aki Tuomi
Dovecot oy