> On 10/02/2025 12:23 EET Rupert Gallagher via dovecot <dovecot@dovecot.org> wrote:
>
> Dovecot aligns the password encryption scheme used by the imap client with
> the password storage scheme used by the server.
>
> Since the default is set to plain text, the client sends the password in
> plain text (tls tunneled), and the server local storage of passwords is a
> plain text file.
>
> For minimum protection, just enough to say you are not using plaintext, you
> can use md5, so the client sends the hashed password and the server's local
> storage is a plain text file containing hashed passwords.
>
> Last year a GDPR commissioner filed a hefty monetary sanction to a company
> because they used md5 to store passwords.
>
> Therefore, Dovecot's plain text default, and the md5 option, are both
> non-GDPR compliant.
>
> To avoid monetary sanctions, Dovecot ought to change how it stores passwords
> by default.
>
> Please do not ignore this message.
You do understand that it's the admin's responsibility to choose a safe password storage, not ours?

Aki
_______________________________________________
dovecot mailing list -- dovecot@dovecot.org
To unsubscribe send an email to dovecot-le...@dovecot.org
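The thread above is about which storage scheme an administrator picks for a Dovecot passwd-file. As an added illustration (this is example code written for this page, not Dovecot's own implementation and not code from either poster), the block below builds passwd-file entries in three of Dovecot's scheme formats and checks passwords against them: PLAIN (the default the first message complains about), PLAIN-MD5 (unsalted hex MD5) and SSHA512 (salted SHA-512, stored as base64 of the digest followed by the salt). The passwd-file line layout (user:{SCHEME}hash) and the three scheme encodings are taken from Dovecot's documented formats; the function names, the sample users and the sample passwords are constructed for the example. The point it makes concrete is the one behind the GDPR complaint: two users with the same password get identical PLAIN-MD5 entries, while SSHA512 entries differ per user because of the salt.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Scheme encodings follow Dovecot's documented formats:
#   {PLAIN}<password>
#   {PLAIN-MD5}<hex md5(password)>              unsalted
#   {SSHA512}<base64(sha512(password||salt)||salt)>  salted
# Function names and sample data are constructed for this example.


def hash_plain(password: str) -> str:
    return "{PLAIN}" + password


def hash_plain_md5(password: str) -> str:
    # No salt: the same password always yields the same entry.
    return "{PLAIN-MD5}" + hashlib.md5(password.encode()).hexdigest()


def hash_ssha512(password: str, salt: Optional[bytes] = None) -> str:
    # Fresh random salt per entry unless the caller pins one (tests do).
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.sha512(password.encode() + salt).digest()
    return "{SSHA512}" + base64.b64encode(digest + salt).decode()


def verify(stored: str, password: str) -> bool:
    """Check a password against one stored {SCHEME}hash field."""
    if not stored.startswith("{"):
        raise ValueError("missing {SCHEME} prefix")
    scheme, _, data = stored[1:].partition("}")
    if scheme == "PLAIN":
        return hmac.compare_digest(data.encode(), password.encode())
    if scheme == "PLAIN-MD5":
        return hmac.compare_digest(
            data, hashlib.md5(password.encode()).hexdigest())
    if scheme == "SSHA512":
        raw = base64.b64decode(data)
        digest, salt = raw[:64], raw[64:]  # SHA-512 digest is 64 bytes
        return hmac.compare_digest(
            digest, hashlib.sha512(password.encode() + salt).digest())
    raise ValueError(f"unsupported scheme {scheme!r}")


def parse_passwd_file(text: str) -> Dict[str, str]:
    """Map user -> password field from passwd-file text.

    Only the first two fields (user and password) are used; the optional
    uid/gid/home/extra fields that Dovecot allows are ignored here.
    """
    users: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, rest = line.partition(":")
        users[user] = rest.split(":", 1)[0]
    return users


def build_sample_file() -> str:
    # Constructed sample: three users, two of whom share a password.
    lines = [
        "alice:" + hash_plain("hunter2"),
        "bob:" + hash_plain_md5("password"),
        "carol:" + hash_plain_md5("password"),
        "dave:" + hash_ssha512("password"),
        "erin:" + hash_ssha512("password"),
    ]
    return "\n".join(lines) + "\n"


def same_password_collides(entries: Dict[str, str], u1: str, u2: str) -> bool:
    """True if two users' stored fields are byte-identical, i.e. an
    attacker reading the file learns they share a password."""
    return entries[u1] == entries[u2]


if __name__ == "__main__":
    entries = parse_passwd_file(build_sample_file())
    for user, field in entries.items():
        print(user, field[:30] + "...", verify(field, "password"))
    print("bob/carol identical:", same_password_collides(entries, "bob", "carol"))
    print("dave/erin identical:", same_password_collides(entries, "dave", "erin"))
```

On a real server you would not hand-roll these hashes: `doveadm pw -s <SCHEME>` produces the stored field, and the same scheme names appear in the passwd-file entries. The salted, iterated schemes Dovecot offers (for example SHA512-CRYPT or BLF-CRYPT) are stronger still than the SSHA512 shown here; the example uses SSHA512 only because its encoding can be reproduced with the standard library.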