I do, Aki. This is not the point, however.

The point is that the default is not GDPR compliant, and a first easy alternative is also not GDPR compliant, and decoupling the user scheme from the server storage scheme is not at all obvious. Adopting a GDPR-compliant default would send out the information that the project cares about legal compliance, and a solution is supported by default.

-------- Original Message --------
On 2/10/25 11:39, Aki Tuomi <aki.tu...@open-xchange.com> wrote:

> > On 10/02/2025 12:23 EET Rupert Gallagher via dovecot <dovecot@dovecot.org> wrote:
> >
> > Dovecot aligns the password encryption scheme used by the imap client with the password storage scheme used by the server.
> >
> > Since the default is set to plain text, the client sends the password in plain text (tls tunneled), and the server local storage of passwords is a plain text file.
> >
> > For minimum protection, just enough to say you are not using plaintext, you can use md5, so the client sends the hashed password and the server's local storage is a plain text file containing hashed passwords.
> >
> > Last year a GDPR commissioner filed a hefty monetary sanction to a company because they used md5 to store passwords.
> >
> > Therefore, Dovecot's plain text default, and the md5 option, are both non-GDPR compliant.
> >
> > To avoid monetary sanctions, Dovecot ought to change how it stores passwords by default.
> >
> > Please do not ignore this message.
>
> You do understand that it's the admin's responsibility to choose a safe password storage, not ours?
>
> Aki
>
> _______________________________________________
> dovecot mailing list -- dovecot@dovecot.org
> To unsubscribe send an email to dovecot-le...@dovecot.org
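A check for the storage-scheme question argued in the thread, added here as an example that is neither Dovecot's own code nor either poster's: it reads Dovecot passwd-file lines, takes the `{SCHEME}` prefix of the password field, and lists the entries stored under a plaintext or fast-hash scheme. The sample lines are constructed, and treating an unprefixed field as CRYPT (the passwd-file default, to my knowledge) is an assumption; confirm the configured scheme with `doveconf -n`.

```python
# Audit a Dovecot passwd-file for weak password storage schemes.
# passwd-file lines: user:{SCHEME}password:uid:gid:gecos:home:shell:extra
# Stored verbatim, as a fast MD5/SHA-based hash (the "plain text" and "md5"
# options the thread is about; SSHA* are salted but single-iteration), or
# as traditional DES crypt.
WEAK_SCHEMES = {
    "PLAIN", "CLEARTEXT", "CLEAR", "PLAIN-TRUNC", "CRYPT", "NTLM", "LANMAN",
    "PLAIN-MD5", "MD5", "MD5-CRYPT", "LDAP-MD5", "SMD5", "SHA", "SHA1",
    "SHA256", "SHA512", "SSHA", "SSHA256", "SSHA512",
}
# libc crypt() modular-format ids: a {CRYPT} or unprefixed field carrying one
# of these is not DES crypt and is classified by its id instead.
MODULAR_CRYPT_IDS = {"1": "MD5-CRYPT", "5": "SHA256-CRYPT", "6": "SHA512-CRYPT",
                     "2a": "BLF-CRYPT", "2b": "BLF-CRYPT", "2y": "BLF-CRYPT"}

def parse_scheme(password_field, default_scheme="CRYPT"):
    """Return (scheme, hash); unprefixed fields use default_scheme (CRYPT assumed)."""
    if password_field.startswith("{") and "}" in password_field:
        prefix, _, rest = password_field[1:].partition("}")
        scheme = prefix.split(".", 1)[0].upper()  # drop the .HEX / .B64 encoding tag
    else:
        scheme, rest = default_scheme.upper(), password_field
    if scheme == "CRYPT" and rest.startswith("$"):
        scheme = MODULAR_CRYPT_IDS.get(rest.split("$")[1], scheme)
    return scheme, rest

def audit_passwd_file(text, default_scheme="CRYPT"):
    """Return [(user, scheme), ...] for entries stored with a weak scheme."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or comment line
        fields = line.split(":")
        if len(fields) < 2:
            raise ValueError(f"line {lineno}: expected user:password[:...]")
        scheme, _ = parse_scheme(fields[1], default_scheme)
        if scheme in WEAK_SCHEMES:
            findings.append((fields[0], scheme))
    return findings

# Constructed sample; hash values are placeholders, not real credentials.
SAMPLE_PASSWD_FILE = """\
alice:{PLAIN}hunter2:1000:1000::/home/alice::
bob:{PLAIN-MD5}0123456789abcdef0123456789abcdef:1001:1001::/home/bob::
carol:{ARGON2ID}$argon2id$v=19$m=65536,t=3,p=1$c2FsdA$placeholder:1002:1002::/home/carol::
dave:{SHA256.HEX}0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef:1003:1003::/home/dave::
erin:$6$saltsalt$placeholder:1004:1004::/home/erin::
frank:abJnggxhB/yWI:1005:1005::/home/frank::
"""
```

Against the sample, alice, bob, dave and frank are reported; carol (ARGON2ID) and erin (a `$6$` SHA512-CRYPT hash under the unprefixed default) pass.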