Thumbs up for that.
It costs nothing and adds value. Can't see any downsides (which might exist, aki might elaborate).
Bitranox


*From:* Rupert Gallagher via dovecot <dovecot@dovecot.org>
*Sent:* Monday, 10 February 2025 at 13:51 CET
*To:* aki.tu...@open-xchange.com <aki.tu...@open-xchange.com>
*Cc:* dovecot <dovecot@dovecot.org>
*Subject:* RE: Dovecot's default password storage scheme is not GDPR compliant


I do, Aki.

This is not the point, however.

The point is that the default is not GDPR compliant, and a first easy 
alternative is also not GDPR compliant, and decoupling the user scheme from the 
server storage scheme is not at all obvious. Adopting a GDPR-compliant default 
would send out the information that the project cares about legal compliance, 
and a solution is supported by default.


-------- Original Message --------
On 2/10/25 11:39, Aki Tuomi <aki.tu...@open-xchange.com> wrote:

> On 10/02/2025 12:23 EET Rupert Gallagher via dovecot <dovecot@dovecot.org> wrote:
>
> Dovecot aligns the password encryption scheme used by the IMAP client with the password storage scheme used by the server.
>
> Since the default is set to plain text, the client sends the password in plain text (TLS tunneled), and the server local storage of passwords is a plain text file.
>
> For minimum protection, just enough to say you are not using plaintext, you can use md5, so the client sends the hashed password and the server's local storage is a plain text file containing hashed passwords.
>
> Last year a GDPR commissioner filed a hefty monetary sanction to a company because they used md5 to store passwords.
>
> Therefore, Dovecot's plain text default, and the md5 option, are both non-GDPR compliant.
>
> To avoid monetary sanctions, Dovecot ought to change how it stores passwords by default.
>
> Please do not ignore this message.
>
You do understand that it's the admin's responsibility to choose a safe password storage, not ours? Aki
_______________________________________________
dovecot mailing list -- dovecot@dovecot.org
To unsubscribe send an email to dovecot-le...@dovecot.org


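As an added example for readers of this thread (it is not Dovecot's code and was not posted by anyone above), the Python below audits a passwd-file in Dovecot's `user:{SCHEME}hash:...` layout for weak storage schemes and then verifies a password, submitted by the client in plaintext inside TLS, against a salted `{SSHA512}` entry. The point it makes is that the scheme on disk is independent of what the client transmits: with the PLAIN or LOGIN SASL mechanism the server hashes the submitted password with the stored salt and compares, so an administrator can move from `{PLAIN}` or an MD5 scheme to `SHA512-CRYPT`, `BLF-CRYPT` or `ARGON2ID` (entries generated with `doveadm pw -s SCHEME`) without touching clients. The weak/ok scheme lists, the sample users and every hash body except erin's are constructed for illustration; the SSHA512 layout used (SHA-512 over password plus salt, salt appended, base64 encoded) follows Dovecot's documented format.

```python
"""Audit Dovecot-style passwd-file entries for weak password schemes and
verify a plaintext-submitted password against a salted hash.

Added example for this thread; it is not Dovecot code. The scheme lists,
users and hash values below are constructed for illustration."""
import base64
import hashlib
import hmac
import os

# Reversible storage or unsalted/fast hashes: a leaked file yields passwords
# directly or through cheap offline guessing.
WEAK_SCHEMES = {
    "PLAIN", "CLEARTEXT", "PLAIN-TRUNC",
    "CRAM-MD5", "DIGEST-MD5", "PLAIN-MD5", "LDAP-MD5", "MD5-CRYPT", "MD5",
    "SHA", "SHA1", "SHA256", "SHA512",
}
# Salted schemes; the *-CRYPT, ARGON2* and PBKDF2 ones also carry a work
# factor and are the migration targets (generate with `doveadm pw -s SCHEME`).
OK_SCHEMES = {
    "SSHA", "SSHA256", "SSHA512", "SHA256-CRYPT", "SHA512-CRYPT", "BLF-CRYPT",
    "ARGON2I", "ARGON2ID", "PBKDF2", "SCRAM-SHA-1", "SCRAM-SHA-256",
}


def parse_entry(line):
    """Split 'user:{SCHEME}hash:...' into (user, scheme or None, hash)."""
    user, pw_field = line.split(":", 2)[:2]
    if pw_field.startswith("{") and "}" in pw_field:
        scheme, digest = pw_field[1:].split("}", 1)
        return user, scheme, digest
    # No prefix: Dovecot reads the field using the passdb's default_pass_scheme.
    return user, None, pw_field


def classify_scheme(scheme):
    """Return 'weak', 'ok', 'none' (no prefix) or 'unknown'."""
    if scheme is None:
        return "none"
    base = scheme.upper().split(".")[0]  # drop a .HEX / .B64 encoding suffix
    if base in WEAK_SCHEMES:
        return "weak"
    if base in OK_SCHEMES:
        return "ok"
    return "unknown"


def audit(lines):
    """Map each user in a passwd-file to the verdict on its stored scheme."""
    report = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, scheme, _ = parse_entry(line)
        report[user] = classify_scheme(scheme)
    return report


def ssha512_hash(password, salt=None):
    """Build a {SSHA512} entry: base64(sha512(password || salt) || salt)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.sha512(password.encode("utf-8") + salt).digest()
    return "{SSHA512}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha512(stored, password):
    """Check a plaintext password (as sent by the client inside TLS) against
    a {SSHA512} entry; the salt is recovered from the entry itself."""
    prefix = "{SSHA512}"
    if not stored.startswith(prefix):
        return False
    raw = base64.b64decode(stored[len(prefix):])
    digest, salt = raw[:64], raw[64:]
    candidate = hashlib.sha512(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


# Constructed sample passwd-file (hash bodies are placeholders except erin's).
SAMPLE_PASSWD_FILE = [
    "# constructed example file",
    "alice:{PLAIN}hunter2:1000:1000::/home/alice",
    "bob:{PLAIN-MD5}5f4dcc3b5aa765d61d8327deb882cf99:1001:1001::/home/bob",
    "carol:{SHA512-CRYPT}$6$constructedsalt$placeholderhash:1002:1002::/home/carol",
    "dave:placeholder-without-scheme-prefix:1003:1003::/home/dave",
    "erin:" + ssha512_hash("s3cret-example", salt=bytes(range(16))) + ":1004:1004::/home/erin",
]

if __name__ == "__main__":
    for user, verdict in audit(SAMPLE_PASSWD_FILE).items():
        print(f"{user:6} {verdict}")
    _, scheme, digest = parse_entry(SAMPLE_PASSWD_FILE[-1])
    print("erin login ok:", verify_ssha512("{" + scheme + "}" + digest, "s3cret-example"))
```

Running it against a real passwd-file (`audit(open(path))`) lists every user whose entry needs re-hashing; entries without a `{SCHEME}` prefix are reported separately because their meaning depends on the passdb's `default_pass_scheme` setting rather than on the file itself.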
