SCRAM-SHA-256/512 could be one.

Aki
> On 10/02/2025 16:13 EET Jochen Bern via dovecot <dovecot@dovecot.org> wrote:
>
>
> On 10.02.25 14:18, Aki Tuomi wrote:
> > I am not sure how we should actually implement this. Do you mean
> > that we should require that you always provide a password scheme
> > for credentials, or require explicit {PLAIN} prefix or what?
> > Everything costs something and has unexpected side-effects, like
> > breaking everyone's master password authentication, in this case.
>
> My deminickel: IIUC (someone correct me if I'm wrong), there still isn't
> any widely available authentication scheme (for SMTP/POP/IMAP) that
> would simultaneously avoid a) some secret being sent to the server upon
> login and b) storing the secret on the server (effectively) in
> plaintext. Depending on implementation details, *either* can qualify as
> a violation of GDPR - or whatever other legislation you're under.
>
> In the case of a), one needs to properly secure the channel through
> which the password is sent (and then some, like scrubbing the memory
> after the OK ...) to avoid the liability. I doubt that it can be
> construed that the dovecot developers are somehow responsible for the
> server operator's duty of keeping the SSL privkey secret, the server
> cert exchanged before expiry, the CA that issued it in the good graces
> of whatever trust anchor set's maintainers, etc. etc..
>
> As it is, a default dovecot installation is appropriate for slapping it
> onto one's laptop, fiddling with only a couple config lines, temporarily
> starting it, and moving a bunch of e-mails to local archive files with
> one's MUA running on the same laptop; trying to install it for a serious
> public-facing mailserver with similar ease SHOULD not succeed IMHO,
> because it'd be proof that the person doing that never spent a thought
> on important design decisions (storage backend yadda yadda ad nauseam).
>
> If it is indeed possible to make all those decisions on the admins'
> behalf and deliver an *actual* turnkey "unwashed Internet access grade"
> variant, feel free to call it "dovecot-ee" or somesuch ...
>
> Kind regards,
> --
> Jochen Bern
> Systemingenieur
>
> Binect GmbH
> _______________________________________________
> dovecot mailing list -- dovecot@dovecot.org
> To unsubscribe send an email to dovecot-le...@dovecot.org
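An added illustration, not part of the thread above, of why SCRAM-SHA-256 addresses both of Jochen's points a) and b): the server keeps only a salted, iterated derivation of the password (StoredKey/ServerKey per RFC 5802/7677), and the client sends a proof rather than the password itself. User name, nonces and iteration count are constructed for the example, and the optional server-signature step and channel binding are left out.

```python
import base64, hashlib, hmac, os

def hi(password: bytes, salt: bytes, iterations: int) -> bytes:
    # Hi() from RFC 5802 is PBKDF2 over HMAC; SCRAM-SHA-256 (RFC 7677) instantiates it with SHA-256.
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations)

def server_enrol(password: str, iterations: int = 4096) -> dict:
    """Credential record the server keeps: salt, i, StoredKey, ServerKey. The password itself is not stored."""
    salt = os.urandom(16)
    salted = hi(password.encode(), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    return {"salt": salt, "i": iterations,
            "stored_key": hashlib.sha256(client_key).digest(),
            "server_key": hmac.new(salted, b"Server Key", hashlib.sha256).digest()}

def auth_message(user: str, cnonce: str, snonce: str, salt: bytes, i: int) -> bytes:
    # AuthMessage = client-first-message-bare "," server-first-message "," client-final-message-without-proof
    nonce = (cnonce + snonce).encode()
    return (f"n={user},r={cnonce}".encode()
            + b",r=" + nonce + b",s=" + base64.b64encode(salt) + b",i=" + str(i).encode()
            + b",c=biws,r=" + nonce)

def client_proof(password: str, user: str, cnonce: str, snonce: str, salt: bytes, i: int) -> bytes:
    """Client side: derives ClientKey from the typed password and sends only ClientProof over the wire."""
    salted = hi(password.encode(), salt, i)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()
    signature = hmac.new(stored_key, auth_message(user, cnonce, snonce, salt, i), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(client_key, signature))

def server_verify(record: dict, proof: bytes, user: str, cnonce: str, snonce: str) -> bool:
    """Server side: recovers ClientKey as proof XOR ClientSignature and checks H(ClientKey) == StoredKey."""
    msg = auth_message(user, cnonce, snonce, record["salt"], record["i"])
    signature = hmac.new(record["stored_key"], msg, hashlib.sha256).digest()
    client_key = bytes(a ^ b for a, b in zip(proof, signature))
    return hmac.compare_digest(hashlib.sha256(client_key).digest(), record["stored_key"])

def run_exchange(enrolled_password: str, typed_password: str, user: str = "alice") -> bool:
    """One complete authentication with constructed nonces (server signature step omitted)."""
    record = server_enrol(enrolled_password)
    cnonce = base64.b64encode(os.urandom(12)).decode()   # constructed client nonce
    snonce = base64.b64encode(os.urandom(12)).decode()   # constructed server nonce
    proof = client_proof(typed_password, user, cnonce, snonce, record["salt"], record["i"])
    return server_verify(record, proof, user, cnonce, snonce)

if __name__ == "__main__":
    print(run_exchange("correct horse", "correct horse"))  # True
    print(run_exchange("correct horse", "wrong"))          # False
```

Note that the stored record still permits an offline dictionary attack by anyone who obtains it, which is why the iteration count and salt matter; what it does not contain is the password, and what crosses the wire is a one-time proof bound to both nonces.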