libsasl + smtp w/o clear passwd storage?

Carson Gaspar carson at taltos.org
Fri Feb 5 16:41:06 EST 2016


On 2/4/16 6:24 PM, Jan Parcel via Cyrus-devel wrote:
> I think there MUST be a way to use libsasl with smtp without storing
> passwords in the clear, and ESPECIALLY not on each local system, but
> nowhere in the docs is an example for how to do so.

This used to be possible using DIGEST-MD5, where the server stores 
MD5(username:realm:password) instead of the plaintext password. This is 
still a password equivalent, but only for the same realm (where you can 
define the realm as a single host, or service, or company, or...).

Sadly, Cyrus SASL removed support for this long ago, and now requires 
the plaintext password be stored for anything other than auth methods 
that send the password in the clear. Nobody ever explained what the 
reasoning was for this change, and it still makes me sad.

-- 
Carson
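A worked example of the scheme Carson describes, added here and not part of the thread or of Cyrus SASL itself: the server stores only MD5(username:realm:password) (the H(A1) core of RFC 2831 DIGEST-MD5) and can still verify a challenge/response. The usernames, realm names, nonces and digest-uri are constructed values; the response computation follows the RFC 2831 formula but omits authzid and message-integrity layers, so it is illustrative rather than a drop-in DIGEST-MD5 implementation.

```python
import hashlib
import secrets


def stored_secret(username: str, realm: str, password: str) -> bytes:
    """What a DIGEST-MD5 server keeps instead of the plaintext password:
    the 16 raw bytes of MD5(username:realm:password). Changing the realm
    changes the stored value, which is why it is only a password
    equivalent within that realm."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode()).digest()


def digest_response(secret: bytes, nonce: str, cnonce: str, digest_uri: str,
                    nc: str = "00000001", qop: str = "auth") -> str:
    """Simplified RFC 2831 response. Note the client computes exactly the
    same value from the password, while the server computes it from the
    stored secret alone: the plaintext password is never needed on the
    server, but whoever holds the secret can answer any challenge for
    this realm (the 'password equivalent' caveat in the post)."""
    ha1 = hashlib.md5(secret + f":{nonce}:{cnonce}".encode()).hexdigest()
    ha2 = hashlib.md5(f"AUTHENTICATE:{digest_uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode()).hexdigest()


def server_verify(secret: bytes, nonce: str, cnonce: str, digest_uri: str,
                  client_response: str) -> bool:
    """Server side: recompute from the stored secret and compare in
    constant time."""
    expected = digest_response(secret, nonce, cnonce, digest_uri)
    return secrets.compare_digest(expected, client_response)


def demo() -> dict:
    # All values below are constructed for the example.
    user, password = "alice", "correct horse battery staple"
    mail_realm, other_realm = "mail.example.com", "other.example.net"
    nonce, cnonce, uri = "srvnonce-1", "clinonce-1", "smtp/mail.example.com"

    # Client side: derives the secret from the password it knows.
    client_resp = digest_response(stored_secret(user, mail_realm, password),
                                  nonce, cnonce, uri)

    # Server side: holds only the hashed secrets, never the password.
    secret_mail = stored_secret(user, mail_realm, password)
    secret_other = stored_secret(user, other_realm, password)

    return {
        "secret_differs_per_realm": secret_mail != secret_other,
        "same_realm_verifies": server_verify(secret_mail, nonce, cnonce, uri, client_resp),
        "other_realm_verifies": server_verify(secret_other, nonce, cnonce, uri, client_resp),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the two properties in the post: the same-realm server verifies the client without ever seeing the plaintext, and the same stored value is useless to a server in a different realm. The trade-off is equally visible in `digest_response`: the server's stored bytes are sufficient to produce a valid response, so the hashed secret store still has to be protected like a credential store, just one whose blast radius is bounded by the realm.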
