libsasl + smtp w/o clear passwd storage?

Carson Gaspar carson at taltos.org
Fri Feb 5 16:54:38 EST 2016


On 2/5/16 1:41 PM, Carson Gaspar via Cyrus-devel wrote:
> On 2/4/16 6:24 PM, Jan Parcel via Cyrus-devel wrote:
>> I think there MUST be a way to use libsasl with smtp without storing
>> passwords in the clear, and ESPECIALLY not on each local system, but
>> nowhere in the docs is an example for how to do so.
>
> This used to be possible using DIGEST-MD5, where the server stores
> MD5(username:realm:password) instead of the plaintext password. This is
> still a password equivalent, but only for the same realm (where you can
> define the realm as a single host, or service, or company, or...).
>
> Sadly, Cyrus SASL removed support for this long ago, and now requires
> the plaintext password be stored for anything other than auth methods
> that send the password in the clear. Nobody ever explained what the
> reasoning was for this change, and it still makes me sad.

Of course, if support were to be added back for non-plaintext password 
storage, it should be for SCRAM. (SCRAM needs to store 
HMAC(Hi(Normalize(password), salt, i), "Client Key"))

-- 
Carson
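The SCRAM storage scheme mentioned above, carried through in code as an added example (not Cyrus SASL code, not the poster's): the server derives SaltedPassword = Hi(Normalize(password), salt, i) once, keeps StoredKey = H(HMAC(SaltedPassword, "Client Key")) plus ServerKey, salt and iteration count per RFC 5802 / RFC 7677, and never the plaintext; the client then proves knowledge of the password with a proof the server can check against StoredKey alone. The older DIGEST-MD5 secret from the quoted reply is included for contrast. Hi() is PBKDF2-HMAC as the RFC defines it; NFKC stands in for SASLprep (an assumption); password, salt, nonces and the AuthMessage below are constructed sample values, not test vectors.

```python
"""SCRAM-SHA-256 server-side password storage and proof verification.

Added illustration of the scheme discussed in the thread; not Cyrus SASL
code.  Standard library only.  All sample values are constructed.
"""
import hashlib
import hmac
import unicodedata

HASH = "sha256"                       # SCRAM-SHA-256 (RFC 7677)
DIGEST_LEN = hashlib.new(HASH).digest_size


def normalize(password: str) -> bytes:
    # RFC 5802 specifies SASLprep; NFKC is a stand-in here (assumption).
    return unicodedata.normalize("NFKC", password).encode("utf-8")


def hi(password: bytes, salt: bytes, iterations: int) -> bytes:
    # Hi() in RFC 5802 is PBKDF2 with HMAC-H as the PRF and dkLen = len(H()).
    return hashlib.pbkdf2_hmac(HASH, password, salt, iterations, DIGEST_LEN)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def derive_stored_credential(password: str, salt: bytes, iterations: int) -> dict:
    """What the server writes to its credential store at enrollment time."""
    salted = hi(normalize(password), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", HASH).digest()
    server_key = hmac.new(salted, b"Server Key", HASH).digest()
    return {
        "salt": salt,
        "iterations": iterations,
        # StoredKey = H(ClientKey).  The server keeps the hash, not ClientKey,
        # so a copy of the store is not enough to forge a client proof.
        "stored_key": hashlib.new(HASH, client_key).digest(),
        "server_key": server_key,
    }


def client_proof(password: str, salt: bytes, iterations: int, auth_message: bytes) -> bytes:
    """ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage), computed by the client."""
    salted = hi(normalize(password), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", HASH).digest()
    stored_key = hashlib.new(HASH, client_key).digest()
    client_signature = hmac.new(stored_key, auth_message, HASH).digest()
    return xor_bytes(client_key, client_signature)


def server_verify(cred: dict, auth_message: bytes, proof: bytes) -> bool:
    """Recover ClientKey from the proof and check H(ClientKey) == StoredKey."""
    client_signature = hmac.new(cred["stored_key"], auth_message, HASH).digest()
    recovered_client_key = xor_bytes(proof, client_signature)
    return hmac.compare_digest(
        hashlib.new(HASH, recovered_client_key).digest(), cred["stored_key"])


def digest_md5_stored_secret(username: str, realm: str, password: str) -> bytes:
    """The DIGEST-MD5 stored secret from the quoted reply: MD5(username:realm:password)."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode("utf-8")).digest()


def demo() -> dict:
    """Run one SCRAM exchange against a stored credential with a right and a wrong password."""
    salt = bytes.fromhex("4125c247e43ab1e93c6dff76")   # constructed
    iterations = 4096
    cred = derive_stored_credential("correct horse", salt, iterations)
    # AuthMessage = client-first-bare "," server-first "," client-final-without-proof.
    # Nonces and channel-binding field are constructed sample values.
    auth_message = (b"n=user,r=fyko+d2lbbFgONRv9qkxdawL,"
                    b"r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,"
                    b"s=QSXCR+Q6sek8bf92,i=4096,"
                    b"c=biws,r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j")
    good = client_proof("correct horse", salt, iterations, auth_message)
    bad = client_proof("correct horsE", salt, iterations, auth_message)
    return {
        "accepted": server_verify(cred, auth_message, good),
        "rejected": not server_verify(cred, auth_message, bad),
        # The stored value is the hash of ClientKey, so it differs from the key itself.
        "stored_key_is_hashed": cred["stored_key"] != xor_bytes(
            good, hmac.new(cred["stored_key"], auth_message, HASH).digest()),
    }


if __name__ == "__main__":
    print(demo())
```

Note that the server checks the proof using only StoredKey; SaltedPassword and ClientKey are reconstructed by the client from the password each time, so a compromised credential store yields salted, iterated hashes bound to this server's salt rather than anything reusable against another realm or host.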
