libsasl + smtp w/o clear passwd storage?

Carson Gaspar carson at
Fri Feb 5 16:58:31 EST 2016

On 2/5/16 1:44 PM, Jan Parcel via Cyrus-devel wrote:
> On 02/05/2016 01:41 PM, Carson Gaspar via Cyrus-devel wrote:

>> This used to be possible using DIGEST-MD5, where the server stores
>> MD5(username:realm:password) instead of the plaintext password. This
>> is still a password equivalent, but only for the same realm (where you
>> can define the realm as a single host, or service, or company, or...).

> Well, since md5 is now considered weak, that does not appear to be a loss.

MD5 isn't (AFAIK) vulnerable in this context, but DIGEST-MD5 had other 
issues (see RFC 6331). SCRAM is the better replacement.


More information about the Cyrus-devel mailing list