Hello everyone.
I've recently found out that there is a SCRAM authentication scheme that
should work without plaintext passwords stored on the server side (unlike
CRAM-MD5). So I wanted to try it out. I run cyrus 3.6.1-4+deb12u3 (yes,
debian 12 packages), and it properly tells me that SCRAM is available:
* OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE STARTTLS
AUTH=SCRAM-SHA-512 AUTH=SCRAM-SHA-384 AUTH=SCRAM-SHA-256
AUTH=SCRAM-SHA-224 AUTH=SCRAM-SHA-1 AUTH=DIGEST-MD5 AUTH=NTLM
AUTH=CRAM-MD5 AUTH=PLAIN AUTH=LOGIN SASL-IR] mail Cyrus IMAP
3.6.1-Debian-3.6.1-4+deb12u3 server ready
/etc/imapd.conf:
sasl_pwcheck_method: auxprop
sasl_auxprop_plugin: sasldb
I found out that saslpasswd2 has an option -n: Don't set the plaintext
userPassword property for the user. Only mechanism-specific secrets
will be set (e.g. OTP, SCRAM, SRP)
But when I use it: `saslpasswd2 -n -c newuser`, I do not see this new
user added to /etc/sasldb2. After running sasldbconverter2 I see that
users have new property cmusaslsecretuserPassword, but using
hexdump/string I can see that it contains the plaintext passwords too.
So the question is - how do I add SCRAM hashes to sasldb2?
Or if sasldb2 is unable to do it, which sasl_method/plugin should I use?
I'd like to get rid of plaintext passwords stored on the server.
Also do you know which email client supports SCRAM?
Neither Thunderbird nor Roundcube seems to support it.
--
Best regards
Vladislav Kurz
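To make concrete what the server actually has to keep for the SCRAM mechanisms advertised above, here is an added, self-contained illustration of the SCRAM-SHA-* server-side credential format and proof check as specified in RFC 5802 / RFC 7677. It is not code from Cyrus SASL or from this thread, and it does not touch sasldb2; the ScramRecord class, the function names, the fixed salt and the nonces are all constructed for the example. It shows that a server storing only salt, iteration count, StoredKey and ServerKey can still verify a client's proof without ever holding the plaintext password.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ScramRecord:
    """Per-user material a SCRAM server stores (hypothetical record layout).

    None of these fields is the plaintext password or reversible to it.
    """
    hash_name: str       # "sha1", "sha256", "sha512", ... (SCRAM-SHA-*)
    salt: bytes
    iterations: int
    stored_key: bytes    # H(ClientKey)
    server_key: bytes    # HMAC(SaltedPassword, "Server Key")


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _salted_password(password: str, salt: bytes, iterations: int, hash_name: str) -> bytes:
    # SaltedPassword := Hi(Normalize(password), salt, i) == PBKDF2-HMAC (RFC 5802 2.2)
    return hashlib.pbkdf2_hmac(hash_name, password.encode("utf-8"), salt, iterations)


def make_record(password: str, hash_name: str = "sha256",
                salt: Optional[bytes] = None, iterations: int = 4096) -> ScramRecord:
    """Enrollment: derive what the server keeps; the password itself is discarded."""
    if salt is None:
        salt = os.urandom(16)
    salted = _salted_password(password, salt, iterations, hash_name)
    client_key = hmac.new(salted, b"Client Key", hash_name).digest()
    stored_key = hashlib.new(hash_name, client_key).digest()
    server_key = hmac.new(salted, b"Server Key", hash_name).digest()
    return ScramRecord(hash_name, salt, iterations, stored_key, server_key)


def client_proof(password: str, rec: ScramRecord, auth_message: bytes) -> bytes:
    """Client side: ClientProof := ClientKey XOR HMAC(StoredKey, AuthMessage)."""
    salted = _salted_password(password, rec.salt, rec.iterations, rec.hash_name)
    client_key = hmac.new(salted, b"Client Key", rec.hash_name).digest()
    stored_key = hashlib.new(rec.hash_name, client_key).digest()
    client_sig = hmac.new(stored_key, auth_message, rec.hash_name).digest()
    return _xor(client_key, client_sig)


def server_verify(rec: ScramRecord, auth_message: bytes, proof: bytes) -> bool:
    """Server side: recover ClientKey from the proof and compare H(ClientKey) to StoredKey."""
    client_sig = hmac.new(rec.stored_key, auth_message, rec.hash_name).digest()
    client_key = _xor(proof, client_sig)
    return hmac.compare_digest(hashlib.new(rec.hash_name, client_key).digest(), rec.stored_key)


def server_signature(rec: ScramRecord, auth_message: bytes) -> bytes:
    """What the server sends back so the client can authenticate the server."""
    return hmac.new(rec.server_key, auth_message, rec.hash_name).digest()


def build_auth_message(user: str, client_nonce: str, server_nonce_suffix: str,
                       rec: ScramRecord) -> bytes:
    """AuthMessage := client-first-bare , server-first , client-final-without-proof.

    Nonces are passed in so the example is deterministic; real implementations
    generate them randomly per exchange.
    """
    import base64
    nonce = client_nonce + server_nonce_suffix
    client_first_bare = f"n={user},r={client_nonce}"
    server_first = (f"r={nonce},s={base64.b64encode(rec.salt).decode()},"
                    f"i={rec.iterations}")
    client_final_bare = f"c=biws,r={nonce}"   # c=biws is base64("n,,") for no channel binding
    return f"{client_first_bare},{server_first},{client_final_bare}".encode("utf-8")


def record_contains_plaintext(rec: ScramRecord, password: str) -> bool:
    """Sanity check for the concern in the post: does any stored field embed the password?"""
    pw = password.encode("utf-8")
    return any(pw in field for field in (rec.salt, rec.stored_key, rec.server_key))


if __name__ == "__main__":
    rec = make_record("correct horse", "sha256")
    msg = build_auth_message("newuser", "clientnonce1", "servernonce2", rec)
    print("good password verifies:", server_verify(rec, msg, client_proof("correct horse", rec, msg)))
    print("wrong password verifies:", server_verify(rec, msg, client_proof("wrong", rec, msg)))
    print("plaintext in record:", record_contains_plaintext(rec, "correct horse"))
```

The verification step is the whole point: the server only needs StoredKey to check the proof, and StoredKey is a hash of a key derived through PBKDF2, so a dump of the record does not yield the password. A stolen record does let an attacker impersonate the server or replay as a client to that same server, which is why SCRAM is still normally run over TLS.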
------------------------------------------
Cyrus: Info
Permalink: https://cyrus.topicbox.com/groups/info/T027ec3d59c3cfa81-M938d1a349755f1932468f39c