Subject: Re: [courier-users] Only 8 characters of the password required
From: Johnny C. Lam (jlam@buildlink.org)
Date: Sep 26, 2007 11:09:28 am
List: net.sourceforge.lists.courier-users

Andreas Grabner wrote:

> On Wednesday, 26.09.2007, at 17:31 +0100, Lisa Muir wrote:
>
>> On 9/26/07, Andreas Grabner <andr@vianova.cc> wrote:
>>
>>> I have just figured out that only the first 8 characters of passwords are significant and the rest is irrelevant. Have I missed some configuration? I think this is a security issue.
>>
>> In my experience, this would indicate that you're encrypting passwords with the CRYPT function; try using SHA or MD5 instead to avoid the 8 character limitation, but bear in mind that you lose a certain amount of system portability with your passwords which may or may not be an issue.
>
> Thanks, I use
>
> IMAP_CAPABILITY_TLS="$IMAP_CAPABILITY AUTH=PLAIN"
>
> Doesn't this mean plain passwords in TLS connection? Should not have something to do with crypt. Right?

The passwords may be cleartext over the connection, but they're probably stored in encrypted form in your MySQL database. Just make sure the passwords are encrypted using something other than the {CRYPT} hash, e.g. {SHA} or {MD5}.

> I have plain passwords in the database. Which AUTH mechanism should be preferred? Clients are Outlook [Express] and others?

IIRC, either PLAIN or LOGIN should work.

Cheers,

-- Johnny Lam
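
The 8-character limit discussed in this thread, as an added example that is not part of the original messages and is not Courier's own code: a small audit that flags stored password values in traditional DES crypt format, plus the key derivation that makes everything past the eighth character irrelevant. The row layout, function names and sample values are assumptions constructed for illustration.

```python
import re

# Traditional DES crypt(3) output: 2 salt chars + 11 hash chars from [./0-9A-Za-z].
DES_CRYPT_RE = re.compile(r"[./0-9A-Za-z]{13}")

def des_crypt_key(password: str) -> bytes:
    """Key material traditional crypt(3) derives: the low 7 bits of each of the
    first 8 bytes, zero-padded. Everything after byte 8 is ignored."""
    raw = password.encode("utf-8")[:8].ljust(8, b"\0")
    return bytes((b & 0x7F) << 1 for b in raw)

def classify(stored: str) -> str:
    """Return 'des-crypt' (8-character limit), 'other-hash' or 'unrecognized'."""
    value = stored
    if value.upper().startswith("{CRYPT}"):   # assumption: prefix matched case-insensitively
        value = value[len("{CRYPT}"):]
    elif value.startswith("{"):
        return "other-hash"                   # e.g. {SHA} or {MD5}, as named in the thread
    if value.startswith("$"):
        return "other-hash"                   # modular crypt format such as $1$ (MD5-crypt)
    if DES_CRYPT_RE.fullmatch(value):
        return "des-crypt"
    return "unrecognized"

def audit(rows):
    """Return the users whose stored hash only covers the first 8 characters."""
    return [user for user, stored in rows if classify(stored) == "des-crypt"]

# Constructed sample rows (hypothetical users; not values from the thread).
SAMPLE_ROWS = [
    ("alice", "{CRYPT}abJnggxhB/yWI"),
    ("bob", "{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g="),
    ("carol", "$1$saltsalt$0123456789abcdefghijkl"),
    ("dave", "xyAbCdEfGhIjK"),
]

if __name__ == "__main__":
    print("8-character limit applies to:", audit(SAMPLE_ROWS))
    # Two passwords that differ only after the eighth character share one key.
    print(des_crypt_key("correcthorse") == des_crypt_key("correcthXXXX"))
```

Run the audit only against a column known to hold hashes: a 13-character alphanumeric cleartext password matches the same pattern as a DES crypt hash.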