On 10.02.25 14:18, Aki Tuomi wrote:
> I am not sure how we should actually implement this. Do you mean
> that we should require that you always provide a password scheme
> for credentials, or require explicit {PLAIN} prefix or what?
> Everything costs something and has unexpected side-effects, like
> breaking everyone's master password authentication, in this case.
My deminickel: IIUC (someone correct me if I'm wrong), there still isn't
any widely available authentication scheme (for SMTP/POP/IMAP) that
would simultaneously avoid a) some secret being sent to the server upon
login and b) storing the secret on the server (effectively) in
plaintext. Depending on implementation details, *either* can qualify as
a violation of GDPR - or whatever other legislation you're under.
In the case of a), one needs to properly secure the channel through
which the password is sent (and then some, like scrubbing the memory
after the OK ...) to avoid the liability. I doubt that it can be
construed that the dovecot developers are somehow responsible for the
server operator's duty of keeping the SSL privkey secret, the server
cert exchanged before expiry, the CA that issued it in the good graces
of whatever trust anchor set's maintainers, etc. etc.
As it is, a default dovecot installation is appropriate for slapping it
onto one's laptop, fiddling with only a couple config lines, temporarily
starting it, and moving a bunch of e-mails to local archive files with
one's MUA running on the same laptop; trying to install it for a serious
public-facing mail server with similar ease SHOULD not succeed IMHO,
because it'd be proof that the person doing that never spent a thought
on important design decisions (storage backend yadda yadda ad nauseam).
If it is indeed possible to make all those decisions on the admins'
behalf and deliver an *actual* turnkey "unwashed Internet access grade"
variant, feel free to call it "dovecot-ee" or some such ...
Kind regards,
--
Jochen Bern
Systemingenieur
Binect GmbH
_______________________________________________
dovecot mailing list -- [email protected]