Hi Odhiambo,

Thanks for the info!

> Let's drop that field from the DB and any php code that stores it.

I agree. Currently, the domain admins can reset any user's password. Is that adequate for the cases where the users forget?

Thanks,
Gordon

On 07/18/2013 02:17 PM, Odhiambo Washington wrote:
Hi Gordon,
I am using Dovecot (2.2.4) with MySQL.
In my dovecot-sql.conf, I have:
default_pass_scheme = MD5-CRYPT
password_query = SELECT crypt AS password FROM users,domains WHERE users.username = '%u' AND users.enabled = '1' AND users.type='local' and domains.enabled='1' and domains.domain_id = users.domain_id
And I have authentication working well.
I therefore have no need for the cleartext field in the DB except that I've graciously used it to tell users what their passwd is when they forget - which I don't think pleases them though, because they then fail to use strong passwords, as they will be 'known':)
Let's drop that field from the DB and any php code that stores it.
On 18 July 2013 20:55, <gecko(a)exim4u.org> wrote:
Hi Odhiambo,
Sorry for not replying back to you sooner. I've been away on vacation for several weeks and just got back home.
The cleartext password dates back to the original Vexim code as Avleen Vig recently stated on the Vexim Mailing list:
"Indeed. The storage of the 'clear' field was something one company requested way back in 2003 I think. In hindsight it was a *terrible* idea, but I was young and naive at the time."
See: http://silverwraith.com/pipermail/vexim/2013-July/000691.html
In any event, I agree with you and Avleen that we need to get rid of the cleartext password. Have you achieved any progress using crypt with dovecot? Here is a "Howto" on disabling saving of passwords in clear text with Vexim:
http://axel.sjostedt.no/misc/dev/vexim-customizations/
But the referenced IMAP client is Courier instead of Dovecot. Nevertheless, it shouldn't be that hard with Dovecot. FWIW, I intend to fix this issue in a future release of Exim4U so that the passwords are not stored in plain text. Please let me know if you have made any progress here and, if so, would you please share your work? I would prefer not to reinvent the wheel if it isn't necessary.
Thanks,
Gordon
On 06/26/2013 11:31 AM, Odhiambo Washington wrote:
Someone please remind me why we authenticate users using cleartext passwords with exim4u.
Why are we not using the crypt field? Anyone using crypt, please share dovecot-sql.conf, please.
--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254733744121/+254722743223
"I can't hear you -- I'm using the scrambler."
_______________________________________________ users mailing list users(a)exim4u.org https://exim4u.org/mailman/listinfo/users
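The change agreed in this thread (keep only the crypt column and let domain admins reset forgotten passwords), sketched as an added PHP example; it is not code from Exim4U or Vexim. Assumptions: a reduced users table with only username and crypt, hypothetical function names, an in-memory SQLite database standing in for MySQL, and MD5-CRYPT chosen only because it is the default_pass_scheme in the dovecot-sql.conf quoted above.

```php
<?php
// Added example, not Exim4U/Vexim code. Assumed: reduced users table
// (username, crypt), hypothetical function names, SQLite instead of MySQL.

// Hash in MD5-CRYPT ($1$) form to match default_pass_scheme in the thread.
// Another scheme would need default_pass_scheme changed to match it.
function md5crypt_hash(string $password): string
{
    // 6 random bytes -> 8 base64 chars; '+' is not in the crypt salt alphabet.
    $salt = strtr(base64_encode(random_bytes(6)), '+', '.');
    return crypt($password, '$1$' . $salt . '$');
}

// Domain-admin reset: generate a temporary password and store only its hash.
// The cleartext is returned once for hand-over and is never written to the DB.
function reset_password(PDO $db, string $username): ?string
{
    $temp = bin2hex(random_bytes(8)); // constructed policy: 16 hex characters
    $stmt = $db->prepare('UPDATE users SET crypt = :crypt WHERE username = :u');
    $stmt->execute([':crypt' => md5crypt_hash($temp), ':u' => $username]);
    return $stmt->rowCount() === 1 ? $temp : null; // null: no such user
}

// Check a login attempt against the stored hash only, in constant time.
function verify_password(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT crypt FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $stored = $stmt->fetchColumn();
    return is_string($stored) && hash_equals($stored, crypt($password, $stored));
}

// Constructed sample data: one account whose owner forgot the password.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, crypt TEXT NOT NULL)');
$db->prepare('INSERT INTO users VALUES (?, ?)')
   ->execute(['alice@example.org', md5crypt_hash('old-forgotten-password')]);

$temp = reset_password($db, 'alice@example.org');
var_dump(verify_password($db, 'alice@example.org', $temp));                    // temporary password
var_dump(verify_password($db, 'alice@example.org', 'old-forgotten-password')); // previous password
var_dump(reset_password($db, 'nobody@example.org'));                           // account not in table
```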