# SSL Certificate Question



## mroussin51 (Oct 9, 2013)

Greetings to you all!

I have installed Dovecot and generated an SSL Certificate and Key using the handy script provided. My question is about password encryption. Does SSL handle encrypting the password, or is cram-md5 required for the password to be encrypted?

Thanks in advance!

Mike


----------



## SirDice (Oct 9, 2013)

That depends on what password you mean. The password on the SSL certificate? Or the password on the web application that will be running on SSL?

D'oh. Scratch that. It's dovecot, so POP3 and IMAP. But I think the difference remains the same. Both POP3 and IMAP are clear-text protocols, including the passwords. The "only" thing SSL does is create an encrypted tunnel between the client and the server.


----------



## mroussin51 (Oct 9, 2013)

*I am using IMAPS*

Thanks SirDice;

I am authenticating with IMAPS. I am assuming that my login credentials are encrypted. If I am incorrect please let me know.

Best regards,

Mike


----------



## kpa (Oct 9, 2013)

The login credentials are encrypted if you use IMAPS on port 993. By using SSL you are forcing encryption on the connection from the first handshake and everything is transmitted over the secure channel.


----------



## Anonymous (Oct 9, 2013)

In case you are using the PLAIN authentication scheme, you might want to verify that the setting disable_plaintext_auth is kept to the default value YES. From /usr/local/etc/dovecot/conf.d/10-auth.conf:


```
# Disable LOGIN command and all other plaintext authentications unless
# SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP
# matches the local IP (ie. you're connecting from the same computer), the
# connection is considered secure and plaintext authentication is allowed.
```

And/or set ssl = required in /usr/local/etc/dovecot/conf.d/10-ssl.conf.

If for any reason a client tries to connect to your IMAP server without TLS, and disable_plaintext_auth = NO, then the credentials may go in clear text over the line. You are safe in this respect with disable_plaintext_auth = YES (default) and/or ssl = required.

Another option would be to abandon PLAIN authentication altogether in favour of e.g. CRAM-MD5 provided by SASL.
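As an added check that is not part of this thread or of Dovecot itself: a small POSIX shell audit of the two settings discussed above, run against constructed config samples (on a real host, point it at the output of `doveconf -n` instead). It assumes flat `key = value` lines where the last assignment wins, and Dovecot's defaults of disable_plaintext_auth = yes and ssl = yes (TLS offered, not enforced).

```shell
#!/bin/sh
# Added audit helper, not code from the thread or from Dovecot.
# Reads flat "key = value" lines (10-auth.conf / 10-ssl.conf, or `doveconf -n`
# output) and reports whether a client that skips TLS could send credentials
# in the clear. Assumes the last assignment of a key wins, as in Dovecot.

# effective_value FILE KEY: last uncommented value of KEY, empty if unset.
effective_value() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^#]*\).*/\1/p" "$1" |
    sed 's/[[:space:]]*$//' | tail -n 1
}

# plaintext_auth_exposed FILE: exit 0 (true) when clear-text credentials are
# possible, 1 when TLS is required or plaintext mechanisms are disabled.
# Dovecot still allows plaintext auth from the local IP even with
# disable_plaintext_auth = yes; that loopback exception is not modelled here.
plaintext_auth_exposed() {
  dpa=$(effective_value "$1" disable_plaintext_auth)
  ssl=$(effective_value "$1" ssl)
  dpa=${dpa:-yes}   # Dovecot default
  ssl=${ssl:-yes}   # Dovecot default: TLS offered, not required
  case "$ssl" in [Rr][Ee][Qq][Uu][Ii][Rr][Ee][Dd]) return 1 ;; esac
  case "$dpa" in [Yy][Ee][Ss]) return 1 ;; esac
  return 0
}

# Constructed samples (not taken from any real server).
weak_cfg=$(mktemp)
printf '%s\n' 'disable_plaintext_auth = no' '# ssl = required' 'ssl = yes' \
  'ssl_cert = </etc/ssl/certs/dovecot.pem' > "$weak_cfg"
fixed_cfg=$(mktemp)
printf '%s\n' 'disable_plaintext_auth = no  # left weak' 'ssl = required' \
  > "$fixed_cfg"
default_cfg=$(mktemp)   # empty file: every setting at its default
: > "$default_cfg"

if plaintext_auth_exposed "$weak_cfg"; then echo "weak sample: exposed"; fi
if plaintext_auth_exposed "$fixed_cfg"; then :; else echo "fixed sample: ok"; fi
if plaintext_auth_exposed "$default_cfg"; then :; else echo "defaults: ok"; fi
```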


----------



## mroussin51 (Oct 10, 2013)

*Thanks for the feedback*

Thank you gentlemen;

I have made a couple of changes to my IMAPS configuration. Now if I can get Cyrus SASL working as well as Dovecot works, I'll have a working email server.

Thanks again

Mike


----------

