mail_server: Consider implementing CRAM-MD5 / DIGEST-MD5 authentication
We generate an htpasswd-type database with username:hash pairs for each user, which suffices for PLAIN and LOGIN authentication. We only offer IMAP and SMTP authentication over TLS, so this should be robust. Providing CRAM-MD5 or DIGEST-MD5 requires a different server-side storage solution, which may require us to save the passwords in plaintext on the server, but will allow "Encrypted" passwords in Thunderbird etc.
It's a trade-off between transport security and server security, and I'm not 100% convinced it's worth it. Filing a bug to think about it later.
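The storage constraint described above, as an added example that is not part of the original report or the project's code: a salted one-way hash verifies a PLAIN/LOGIN password, but the server cannot recompute a CRAM-MD5 (RFC 2195) response from it. Assumptions: PBKDF2 stands in for whatever hash the htpasswd-type database uses, and the user name, password and challenge are constructed sample values.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumption: stand-in cost for the htpasswd-style hash

def make_verifier(password):
    """Salted one-way hash: all the server keeps for PLAIN/LOGIN."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def check_plain(verifier, presented):
    """PLAIN/LOGIN: the password arrives (inside TLS) and is re-hashed."""
    salt, digest = verifier
    candidate = hashlib.pbkdf2_hmac("sha256", presented.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)

def cram_md5_response(user, secret, challenge):
    """RFC 2195 client response: user, space, hex HMAC-MD5(secret, challenge)."""
    mac = hmac.new(secret, challenge, hashlib.md5).hexdigest()
    return f"{user} {mac}".encode()

def check_cram_md5(user, stored_secret, challenge, response):
    """The server must recompute the HMAC, so it needs the HMAC key itself."""
    expected = cram_md5_response(user, stored_secret, challenge)
    return hmac.compare_digest(expected, response)

def demo():
    user, password = "alice", "constructed-sample-password"  # constructed values
    challenge = b"<12345.67890@mail.example.org>"            # constructed challenge
    verifier = make_verifier(password)
    response = cram_md5_response(user, password.encode(), challenge)
    return {
        # The salted hash is enough when the password itself is presented.
        "plain_with_hash": check_plain(verifier, password),
        # The same stored hash is the wrong HMAC key, so CRAM-MD5 cannot be verified.
        "cram_with_hash": check_cram_md5(user, verifier[1], challenge, response),
        # With the plaintext on the server the challenge-response verifies.
        "cram_with_plaintext": check_cram_md5(user, password.encode(), challenge, response),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Any value the server stores that lets it recompute the HMAC is also enough to answer a challenge, so a leak of that store exposes working credentials for this mechanism.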