I agree completely. Is anyone aware of a client which will break, if it no longer sees STARTTLS or AUTH= after authentication?

The same questions apply to POP3 also.


Lyndon Nerenberg wrote:
What are your thoughts on AUTHENTICATE in this regard? Should a server not advertise the AUTH= capability after authentication has been performed (and succeeded)?


I don't think it really matters (since clients cannot make use of the capability after authentication). In my servers I remove AUTH= from the capability list after authentication, but my primary motivation for this is to eliminate unnecessary protocol chatter.

Apparently some clients may/do want to compare the capabilities before and after authentication to see if they have been changed by a man-in-the-middle. Those of us working on Cyrus think that this is pointless, but should we prevent them from doing so by removing the capabilities?


Since the capability list can change at any time (nothing precludes a server from "growing" new capabilities on the fly -- taking them away would be evil, though), any such client is broken, in my opinion.

--lyndon




--
Kenneth Murchison     Oceana Matrix Ltd.
Software Engineer     21 Princeton Place
716-662-8973 x26      Orchard Park, NY 14127
--PGP Public Key--    http://www.oceana.com/~ken/ksm.pgp
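The before/after capability comparison discussed in this thread, as an added example that is not part of the original messages nor code from Cyrus or any server mentioned: a small checker that parses IMAP CAPABILITY responses (constructed sample lines), tolerates the drops a client should expect once authenticated (AUTH=, STARTTLS, LOGINDISABLED) and any additions, and reports only an unexplained removal.

```python
import re

# Capabilities a server is expected to drop once the client is authenticated:
# the AUTH=<mechanism> tokens and LOGINDISABLED no longer apply, and STARTTLS
# is gone because TLS (if used) was negotiated before the login.
EXPECTED_DROPS_AFTER_AUTH = {"STARTTLS", "LOGINDISABLED"}

# Constructed sample responses, not captured from a real server.
PRE_AUTH = "* CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN AUTH=LOGIN IDLE NAMESPACE"
POST_AUTH_OK = "* CAPABILITY IMAP4rev1 IDLE NAMESPACE QUOTA"
POST_AUTH_BAD = "* CAPABILITY IMAP4rev1 NAMESPACE"


def parse_capability(line):
    """Turn an untagged IMAP CAPABILITY response into a set of upper-cased tokens."""
    m = re.match(r"\*\s+CAPABILITY\s+(.+)$", line.strip(), re.IGNORECASE)
    if not m:
        raise ValueError("not a CAPABILITY response: %r" % line)
    return {tok.upper() for tok in m.group(1).split()}


def compare_capabilities(before, after, authenticated):
    """Split the difference between two capability sets into three groups.

    Returns (expected_removed, suspicious_removed, added).  Additions are never
    flagged: a server may grow capabilities at any time.  A removal is only
    tolerated when the capability cannot be used in the new state; anything
    else that disappears is reported so the client can decide what to do.
    """
    removed = before - after
    added = after - before

    def is_expected_drop(cap):
        return authenticated and (cap in EXPECTED_DROPS_AFTER_AUTH
                                  or cap.startswith("AUTH="))

    expected = {c for c in removed if is_expected_drop(c)}
    return expected, removed - expected, added


def check_after_login(pre_line, post_line):
    """Compare a pre-login and a post-login CAPABILITY line."""
    return compare_capabilities(parse_capability(pre_line),
                                parse_capability(post_line), authenticated=True)


if __name__ == "__main__":
    for label, post in (("ok", POST_AUTH_OK), ("bad", POST_AUTH_BAD)):
        exp, sus, add = check_after_login(PRE_AUTH, post)
        print(label, "expected drops:", sorted(exp),
              "suspicious:", sorted(sus), "added:", sorted(add))
```

With the sample lines, the first comparison reports no suspicious removal (only AUTH= and STARTTLS vanish, QUOTA is added), while the second flags IDLE as removed without a reason.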
