On Mon, 2009-02-23 at 16:49 -0500, Wietse Venema wrote:
> > It's basically the same thing as "disable plaintext authentication",
> > except on a per-user (or per-domain, or per-source-IP-range) basis
> > rather than globally. There are probably some other use cases that I've
> > heard before but can't remember right now.
>
> The MTA gets the Dovecot mechanism list first, including PLAIN or
> LOGIN. Then the MTA sends the user's login name and password and
> the TLS session state, and then Dovecot says no you can't do that.
>
> What's the point?

The same server may handle multiple different domains where some require that SSL/TLS is enabled for authentication to succeed, while for other domains it must be only optional. The server doesn't know if it requires SSL/TLS until it knows the SASL username.
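
The decision described in this message, as an added example that is not part of the original post and is not Dovecot's or Postfix's code: the TLS requirement can only be evaluated once the SASL username is known, using the TLS session state the MTA passes along. It also covers the per-user and per-source-IP-range cases from the quoted text; the policy table, function names and result strings are hypothetical.

```python
import ipaddress

# Constructed policy table; the users, domains and networks are made up.
POLICY = {
    "users": {"admin@example.org": True},            # per-user override
    "domains": {"secure.example": True, "legacy.example": False},
    "trusted_nets": [ipaddress.ip_network("10.0.0.0/8")],
    "default": False,                                # TLS optional otherwise
}


def tls_required(username, remote_ip, policy=POLICY):
    """Return True if this login must arrive over SSL/TLS."""
    user = username.strip().lower()
    if user in policy["users"]:                      # per-user rule wins outright
        return policy["users"][user]
    domain = user.rpartition("@")[2] if "@" in user else ""
    required = policy["domains"].get(domain, policy["default"])
    # Per-source-IP-range exemption: clients on trusted networks may skip TLS.
    addr = ipaddress.ip_address(remote_ip)
    if required and any(addr in net for net in policy["trusted_nets"]):
        return False
    return required


def authorize(username, password, secured, remote_ip, verify_password):
    """Decide on a PLAIN/LOGIN attempt.

    `secured` is the TLS session state reported by the MTA;
    `verify_password` is a caller-supplied callable (username, password) -> bool.
    """
    if tls_required(username, remote_ip) and not secured:
        # Design choice of this example: reject before checking the password,
        # so a cleartext attempt gets the same answer whether or not the
        # credentials were valid.
        return "FAIL tls-required"
    if verify_password(username, password):
        return "OK"
    return "FAIL bad-credentials"
```

The mechanism list is advertised before any of this runs, which is why PLAIN or LOGIN is still offered to every client and the refusal can only come after the credentials have been sent.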