Hi Mark,

--On Friday, September 20, 2002 9:22 AM -0700 Mark Crispin <[EMAIL PROTECTED]> wrote:

|> I don't think there is
|> any practical way of forcing an IMAP server to turn off LOGIN in any kind
|> of open environment (University for example).
|
| Interestingly, it's easier for universities to turn off LOGIN (we have!)
| than it is for enterprises. It just means that many clients don't work
| with our servers. Of course, *our* preferred client works just fine...

Turning off LOGIN on the server won't stop clients that expect it to be present from sending the LOGIN command when SSL is not being used, thus exposing the plain text password. The bottom line is you cannot stop clients from sending LOGIN and exposing plain text passwords. The current draft does state clients SHOULD NOT use LOGIN except as a last resort and that is something that needs to be encouraged.

Also, the current (and proposed) wordings for the AUTHENTICATE command only suggest that the server should (must) not allow plain text passwords without SSL. I think the burden for that check should also lie with the client to prevent clients being tricked into sending plain text passwords over an insecure link, and I would like to see the wording changed to include clients doing this check.

-- 
Cyrus Daboo
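The client-side check argued for above, as an added example that is not part of the original thread: a client parses the server's CAPABILITY response and refuses to send LOGIN or AUTHENTICATE PLAIN unless TLS is already active. The CAPABILITY lines are constructed sample data; the logic assumes the STARTTLS and LOGINDISABLED capability names from RFC 3501.

```python
"""Client-side guard against sending an IMAP plaintext password in the clear.

Added example; the CAPABILITY responses below are constructed sample data,
not output from any real server.
"""
import re

# Constructed untagged CAPABILITY responses, as a server would send them.
CAPS_STARTTLS_SERVER = "* CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN AUTH=CRAM-MD5"
CAPS_LOGIN_DISABLED = "* CAPABILITY IMAP4rev1 LOGINDISABLED AUTH=CRAM-MD5"


def parse_capabilities(line: str) -> set:
    """Turn an untagged CAPABILITY response into a set of upper-case atoms."""
    m = re.match(r"\*\s+CAPABILITY\s+(.*)", line.strip(), re.IGNORECASE)
    if not m:
        raise ValueError("not a CAPABILITY response: %r" % line)
    return {atom.upper() for atom in m.group(1).split()}


def choose_auth_step(caps: set, tls_active: bool) -> str:
    """Decide the client's next step before any credential leaves the client.

    Returns one of:
      'STARTTLS' - negotiate TLS first, then re-issue CAPABILITY
      'CRAM-MD5' - challenge/response; the password itself never goes on the wire
      'PLAIN'    - AUTHENTICATE PLAIN, only over TLS
      'LOGIN'    - LOGIN command, only over TLS and only if not LOGINDISABLED
      'ABORT'    - no way to authenticate without exposing the password
    """
    if not tls_active and "STARTTLS" in caps:
        return "STARTTLS"
    # A non-plaintext mechanism is acceptable regardless of the transport.
    if "AUTH=CRAM-MD5" in caps:
        return "CRAM-MD5"
    if not tls_active:
        # The check the mail asks clients to make: never fall back to LOGIN
        # or PLAIN on a cleartext link, even if the server advertises them.
        return "ABORT"
    if "AUTH=PLAIN" in caps:
        return "PLAIN"
    if "LOGINDISABLED" not in caps:
        return "LOGIN"
    return "ABORT"
```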
