On Fri, 20 Sep 2002 13:28:08 -0400, Jeffrey I. Schiller wrote:
> I can live with Mark's proposed paragraph.

I think that's the only way out of this problem. As far as I can tell, the most that a server can do to address Cyrus' concern is to add LOGINDISABLED (described in RFC 2595), and remove plaintext SASL mechanisms (specifically PLAIN and LOGIN) from the CAPABILITY list. Beyond that, we cannot do anything more. If this is to be done, then it's more than just changing that paragraph in the AUTHENTICATE command. Let me issue a new draft with all this in mind.
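
An added example, not part of the original message or of any draft: a Python check that audits a capability line captured before TLS is negotiated for the two conditions the message names (LOGINDISABLED present, no AUTH=PLAIN or AUTH=LOGIN). The function names and the two sample lines are constructed for illustration.

```python
import re

# SASL mechanisms that carry the password in the clear (named in the message above).
PLAINTEXT_SASL = ("LOGIN", "PLAIN")


def parse_capabilities(line):
    """Return the upper-cased capability atoms from an untagged CAPABILITY
    response or from a [CAPABILITY ...] response code in a greeting."""
    m = (re.search(r"\[CAPABILITY ([^\]]*)\]", line, re.I)
         or re.match(r"\* CAPABILITY (.*)$", line.strip(), re.I))
    if not m:
        raise ValueError("no CAPABILITY data in line")
    return {atom.upper() for atom in m.group(1).split()}


def audit_cleartext_capabilities(line):
    """List findings for a capability line seen on an unencrypted connection."""
    caps = parse_capabilities(line)
    findings = []
    if "LOGINDISABLED" not in caps:
        findings.append("LOGINDISABLED missing: LOGIN command is allowed in the clear")
    for mech in PLAINTEXT_SASL:
        if "AUTH=" + mech in caps:
            findings.append("AUTH=%s advertised: plaintext SASL mechanism offered" % mech)
    return findings


# Constructed sample lines (not captured from a real server).
HARDENED = "* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED AUTH=GSSAPI\r\n"
WEAK = "* OK [CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN AUTH=LOGIN] server ready\r\n"

if __name__ == "__main__":
    for label, line in (("hardened", HARDENED), ("weak", WEAK)):
        problems = audit_cleartext_capabilities(line)
        print(label, "->", problems or "ok")
```
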
