Mark Crispin wrote:
> You have a point; and this is something that should be addressed in a document revision.
> The IMAP specification (RFC 3501) doesn't allow STARTTLS after authentication (since STARTTLS is a Not Authenticated state command).
> I believe that:
>  . multiple STARTTLS is absurd
>  . a port 993 server (SSL IMAP) should not advertise the STARTTLS capability
>  . a port 143 server should not advertise the STARTTLS capability after STARTTLS has been negotiated
>  . if the STARTTLS capability has not been advertised, the appropriate response to the STARTTLS command is a "BAD Unknown command" error.
What are your thoughts on AUTHENTICATE in this regard? Should a server not advertise the AUTH= capability after authentication has been performed (and succeeded)?
Apparently some clients may/do want to compare the capabilities before and after authentication to see if they have been changed by a man-in-the-middle. Those of us working on Cyrus think that this is pointless, but should we prevent them from doing so by removing the capabilities?
--
Kenneth Murchison              Oceana Matrix Ltd.
Software Engineer              21 Princeton Place
716-662-8973 x26               Orchard Park, NY 14127
--PGP Public Key--             http://www.oceana.com/~ken/ksm.pgp
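The four STARTTLS rules in the quoted message, the RFC 3501 point that STARTTLS is a Not Authenticated state command, and the before/after CAPABILITY comparison that the reply says some clients do, as one added worked example. This is not code from the thread, from Cyrus or from UW-IMAP; it is a small in-memory model of one server connection plus the client-side check, so it runs offline. Everything in it is constructed: the class and function names, the credentials, and the human-readable text after OK/NO/BAD (RFC 3501 fixes the result codes, not that text). It also assumes three things the thread does not state: LOGINDISABLED before TLS (RFC 2595), SASL-IR (RFC 4959) so that AUTHENTICATE PLAIN fits on one line, and, for the AUTH= question, the policy of dropping AUTH= after a successful authentication, selectable via `drop_auth_caps_after_login`.

```python
"""Model of IMAP capability advertisement and STARTTLS state handling.

Added example; not code from the mailing-list thread, Cyrus or UW-IMAP.
Names, credentials and response texts are this example's own.
"""
import base64
from dataclasses import dataclass

AUTH_MECHS = ["AUTH=PLAIN", "AUTH=CRAM-MD5"]
USERS = {"ken": "correct horse"}   # constructed credentials for the model

# Capabilities a client should expect to disappear once TLS is up, so a
# before/after comparison must not count them as tampering.
TLS_GATED = {"STARTTLS", "LOGINDISABLED"}


@dataclass
class ImapSession:
    """One server-side connection. implicit_tls=True models port 993."""
    implicit_tls: bool = False
    drop_auth_caps_after_login: bool = True   # assumed policy, see lead-in
    tls_active: bool = False
    authenticated: bool = False

    def __post_init__(self) -> None:
        self.tls_active = self.implicit_tls

    def capabilities(self) -> list[str]:
        caps = ["IMAP4rev1", "SASL-IR"]
        if not self.tls_active:
            caps.append("LOGINDISABLED")       # RFC 2595: no LOGIN in cleartext
            if not self.authenticated:
                # STARTTLS only on a cleartext listener, only until TLS has
                # been negotiated, and only in Not Authenticated state.
                caps.append("STARTTLS")
        if not (self.authenticated and self.drop_auth_caps_after_login):
            caps.extend(AUTH_MECHS)
        return caps

    def handle(self, line: str) -> list[str]:
        """Process one tagged command line; return the server's reply lines."""
        tag, _, rest = line.partition(" ")
        cmd, _, args = rest.partition(" ")
        cmd, caps = cmd.upper(), self.capabilities()
        if cmd == "CAPABILITY":
            return [f"* CAPABILITY {' '.join(caps)}", f"{tag} OK Completed"]
        if cmd == "STARTTLS":
            # Not advertised (port 993, second STARTTLS, or after
            # authentication) means the command is simply unknown here.
            if "STARTTLS" not in caps:
                return [f"{tag} BAD Unknown command"]
            self.tls_active = True
            return [f"{tag} OK Begin TLS negotiation now"]
        if cmd == "LOGIN":
            if self.authenticated:
                return [f"{tag} BAD LOGIN not valid in Authenticated state"]
            if "LOGINDISABLED" in caps:
                return [f"{tag} NO LOGIN disabled until STARTTLS"]
            user, _, password = args.partition(" ")
            return self._check(tag, user, password.strip('"'))
        if cmd == "AUTHENTICATE":
            if self.authenticated:
                return [f"{tag} BAD AUTHENTICATE not valid in Authenticated state"]
            mech, _, initial = args.partition(" ")
            if f"AUTH={mech.upper()}" not in caps or mech.upper() != "PLAIN":
                return [f"{tag} NO Unsupported authentication mechanism"]
            try:   # SASL PLAIN: authzid NUL authcid NUL password (base64, SASL-IR)
                _, user, password = base64.b64decode(initial).decode().split("\0")
            except (ValueError, UnicodeDecodeError):
                return [f"{tag} BAD Malformed initial response"]
            return self._check(tag, user, password)
        return [f"{tag} BAD Unknown command"]

    def _check(self, tag: str, user: str, password: str) -> list[str]:
        if USERS.get(user) == password:
            self.authenticated = True
            return [f"{tag} OK Authenticated"]
        return [f"{tag} NO Authentication failed"]


def plain_initial_response(user: str, password: str) -> str:
    """Client side: SASL PLAIN message with an empty authzid, base64 for SASL-IR."""
    return base64.b64encode(f"\0{user}\0{password}".encode()).decode()


def parse_capability(lines: list[str]) -> set[str]:
    """Client side: pull the capability set out of a CAPABILITY response."""
    for line in lines:
        if line.startswith("* CAPABILITY "):
            return set(line.split()[2:])
    raise ValueError(f"no CAPABILITY response in {lines!r}")


def suspicious_differences(pre_tls: set[str], post_tls: set[str]) -> set[str]:
    """Client side: the before/after comparison. Capabilities the server offers
    over TLS that were missing from the cleartext advertisement, minus those
    expected to change. Non-empty means the cleartext response may have been
    edited in transit (e.g. a stronger AUTH= mechanism stripped)."""
    return (post_tls - pre_tls) - TLS_GATED


if __name__ == "__main__":
    s, ir = ImapSession(), plain_initial_response("ken", "correct horse")
    for cmd in ("a1 CAPABILITY", "a2 STARTTLS", "a3 CAPABILITY", "a4 STARTTLS",
                f"a5 AUTHENTICATE PLAIN {ir}", "a6 CAPABILITY", "a7 STARTTLS"):
        print("C:", cmd)
        for reply in s.handle(cmd):
            print("S:", reply)
```

The comparison only works if the client already knows which capabilities the server legitimately withholds in cleartext; `TLS_GATED` hard-codes that knowledge for this model, but a real server may also gate AUTH= mechanisms or extensions on TLS, and every such legitimate difference is indistinguishable from a stripped one. A client that instead refuses to continue in cleartext when STARTTLS is not advertised needs no comparison at all.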
