Mark Crispin <[EMAIL PROTECTED]> wrote: > On Tue, 30 Dec 2003, Paul Jarc wrote: >> How about this: CAPABILITY IMAP4rev1 AUTH=ANONYMOUS LOGINDISABLED >> Would clients be prepared for that? > > That capability string is fine for an anonymous-only server. My client > code would handle that OK, but you'd have to configure it to use anonymous > access since otherwise it'd want to do a non-anonymous authentication (and > complain that it can't).
Ok, I'll try that. If I find that some clients can't handle it, I guess I'll add "anonymous"-only LOGIN. In that case, do you think I should also allow AUTH=PLAIN with "anonymous" as the username? I guess some clients might send a real username and password belonging to another service, only to be rejected here, but sniffers would still get the password. But I don't know whether advertising AUTH=PLAIN would make this any more likely. paul
