On Mon, 10 Mar 2003, Dale Woolridge wrote:
>On 10-Mar-2003 13:55 Charlie Brady wrote:
>| An IMAP server MAY advertise that the
>| LOGIN command is disabled by including the LOGINDISABLED capability
>| in the capability response.
>| ...
>| An IMAP server which implements STARTTLS MUST implement support for
>| the LOGINDISABLED capability on unencrypted connections.
>| An IMAP client which complies with this specification MUST NOT issue
>| the LOGIN command if this capability is present.
>| So, how does the server implement "LOGINDISABLED" if it doesn't advertise
>| the capability in the capability response?
> It is somewhat vague, although I would certainly interpret "MUST
> implement support for LOGINDISABLED capability" as meaning it must
> also advertise it in the cap response; i.e. the advertisement is moved
> from MAY to MUST in this special case. Are there other circumstances
> under which one might want to advertise LOGINDISABLED?
> Is bincimapd behaving correctly in this respect?
LOGINDISABLED is a hint to the client that it can't do a plain text
authentication. It saves a roundtrip. If the server does not say
LOGINDISABLED, and the client tries to authenticate (and it fails), the
client can "guess" that it has to try SSL and see if it works. So from what
I understand, LOGINDISABLED isn't really a capability in the English word's
original context.

>| > As far as I can tell, it won't be able to do
>| > that unless you put something else in the chain to give it the hint.
>| If local policy required encryption, then you would set up the process
>| chain so that bincimap wasn't ever executed until TLS had been negotiated
>| and the client successfully authenticated.
> Or you only offered tls/ssl service on ports dedicated for that purpose,
> optionally disabling the same non-tls/ssl services on other ports.
> STARTTLS really does seem more trouble than it's worth.

Trade-off. STARTTLS means you can allow both plain and SSL connections to
the same port. So for firewallers, they can have only one entry point
instead of two. SSL on port 993 means you can use an SSL enabled wrapper
instead of native code.

For us, native SSL support allows the rev2 STARTTLS mandatory
implementation, while allowing it to be switched off with no hassle. With
only a hundred or so lines of code it's no problem for me. The port 993
thingo is more likely to get deprecated from the protocol's POV, than
STARTTLS.

Andy

-- 
Andreas Aardal Hanssen | http://www.andreas.hanssen.name/gpg
Author of Binc IMAP | Nil desperandum
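Added example, not code from the thread or from Binc IMAP: a small Python model of the exchange discussed above, with constructed capability lines and a stand-in server class. It shows a client that honours LOGINDISABLED by doing STARTTLS before any LOGIN, and the extra round trip (and a plaintext LOGIN on the wire) a client pays when the server enforces the policy without advertising the hint.

```python
import re

# Constructed capability lines (not taken from the thread), in the untagged
# "* CAPABILITY ..." form a server sends before and after STARTTLS.
PLAIN_CAPS = "* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED AUTH=CRAM-MD5"
TLS_CAPS = "* CAPABILITY IMAP4rev1 AUTH=PLAIN AUTH=CRAM-MD5"

def parse_capabilities(line):
    """Return the set of capability tokens from an untagged CAPABILITY line."""
    m = re.match(r"\*\s+CAPABILITY\s+(.+)$", line.strip(), re.IGNORECASE)
    if not m:
        raise ValueError("not a CAPABILITY response: %r" % line)
    return {tok.upper() for tok in m.group(1).split()}

class FakeImapServer:
    """Stand-in for the server side (constructed for this example). It
    rejects LOGIN on the plaintext connection; advertise=False models a
    server that enforces the policy without advertising LOGINDISABLED."""
    def __init__(self, advertise=True):
        self.encrypted, self.advertise = False, advertise
    def capability(self):
        if self.encrypted:
            return TLS_CAPS
        return PLAIN_CAPS if self.advertise else PLAIN_CAPS.replace(" LOGINDISABLED", "")
    def starttls(self):
        self.encrypted = True          # a real server runs the TLS handshake here
    def login(self):
        return "OK" if self.encrypted else "NO [PRIVACYREQUIRED] LOGIN disabled"

def client_session(server):
    """Client side of the exchange; returns the commands sent, in order."""
    sent = []
    caps = parse_capabilities(server.capability())
    if "LOGINDISABLED" in caps and not server.encrypted and "STARTTLS" in caps:
        # RFC 2595: a client MUST NOT send LOGIN while LOGINDISABLED is advertised.
        sent.append("STARTTLS")
        server.starttls()
        caps = parse_capabilities(server.capability())   # re-fetch after TLS
    if "LOGINDISABLED" in caps:
        return sent + ["ABORT"]           # still disabled: never send credentials
    sent.append("LOGIN")
    if server.login().startswith("NO") and not server.encrypted and "STARTTLS" in caps:
        # No hint was given: the client only learns the policy from the failed
        # LOGIN, spends a second round trip on STARTTLS, and the credentials
        # have already crossed the wire in the clear.
        sent.append("STARTTLS")
        server.starttls()
        sent.append("LOGIN")
    return sent
```

`client_session(FakeImapServer())` yields `['STARTTLS', 'LOGIN']`, while the non-advertising server yields `['LOGIN', 'STARTTLS', 'LOGIN']`, the extra round trip Andy refers to.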

