On Tue, Mar 11, 2003 at 11:10:47AM +0100, Andreas Aardal Hanssen wrote:
> LOGINDISABLED is a hint to the client that can't do a plain text
> authentication. It saves a roundtrip.. if the server does not say

Just to drive the nail home: it's more than just a hint; it's a critically important
policy enforcement and security feature.

   This capability is useful to prevent clients compliant with this
   specification from sending an unencrypted password in an environment
   subject to passive attacks.  ...

And of course, any non-PtP IP network is an environment subject to passive attacks 
which pretty much covers nearly every situation in which a user is accessing an IMAP 
server.

Unlike other protocols where the username and password are sent as two separate steps 
(e.g. POP3's USER/PASS), with IMAP password authentication (i.e. LOGIN), it is a 
single line so the server doesn't get an opportunity to stop the client from 
transmitting the secret with a "TLS REQUIRED" type message.

C=)

-- 
--------------------------------------------------------------------------
     Better the hard truth than the comforting fantasy. -- Carl Sagan
--------------------------------------------------------------------------
Caskey <caskey*technocage.com>       ///                   TechnoCage Inc.
--------------------------------------------------------------------------
 A presumption on your part does not constitute an obligation on my part.
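As an added illustration of the exchange discussed in this message (example code written for this page, not from the original poster or any IMAP implementation): a toy server that advertises LOGINDISABLED until STARTTLS has been negotiated, a compliant client that reads CAPABILITY first and never sends LOGIN while that atom is present, and a naive client that sends LOGIN straight away. The server's `cleartext_secrets` list makes the single-line point concrete: by the time it answers NO, the password has already crossed the wire. The server, client, tags and credentials are all constructed for the example; the TLS handshake is simulated by a flag.

```python
# Added example (not from the original message): a toy model of the IMAP
# capability exchange. Server and client are constructed for illustration,
# not a real IMAP implementation; TLS is simulated by a boolean.


class ToyImapServer:
    """Pre-authentication state machine: CAPABILITY, STARTTLS, LOGIN."""

    def __init__(self, require_tls=True):
        self.require_tls = require_tls
        self.tls_active = False
        self.authenticated = False
        # Passwords that crossed the (simulated) wire before TLS was up.
        self.cleartext_secrets = []

    def capabilities(self):
        caps = ["IMAP4rev1", "STARTTLS"]
        if self.require_tls and not self.tls_active:
            # RFC 2595: advertise LOGINDISABLED until the session is under TLS.
            caps.append("LOGINDISABLED")
        return "* CAPABILITY " + " ".join(caps)

    def handle(self, tag, command, args=()):
        """Process one client command line; return the server's response lines."""
        if command == "CAPABILITY":
            return [self.capabilities(), f"{tag} OK CAPABILITY completed"]
        if command == "STARTTLS":
            self.tls_active = True  # the handshake itself is out of scope here
            return [f"{tag} OK Begin TLS negotiation now"]
        if command == "LOGIN":
            user, password = args
            # By the time the server parses LOGIN, the whole line (secret
            # included) has already been transmitted; a NO cannot undo that.
            if not self.tls_active:
                self.cleartext_secrets.append(password)
            if self.require_tls and not self.tls_active:
                return [f"{tag} NO LOGIN is disabled until STARTTLS is negotiated"]
            self.authenticated = True
            return [f"{tag} OK LOGIN completed"]
        return [f"{tag} BAD unknown command"]


def parse_capabilities(line):
    """Turn an untagged '* CAPABILITY a b c' response into a set of atoms."""
    parts = line.split()
    if parts[:2] != ["*", "CAPABILITY"]:
        raise ValueError(f"not a CAPABILITY response: {line!r}")
    return set(parts[2:])


def compliant_login(server, user, password):
    """Client that honours LOGINDISABLED. Returns (transcript, authenticated)."""
    transcript = []

    def send(tag, command, args=(), shown=None):
        resp = server.handle(tag, command, args)
        transcript.append("C: " + (shown or f"{tag} {command}"))
        transcript.extend("S: " + line for line in resp)
        return resp

    caps = parse_capabilities(send("a1", "CAPABILITY")[0])
    if "LOGINDISABLED" in caps:
        if "STARTTLS" not in caps:
            return transcript, False  # no way to protect the secret: give up
        send("a2", "STARTTLS")
        # Capabilities change after STARTTLS; RFC 2595 says to re-issue CAPABILITY.
        caps = parse_capabilities(send("a3", "CAPABILITY")[0])
        if "LOGINDISABLED" in caps:
            return transcript, False
    resp = send("a4", "LOGIN", (user, password), shown=f"a4 LOGIN {user} <password>")
    return transcript, resp[-1].split()[1] == "OK"


def naive_login(server, user, password):
    """Client that ignores capabilities and sends LOGIN immediately."""
    resp = server.handle("a1", "LOGIN", (user, password))
    return resp[-1].split()[1] == "OK"


if __name__ == "__main__":
    srv = ToyImapServer()
    transcript, ok = compliant_login(srv, "alice", "s3cret")
    print("\n".join(transcript))
    print("authenticated:", ok, "cleartext secrets seen:", srv.cleartext_secrets)
    srv = ToyImapServer()
    print("naive client ok:", naive_login(srv, "alice", "s3cret"),
          "cleartext secrets seen:", srv.cleartext_secrets)
```

Running the block prints the compliant transcript (CAPABILITY, STARTTLS, CAPABILITY again, then LOGIN with no secret in cleartext) followed by the naive case, where the server refuses the LOGIN but has still seen `s3cret`. The contrast the message draws with POP3's USER/PASS is exactly the second case: a two-step protocol would let the server refuse after USER, before the secret is ever sent.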
