> With the rest of Lyndon's proposal in place, we wouldn't need the explicit -sasl -tls. Very nice.
Thinking about it ... I realize I missed this part of his proposal. I'm not so sure I like the idea of defaulting to -sasl being on. While the traditional SASL mechanisms (CRAM-MD5, DIGEST-MD5, GSSAPI, etc.) are safe to send to an unknown/untrusted server, PLAIN is not; it sends the password in the clear (well, it's base64 encoded for SMTP and you're only supposed to use it over an encrypted channel, but you get the idea). If you do that with an untrusted server, boom, there goes your password. Maybe that's not a valid concern, but I'd rather require the user to configure that.

--Ken

_______________________________________________
Nmh-workers mailing list
[email protected]
https://lists.nongnu.org/mailman/listinfo/nmh-workers
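To make the distinction Ken draws concrete, here is an added example (not nmh code, not from anyone on the thread) that builds an RFC 4616 PLAIN initial response and shows the password falls straight out of it, builds an RFC 2195 CRAM-MD5 response and shows the password never appears, and encodes the policy Ken argues for: plaintext mechanisms only once the channel is encrypted. The username, password and server challenge are constructed values.

```python
"""SASL mechanism exposure check (constructed example, not nmh code)."""
import base64
import hashlib
import hmac

# Mechanisms that hand the password to whichever server receives them.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}


def plain_initial_response(authcid: str, passwd: str, authzid: str = "") -> str:
    """RFC 4616 PLAIN: base64(authzid NUL authcid NUL passwd)."""
    raw = f"{authzid}\0{authcid}\0{passwd}".encode()
    return base64.b64encode(raw).decode("ascii")


def recover_plain_password(encoded: str) -> str:
    """What an untrusted server sees: base64 is encoding, not protection."""
    return base64.b64decode(encoded).decode().split("\0")[2]


def cram_md5_response(user: str, passwd: str, challenge: bytes) -> str:
    """RFC 2195 CRAM-MD5: HMAC-MD5 keyed by the password over the server's
    challenge. The password itself is never transmitted."""
    digest = hmac.new(passwd.encode(), challenge, hashlib.md5).hexdigest()
    return f"{user} {digest}"


def mechanism_allowed(mech: str, tls_active: bool) -> bool:
    """Policy from the thread: PLAIN-style mechanisms only over an
    encrypted channel; challenge-response mechanisms are fine either way."""
    return mech.upper() not in PLAINTEXT_MECHS or tls_active


if __name__ == "__main__":
    # Constructed credentials and challenge for demonstration only.
    enc = plain_initial_response("ken", "hunter2")
    print("PLAIN on the wire:", enc, "-> password:", recover_plain_password(enc))
    chal = b"<1896.697170952@postoffice.example>"
    print("CRAM-MD5 on the wire:", cram_md5_response("ken", "hunter2", chal))
    print("PLAIN without TLS allowed?", mechanism_allowed("PLAIN", False))
```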
