> The proposal is to only use PLAIN with encryption:
>
> i) if TLS is in play, use internal PLAIN if the server supports it, else
> ii) fail

Right, but TLS doesn't guarantee you're talking to the right server (unless you do certificate verification, and we don't AFAIK); it only guarantees the channel is encrypted; I believe with the current setup

Maybe this isn't a practical concern, since I don't think many other people care.

It occurs to me that I should set SASL_SEC_NOPLAINTEXT when TLS is not in use.

--Ken
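
The policy discussed in this message, as an added example that is not part of the original post and is not nmh's code: PLAIN is refused without TLS (the flag mirrors Cyrus SASL's `SASL_SEC_NOPLAINTEXT`), and an optional check covers the unverified-certificate concern. The `ex_` names, the `ex_conn` structure and the `require_verified` knob are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Same value as SASL_SEC_NOPLAINTEXT in Cyrus SASL's <sasl/sasl.h>;
   defined locally so the example builds without libsasl2. */
#define EX_SEC_NOPLAINTEXT 0x0001u

/* Hypothetical connection state (assumption, not nmh's own structure). */
struct ex_conn {
    int tls_active;     /* channel is encrypted */
    int cert_verified;  /* server certificate chain and name were checked */
};

/* Flags to request from SASL: forbid plaintext mechanisms without TLS. */
unsigned ex_security_flags(const struct ex_conn *c)
{
    return c->tls_active ? 0u : EX_SEC_NOPLAINTEXT;
}

/* Return 1 if the space-separated list contains mech as a whole token. */
static int ex_has_mech(const char *list, const char *mech)
{
    size_t n = strlen(mech);
    for (const char *p = list; *p; ) {
        size_t len = strcspn(p, " ");
        if (len == n && strncmp(p, mech, n) == 0) return 1;
        p += len;
        p += strspn(p, " ");
    }
    return 0;
}

/* i) with TLS, use PLAIN if the server offers it; ii) otherwise fail (NULL).
   require_verified additionally refuses PLAIN over an unverified channel. */
const char *ex_pick_plain(const struct ex_conn *c, const char *server_mechs,
                          int require_verified)
{
    if (ex_security_flags(c) & EX_SEC_NOPLAINTEXT) return NULL;
    if (require_verified && !c->cert_verified) return NULL;
    return ex_has_mech(server_mechs, "PLAIN") ? "PLAIN" : NULL;
}

int main(void)
{
    struct ex_conn c = { 1, 0 };  /* constructed: TLS on, certificate unchecked */
    const char *m = ex_pick_plain(&c, "CRAM-MD5 PLAIN", 1);
    printf("%s\n", m ? m : "fail");
    return 0;
}
```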
