chibenwa commented on PR #3049:
URL: https://github.com/apache/james-project/pull/3049#issuecomment-4544996132

   > The additional announcement has been introduced this year and is not 
included in any release, I think.
   
   It was backported to previous release branches I presume, not yet released
   
   > Do you still remember what the initial reason was for announcing 
capabilities after authentication? Was there some client that expected James to 
do so?
   
   A security report originating from a large mailing company (this is PMC 
private so I cannot disclose it)
   
   This was not a security issue but more the fact we do not re-advertize 
capability after STARTTLS
   
   > Regardless, the ABNF in the RFC is quite clear that it should only happen 
if a SASL security layer has been negotiated.
   
   Then fair sorry I may have misunderstood the ABNF or read the RFC too 
quickly.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to