Timo Sirainen:
> On Mon, 2009-02-23 at 14:32 -0500, Victor Duchovni wrote:
> > On Mon, Feb 23, 2009 at 02:18:01PM -0500, Timo Sirainen wrote:
> > 
> > > In some setups it's useful for authentication handling to know if the
> > > connection is SSL/TLS secured. The patch below should tell this to
> > > Dovecot. It compiles, but other than that I haven't yet tested it.
> > 
> > How is this useful? It seems to me that a SASL implementation should
> > validate the credentials and leave policy questions to the MTA. The MTA
> > can decide whether SASL without TLS is sufficient or not.
> 
> It's basically the same thing as "disable plaintext authentication",
> except on a per-user (or per-domain, or per-source-IP-range) basis
> rather than globally. There are probably some other use cases that I've
> heard before but can't remember right now.

The MTA gets the Dovecot mechanism list first, including PLAIN or
LOGIN. Then the MTA sends the user's login name and password and
the TLS session state, and then Dovecot says no you can't do that.

What's the point? 

> The same problem exists with the global "disable plaintext
> authentication" flag.

Right now, the MTA makes the decision not to announce PLAIN or LOGIN,
therefore the client won't send plaintext.

        Wietse
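
The ordering argued about in the message above, as an added example that is not part of the original thread and is not Postfix or Dovecot code: a small simulation of one SMTP AUTH exchange under two policies. The policy names, the sample credentials and all function names are assumptions made for illustration; "accepted" means only that the policy permits the attempt, not that the password was verified.

```python
import base64

# Constructed sample credentials (not from the thread).
USER, PASSWORD = "alice", "s3cret-example"
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}
ALL_MECHS = ["PLAIN", "LOGIN", "CRAM-MD5"]

def announce(policy, tls_active):
    """Mechanism list the server advertises before any credentials are sent."""
    if policy == "filter-at-announce" and not tls_active:
        return [m for m in ALL_MECHS if m not in PLAINTEXT_MECHS]
    return list(ALL_MECHS)

def policy_accepts(policy, tls_active, mech):
    """Policy decision taken after the client's AUTH command has arrived."""
    if mech not in announce(policy, tls_active):
        return False
    if policy == "reject-after-auth" and mech in PLAINTEXT_MECHS and not tls_active:
        return False
    return True

def password_exposed(wire):
    """True if any cleartext line on the wire carries the password."""
    for line in wire:
        parts = line.split()
        if len(parts) == 3 and PASSWORD.encode() in base64.b64decode(parts[2]):
            return True
    return False

def run_session(policy, tls_active):
    """Return (mechanism chosen, policy accepted, password seen in cleartext)."""
    wire = []  # what an on-path observer can read when TLS is off
    offered = announce(policy, tls_active)
    # Hypothetical client: uses PLAIN whenever it is offered.
    mech = "PLAIN" if "PLAIN" in offered else offered[0]
    if mech == "PLAIN":
        blob = base64.b64encode(f"\0{USER}\0{PASSWORD}".encode()).decode()
        line = f"AUTH PLAIN {blob}"
    else:
        line = f"AUTH {mech}"  # challenge-response: password itself is not sent
    if not tls_active:
        wire.append(line)
    return mech, policy_accepts(policy, tls_active, mech), password_exposed(wire)

if __name__ == "__main__":
    for policy in ("reject-after-auth", "filter-at-announce"):
        print(policy, run_session(policy, tls_active=False))
```
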
