Re: how do disable SASL when compiling imap-2004a?

2004-08-17 Thread Mark Crispin
On Tue, 17 Aug 2004, ml wrote:
> I understand that USER/PASS is insecure.  However, there are [broken]
> servers out there which advertise USER and AUTH CRAM-MD5 but in fact
> support USER only!  So, when my c-client enabled stuff doesn't work with
> such servers, users would complain since their e-mail clients (e.g.
> Outlook) would work.
If all you want to do is disable a particular SASL authenticator when it 
is broken on the server, then just do e.g.
	mail_parameters (NIL,DISABLE_AUTHENTICATOR,"CRAM-MD5");
to disable CRAM-MD5.

This will still permit the use of other SASL authenticators.  c-client 
will never use USER/PASS unless there are no suitable SASL authenticators.

You should never do this unilaterally; the user should be required to 
configure it.  In particular, note that by default, modern versions of 
good POP3 servers disable the USER/PASS commands.  So it is *NOT* a good 
idea to disable SASL and make a client use USER/PASS by default.  In fact, 
it is a terrible idea.

-- Mark --
http://staff.washington.edu/mrc
Science does not emerge from voting, party politics, or public debate.
Si vis pacem, para bellum.
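
Added example, not part of the original messages and not c-client code: a self-contained C model of the selection rule described in the reply above, where a user-configured disable list removes one SASL mechanism, the remaining ones are still preferred, and USER/PASS is chosen only when no SASL mechanism is left. The function names, the preference order and the CAPA replies are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Model only, not c-client code; every name below is hypothetical. */
static const char *supported[] = { "CRAM-MD5", "PLAIN", NULL }; /* assumed preference order */
static const char *disabled[8];     /* filled from the user's configuration */
static int ndisabled = 0;

void disable_authenticator(const char *m) { if (ndisabled < 8) disabled[ndisabled++] = m; }

static int is_disabled(const char *mech)
{
    for (int i = 0; i < ndisabled; i++)
        if (!strcmp(disabled[i], mech)) return 1;
    return 0;
}

/* Parse a POP3 CAPA reply (RFC 2449): a SASL mechanism, "USER" as last resort, or NULL. */
const char *choose_auth(const char *capa)
{
    char buf[512], *mechs[16], *tok, *next;
    int nmechs = 0, user_ok = 0, n = 0;
    for (; capa[n] && n < (int)sizeof buf - 1; n++)  /* upper-cased working copy */
        buf[n] = (char)toupper((unsigned char)capa[n]);
    buf[n] = '\0';
    for (char *p = buf; *p; p = next) {              /* one CAPA line per pass */
        size_t len = strcspn(p, "\r\n");
        next = p[len] ? p + len + 1 : p + len;
        p[len] = '\0';
        if (!(tok = strtok(p, " "))) continue;
        if (!strcmp(tok, "USER")) user_ok = 1;
        else if (!strcmp(tok, "SASL"))
            while (nmechs < 16 && (tok = strtok(NULL, " ")))
                mechs[nmechs++] = tok;
    }
    for (int i = 0; supported[i]; i++) {             /* SASL first, in preference order */
        if (is_disabled(supported[i])) continue;
        for (int j = 0; j < nmechs; j++)
            if (!strcmp(mechs[j], supported[i])) return supported[i];
    }
    return user_ok ? "USER" : NULL;                  /* only when no SASL mechanism is left */
}

int main(void)
{
    disable_authenticator("CRAM-MD5");               /* the user's configured workaround */
    puts(choose_auth("+OK\r\nUSER\r\nSASL CRAM-MD5\r\n.\r\n"));  /* constructed reply */
}
```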


Re: how do disable SASL when compiling imap-2004a?

2004-08-16 Thread ml
On Mon, 16 Aug 2004, Mark Crispin wrote:

> On Thu, 29 Jul 2004, ml wrote:
>> Is there a way to disable all SASL based authentication when compiling
>> imap-2004a?
>
> Sorry for the delay in answering.
>
> The general answer to your question is no; however, you can modify the
> source code.
>
> Why do you want to disable SASL authentication?  USER/PASS is very insecure
> and should not be used.

Mark,

Thanks for the response.  I trust that you have had a good vacation.

I understand that USER/PASS is insecure.  However, there are [broken]
servers out there which advertise USER and AUTH CRAM-MD5 but in fact
support USER only!  So, when my c-client enabled stuff doesn't work with
such servers, users would complain since their e-mail clients (e.g.
Outlook) would work.

Is there a way to force pop3.c to fall back to USER/PASS when CRAM-MD5
fails?

For now, I have hacked pop3.c to make it use USER/PASS only. Thanks.

Cheers,
N.