Benoit Tellier created JAMES-3636:
-------------------------------------
Summary: IMAP plainAuthDisallowed should be true by default
Key: JAMES-3636
URL: https://issues.apache.org/jira/browse/JAMES-3636
Project: James Server
Issue Type: Improvement
Components: IMAPServer
Affects Versions: 3.6.0
Reporter: Benoit Tellier
Fix For: 3.7.0
Encouraging non-encrypted login is definitely a bad practice and could lead to
session fixation (where the attacker logs in first, then the victim does not
realize its login fails).
We should make the safe 'plainAuthDisallowed' option the default everywhere.
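A way to check, from the client side, whether an IMAP listener still accepts plain logins before TLS. This is an added example, not part of the original issue or of James's code. It relies on RFC 3501, where a server that refuses cleartext LOGIN advertises LOGINDISABLED; the sample capability lines are constructed, and that a listener with `plainAuthDisallowed` enabled presents the hardened form is an assumption.

```python
import re

# SASL mechanisms that send the password itself; unsafe without TLS.
PLAINTEXT_SASL = {"AUTH=PLAIN", "AUTH=LOGIN"}

def parse_capabilities(line: str) -> set[str]:
    """Extract capability atoms from a greeting '* OK [CAPABILITY ...]' or an
    untagged '* CAPABILITY ...' response (RFC 3501 sections 7.1 and 7.2.1)."""
    m = (re.search(r"\[CAPABILITY ([^\]]*)\]", line, re.I)
         or re.match(r"\*\s+CAPABILITY\s+(.*)$", line.strip(), re.I))
    return {atom.upper() for atom in m.group(1).split()} if m else set()

def audit_cleartext_caps(line: str) -> list[str]:
    """Findings for a capability line received BEFORE TLS is negotiated."""
    caps = parse_capabilities(line)
    if not caps:
        return ["no capability list found"]
    findings = []
    if "LOGINDISABLED" not in caps:
        findings.append("LOGINDISABLED missing: LOGIN is accepted in cleartext")
    for mech in sorted(caps & PLAINTEXT_SASL):
        findings.append(f"{mech} advertised before TLS")
    # Only relevant on a cleartext port; an implicit-TLS port has no STARTTLS.
    if "STARTTLS" not in caps:
        findings.append("STARTTLS missing: client cannot upgrade the connection")
    return findings

# Constructed sample lines, as a client would see them on a cleartext port.
WEAK = "* OK [CAPABILITY IMAP4rev1 LITERAL+ STARTTLS AUTH=PLAIN] IMAP server ready"
HARDENED = "* CAPABILITY IMAP4rev1 LITERAL+ STARTTLS LOGINDISABLED"

if __name__ == "__main__":
    for name, line in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_cleartext_caps(line) or "ok")
```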