Hello all,

I discovered a few days ago the imapserver.xml plainAuthDisallowed option. It says whether or not the AUTH=PLAIN capability is advertised before a STARTTLS command. The default value is false, which means that it encourages clients to send credentials over an insecure medium, and might result in credentials being stolen.
In https://github.com/apache/james-project/pull/613 I propose to switch this behavior to disabled by default: one must switch SSL / STARTTLS on before being able to authenticate. This change should be transparent to well-configured email clients, the biggest impact being that people testing James with telnet will encounter difficulties. As such I propose to rely on OpenSSL for our demos:

openssl s_client -connect 127.0.0.1:993 ...

Cheers,

Benoit TELLIER

---------------------------------------------------------------------
To unsubscribe, e-mail: server-dev-unsubscr...@james.apache.org
For additional commands, e-mail: server-dev-h...@james.apache.org
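The check a practitioner would want after reading the above is whether a given IMAP server actually lets a client send credentials before STARTTLS. The following is an added example, not part of the original mail and not Apache James code: it parses CAPABILITY responses, decides whether plaintext authentication is exposed (per RFC 3501 the LOGIN command is permitted unless LOGINDISABLED is advertised, and AUTH=PLAIN / AUTH=LOGIN are plaintext mechanisms), and optionally probes a live server on the plaintext port with the standard library imaplib. The sample capability lines are constructed for illustration and are not claimed to be James's exact output.

```python
"""Check whether an IMAP server exposes plaintext authentication before STARTTLS.

Added example (not Apache James code). The CAPABILITY lines used in the demo
are constructed, not captured from a real server.
"""
import imaplib
import re
import ssl

# Matches the [CAPABILITY ...] response code a server may put in its greeting.
_BRACKET = re.compile(r"\[CAPABILITY ([^\]]+)\]", re.IGNORECASE)

# Mechanisms that transmit the password in the clear (base64 is not encryption).
PLAINTEXT_MECHS = {"AUTH=PLAIN", "AUTH=LOGIN"}


def parse_capability_line(line: str) -> set:
    """Extract capability tokens from either form a server can use:
    an untagged '* CAPABILITY ...' response or a greeting that carries a
    '[CAPABILITY ...]' response code. Tokens are upper-cased for comparison.
    Returns an empty set for lines that carry no capability list."""
    line = line.strip()
    match = _BRACKET.search(line)
    if match:
        body = match.group(1)
    elif line.upper().startswith("* CAPABILITY "):
        body = line[len("* CAPABILITY "):]
    else:
        return set()
    return {token.upper() for token in body.split()}


def plaintext_auth_exposed(caps) -> bool:
    """True if a client could send credentials in the clear at this point.

    RFC 3501 allows the LOGIN command unless LOGINDISABLED is advertised, so a
    server is only safe before STARTTLS when it advertises LOGINDISABLED and
    offers no plaintext SASL mechanism."""
    caps = {c.upper() for c in caps}
    return bool(caps & PLAINTEXT_MECHS) or "LOGINDISABLED" not in caps


def assess_lines(pre_tls_line: str, post_tls_line: str = "") -> dict:
    """Classify a captured greeting/CAPABILITY line from before STARTTLS and,
    optionally, the CAPABILITY line seen after the TLS handshake."""
    before = parse_capability_line(pre_tls_line)
    report = {
        "before_tls": sorted(before),
        "exposed_before_tls": plaintext_auth_exposed(before),
        "offers_starttls": "STARTTLS" in before,
    }
    if post_tls_line:
        after = parse_capability_line(post_tls_line)
        report["after_tls"] = sorted(after)
        # After STARTTLS some plaintext mechanism is expected; that is fine.
        report["exposed_after_tls"] = plaintext_auth_exposed(after)
    return report


def probe(host: str, port: int = 143, ssl_context=None, timeout: float = 10.0) -> dict:
    """Live check on the plaintext IMAP port: record capabilities before and
    after STARTTLS. imaplib re-reads CAPABILITY once TLS is established, so
    conn.capabilities reflects the post-TLS view after starttls() returns.
    Pass a custom ssl_context for a test server with a self-signed certificate."""
    ctx = ssl_context or ssl.create_default_context()
    conn = imaplib.IMAP4(host, port, timeout=timeout)
    try:
        before = set(conn.capabilities)
        report = {
            "before_tls": sorted(before),
            "exposed_before_tls": plaintext_auth_exposed(before),
            "offers_starttls": "STARTTLS" in before,
        }
        if "STARTTLS" in before:
            conn.starttls(ctx)
            after = set(conn.capabilities)
            report["after_tls"] = sorted(after)
            report["exposed_after_tls"] = plaintext_auth_exposed(after)
        return report
    finally:
        try:
            conn.logout()
        except (imaplib.IMAP4.error, OSError):
            pass


if __name__ == "__main__":
    # Constructed sample lines: a server that advertises AUTH=PLAIN before
    # STARTTLS (the weak default described in the mail) and one that does not.
    weak = "* OK [CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN] IMAP4rev1 Server ready"
    hardened = "* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED] IMAP4rev1 Server ready"
    after_tls = "* CAPABILITY IMAP4rev1 AUTH=PLAIN"
    print("weak:", assess_lines(weak, after_tls))
    print("hardened:", assess_lines(hardened, after_tls))
    # probe("127.0.0.1", 143) would run the same check against a live server.
```

For a manual look at the same transition, `openssl s_client -starttls imap -connect 127.0.0.1:143` performs the STARTTLS upgrade on the plaintext port, after which a `CAPABILITY` command should show the authentication mechanisms that were hidden (or should have been hidden) beforehand.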