Fwd: [Bug 2792] an option to restrict probing for users' existence
adibuciuman at gmail.com
Sat Apr 8 06:43:04 EDT 2006
>------- Additional Comments From murch at andrew.cmu.edu 2006-04-07 11:18 ------
>I assume that you want the generic "authentication failure" in both
>------- Additional Comments From murch at andrew.cmu.edu 2006-04-07 16:07 ------
>Fixed in CVS (2.2 and 2.3). Not returning "user not found" in protocol is now
>the standard behavior.
For me it doesn't really matter. I have two servers, and both are
accessible only from private networks. But if I found something I
believe is odd, I usually report it.
Returning "user not found" may be more useful for troubleshooting.
("Is the password wrong, or is @domain needed after the username?")
Public accessible sites probably like a generic "authentication failure".
On the other hand, according to RFC 3501 in section 11.2 page 93:
"A server error message for a failing LOGIN command SHOULD NOT specify
that the user name, as opposed to the password, is invalid."
(Why not the same requirement for AUTHENTICATE?)
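As an added illustration of the two behaviours discussed above (not code from Cyrus or from the bug report), the following constructed Python sketch puts a "user not found" LOGIN handler beside one that returns only a generic failure, while still writing the specific reason to a server-side log so troubleshooting is not lost. The user table, salt, hash function and the `SERVER_LOG` list are all assumptions made for the example; the response strings only mirror the wording on this page.

```python
import hashlib
import hmac
import secrets

# Constructed credential store for the example: username -> (salt, PBKDF2 hash).
# A real server would use a per-user salt; one shared salt keeps the sketch short.
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = b"constructed-salt"
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}

# Dummy record hashed against for unknown users so that an unknown name costs
# the same work as a wrong password (avoids leaking existence through timing).
_DUMMY = (_SALT, _hash(secrets.token_hex(16), _SALT))

# Server-side log (hypothetical): the specific reason belongs here, not on the wire.
SERVER_LOG: list[str] = []


def login_leaky(username: str, password: str) -> str:
    """'Before' behaviour: the protocol response reveals whether the user exists."""
    rec = USERS.get(username)
    if rec is None:
        return "NO user not found"
    salt, expected = rec
    if hmac.compare_digest(_hash(password, salt), expected):
        return "OK LOGIN completed"
    return "NO authentication failure"


def login_generic(username: str, password: str) -> str:
    """'After' behaviour: one generic response for every failed LOGIN,
    as RFC 3501 section 11.2 recommends; the detail goes to the server log."""
    known = username in USERS
    salt, expected = USERS[username] if known else _DUMMY
    # Always perform the hash and the constant-time compare, even for unknown users.
    password_ok = hmac.compare_digest(_hash(password, salt), expected)
    if known and password_ok:
        SERVER_LOG.append(f"login ok user={username}")
        return "OK LOGIN completed"
    reason = "bad password" if known else "unknown user"
    SERVER_LOG.append(f"login failed user={username} reason={reason}")
    return "NO authentication failure"


if __name__ == "__main__":
    for name, pw in [("alice", "correct horse"), ("alice", "wrong"), ("bob", "wrong")]:
        print(f"{name:6} leaky:   {login_leaky(name, pw)}")
        print(f"{name:6} generic: {login_generic(name, pw)}")
    print("\n".join(SERVER_LOG))
```

The point of the design is that the distinguishing information still exists, but only where the administrator can read it: the two failure cases in `login_generic` produce byte-identical responses and near-identical timing, and the operator who needs to know whether the username or the password was wrong looks at `SERVER_LOG` instead of the client's error message.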