[POLL] Defaulting allowplaintext to disabled

Ken Murchison murch at andrew.cmu.edu
Tue Mar 27 13:02:59 EST 2007


After thinking about bug #2922 some more, and discussing it with Jeff, I 
now agree that it would be nice to have the allowplaintext option 
control both the protocol-specific plaintext login commands (IMAP 
LOGIN, POP3 USER/PASS, NNTP AUTHINFO USER/PASS), and the plaintext SASL 
mechanisms (PLAIN, LOGIN).  However there is still one outstanding 
problem, which is that the allowplaintext option is enabled by default, 
meaning that PLAIN w/o TLS would be enabled by default, thus violating a 
MUST [NOT] in RFC 3501, with a side-effect of making me quite ill.

Since sending passwords in the clear sucks, and I would like to think 
that most reasonable admins disable this option anyway, would anyone 
have a major gripe if we change the allowplaintext option to default to 
disabled in the 2.3.9 release?  Obviously, we will document this change 
prominently in the release notes.

https://bugzilla.andrew.cmu.edu/show_bug.cgi?id=2922

-- 
Kenneth Murchison
Systems Programmer
Project Cyrus Developer/Maintainer
Carnegie Mellon University
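The policy the message proposes, as an added illustration that is not Cyrus's own code: a single allowplaintext switch gates both the protocol-level plaintext login commands and the plaintext SASL mechanisms, and an active TLS layer lifts the restriction. The function names, the mechanism sets and the capability strings below are assumptions made for this example; the IMAP capability builder follows RFC 3501 section 6.2.3 (advertise LOGINDISABLED when LOGIN is refused; a client MUST NOT send LOGIN when it sees LOGINDISABLED).

```python
"""Model of one allowplaintext switch covering both plaintext login
commands and plaintext SASL mechanisms.  Illustrative code, not the
Cyrus implementation; names and constants are assumptions."""

# Plaintext-credential commands named in the message, per protocol (assumed table).
PLAINTEXT_COMMANDS = {
    "imap": {"LOGIN"},
    "pop3": {"USER", "PASS"},
    "nntp": {"AUTHINFO USER", "AUTHINFO PASS"},
}

# SASL mechanisms that carry the password in the clear.
PLAINTEXT_SASL = {"PLAIN", "LOGIN"}


def plaintext_permitted(allowplaintext: bool, tls_active: bool) -> bool:
    """Clear-text credentials are acceptable only when the session is already
    protected (STARTTLS negotiated or implicit TLS) or the admin opted in."""
    return tls_active or allowplaintext


def permit_command(protocol: str, command: str,
                   allowplaintext: bool, tls_active: bool) -> bool:
    """Server-side decision for a protocol-specific command.  Commands that do
    not carry a password are unaffected by the switch."""
    if command.upper() not in PLAINTEXT_COMMANDS[protocol]:
        return True
    return plaintext_permitted(allowplaintext, tls_active)


def advertised_mechs(available, allowplaintext: bool, tls_active: bool):
    """SASL mechanisms to advertise: PLAIN and LOGIN are withheld unless
    plaintext is permitted on this session."""
    if plaintext_permitted(allowplaintext, tls_active):
        return sorted(available)
    return sorted(m for m in available if m not in PLAINTEXT_SASL)


def imap_capability(available, allowplaintext: bool, tls_active: bool) -> str:
    """Build the untagged CAPABILITY response for an IMAP session.
    STARTTLS is offered only before TLS is up; LOGINDISABLED is advertised
    whenever the LOGIN command would be refused (RFC 3501 section 6.2.3)."""
    caps = ["IMAP4rev1"]
    if not tls_active:
        caps.append("STARTTLS")
    if not permit_command("imap", "LOGIN", allowplaintext, tls_active):
        caps.append("LOGINDISABLED")
    caps += ["AUTH=" + m for m in advertised_mechs(available, allowplaintext, tls_active)]
    return "* CAPABILITY " + " ".join(caps)


def client_may_send_login(capability_line: str) -> bool:
    """Client-side rule from RFC 3501: MUST NOT send LOGIN if LOGINDISABLED
    is advertised.  Capability names are compared case-insensitively."""
    caps = {tok.upper() for tok in capability_line.split()}
    return "LOGINDISABLED" not in caps


if __name__ == "__main__":
    mechs = {"PLAIN", "LOGIN", "CRAM-MD5"}   # constructed sample mechanism list
    for allow in (True, False):
        for tls in (False, True):
            line = imap_capability(mechs, allow, tls)
            print(f"allowplaintext={allow!s:5} tls={tls!s:5} -> {line}")
            print("   client may send LOGIN:", client_may_send_login(line))
```

With allowplaintext left at the current default (True) and no TLS, the response advertises AUTH=PLAIN, AUTH=LOGIN and no LOGINDISABLED, which is the state the message objects to; flipping the switch to False yields LOGINDISABLED and only the challenge-response mechanisms on the cleartext port, while a TLS session is unaffected either way. In imapd.conf the switch itself is the `allowplaintext:` option (assumed here to take `yes`/`no`).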