[POLL] Defaulting allowplaintext to disabled

Florian G. Pflug fgp at phlo.org
Wed Mar 28 14:44:39 EST 2007


Ken Murchison wrote:
> After thinking about bug #2922 some more, and discussing it with Jeff, I 
> now agree that it would be nice to have the allowplaintext option 
> control both the protocol-specific plaintext login commands (IMAP, 
> LOGIN, POP3 USER/PASS, NNTP AUTHINFO USER/PASS), and the plaintext SASL 
> mechanisms (PLAIN, LOGIN).  However there is still one outstanding 
> problem, which is that the allowplaintext option is enabled by default, 
> meaning that PLAIN w/o TLS would be enabled by default, thus violating a 
> MUST [NOT] in RFC 3501, with a side-effect of making me quite ill.
> 
> Since sending passwords in the clear sucks, and I would like to think 
> that most reasonable admins disable this option anyways, would anyone 
> have a major gripe if we change the allowplaintext option to default to 
> disabled in the 2.3.9 release?  Obviously, we will document this change 
> prominently in the release notes.

Sounds perfect to me.

Now that I read my comment to the bug again, it sounds a bit harsh -
I should have written that more politely. I hope I didn't offend
anyone - it was remembering my frustration after hours of debugging my
not-working proxy auth that spoke in that comment :-(

So, thank you *very* *much* for reconsidering your decision, and again
sorry for my tone.

greetings, Florian Pflug
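An added example, not part of this thread or of Cyrus itself, that checks the policy Ken describes from the defender's side: it parses a server's CAPABILITY line as seen before STARTTLS and flags plaintext login methods (LOGIN without LOGINDISABLED, AUTH=PLAIN, AUTH=LOGIN), and reads allowplaintext from imapd.conf-style text. The capability lines are constructed samples; the accepted switch spellings and the version default are assumptions passed in by the caller.

```python
"""Audit an IMAP server's pre-TLS capabilities and its allowplaintext setting."""
import re

# Plaintext SASL mechanisms the message says allowplaintext should govern.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}

# Constructed sample CAPABILITY responses (not captured from a real server).
WEAK_CAPS = "* CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN AUTH=LOGIN AUTH=DIGEST-MD5"
HARDENED_CAPS = "* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED AUTH=DIGEST-MD5"


def parse_capabilities(line: str) -> set[str]:
    """Return the capability tokens of an untagged '* CAPABILITY ...' line."""
    m = re.match(r"\*\s+CAPABILITY\s+(.*)", line.strip(), re.IGNORECASE)
    if not m:
        raise ValueError("not a CAPABILITY response")
    return {tok.upper() for tok in m.group(1).split()}


def audit_pre_tls(caps: set[str], tls_negotiated: bool = False) -> list[str]:
    """List plaintext login methods offered before TLS; empty means clean."""
    if tls_negotiated:
        return []  # after STARTTLS these mechanisms are acceptable
    findings = []
    if "LOGINDISABLED" not in caps:
        findings.append("LOGIN command usable without TLS (LOGINDISABLED missing)")
    for mech in sorted(PLAINTEXT_MECHS):
        if f"AUTH={mech}" in caps:
            findings.append(f"AUTH={mech} advertised without TLS")
    return findings


def allowplaintext_enabled(conf_text: str, default: bool) -> bool:
    """Read allowplaintext from 'key: value' config text.

    `default` is what the running Cyrus version assumes when the key is
    absent (the message says 2.3.8 and earlier default to enabled). The set
    of truthy spellings is an assumption, not taken from Cyrus's parser.
    """
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key.lower() == "allowplaintext":
            return value.lower() in {"1", "t", "y", "yes", "on", "true"}
    return default
```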


