Order of SASL2 methods announced? (Cyrus IMAPD2)

Pascal Gienger Pascal.Gienger at uni-konstanz.de
Sat Sep 13 05:25:04 EDT 2003


Rob Siemborski <rjs3 at andrew.cmu.edu> wrote:

> Mostly randomly.  Somewhat based on the order the plugin is loaded.
> Security requirements of SASL basically dictate that the client ignore the
> order they are advertised.
>
>> The problem arises (again) with Microsoft Outlook and Outlook Express.
>>
>> Outlook breaks when "AUTH=NTLM" is not the FIRST method announced! It
>> gives me an error saying "DIGEST-MD5: authentication failed" in Outlook
>> (sure, Microsoft products only handle GSSAPI, NTLM and plaintext).
>
> So, if you don't want to use DIGEST (or whatever), restrict what is
> advertised with sasl_mech_list.

So I would have to disable all but NTLM to be sure AUTH=NTLM is the first 
or only "AUTH" visible. No, I won't do this for Microsoft users only because 
of their broken clients.
Users noticed the behaviour because sending mail with SPA/NTLM did work 
(our mail relays use sasl2 with postfix and there "AUTH NTLM"/"AUTH=NTLM" 
is surprisingly the first auth announced):

250-AUTH NTLM PLAIN LOGIN DIGEST-MD5 CRAM-MD5
250-AUTH=NTLM PLAIN LOGIN DIGEST-MD5 CRAM-MD5

So this worked. My imapd however gives this:

* CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE 
UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND SORT 
THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE STARTTLS AUTH=DIGEST-MD5 
AUTH=NTLM AUTH=CRAM-MD5 ANNOTATEMORE X-NETSCAPE

And Outlook ALWAYS tries to use "DIGEST-MD5" saying it can't do so. What a 
perfectly dumb and broken client.
I set up a fake imapd (using echo and read) to see how Outlook behaves when 
parsing "AUTH". When putting "AUTH=NTLM" before DIGEST-MD5, Outlook works. 
Quite funny. It's just for the record in case anybody experiences the same 
strange behaviour.

I won't change anything in my installation.
Outlook users can still use SSL if they don't want their password exposed.

Thank you for your clarification!

Pascal
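Rob's point that a SASL client must choose a mechanism from its own preference list and ignore the server's announced order can be checked with a small parser over the two banners quoted in this thread. This is an added example, not code from the thread, from Cyrus or from Outlook; the client preference order and the `tls_active` flag are assumptions made for the example.

```python
import re
from typing import List, Optional

# Assumed client-side preference, strongest first (not Outlook's real list).
CLIENT_PREFERENCE = ["GSSAPI", "DIGEST-MD5", "CRAM-MD5", "NTLM", "PLAIN", "LOGIN"]
# Mechanisms that reveal the password to a passive observer unless TLS is up.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}

# Sample banners, copied from the thread (the IMAP one re-joined onto one line).
IMAP_CAPS = ("* CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS "
             "NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND "
             "SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE STARTTLS "
             "AUTH=DIGEST-MD5 AUTH=NTLM AUTH=CRAM-MD5 ANNOTATEMORE X-NETSCAPE")
IMAP_CAPS_NTLM_FIRST = IMAP_CAPS.replace(
    "AUTH=DIGEST-MD5 AUTH=NTLM", "AUTH=NTLM AUTH=DIGEST-MD5")   # constructed
SMTP_EHLO = ("250-AUTH NTLM PLAIN LOGIN DIGEST-MD5 CRAM-MD5\n"
             "250-AUTH=NTLM PLAIN LOGIN DIGEST-MD5 CRAM-MD5")


def advertised_mechs(response: str) -> List[str]:
    """Extract SASL mechanisms from an IMAP CAPABILITY response or an SMTP EHLO
    reply, keeping the server's announcement order and dropping duplicates."""
    found: List[str] = []
    for line in response.splitlines():
        line = line.strip()
        m = re.match(r"^250[- ]AUTH[ =](.+)$", line)        # SMTP: both AUTH forms
        if m:
            found += m.group(1).split()
        else:
            found += re.findall(r"\bAUTH=([A-Z0-9_-]+)", line)  # IMAP: AUTH=NAME
    seen, ordered = set(), []
    for mech in found:
        if mech not in seen:
            seen.add(mech)
            ordered.append(mech)
    return ordered


def choose_mech(response: str, tls_active: bool) -> Optional[str]:
    """Pick the mechanism by client preference only; server order is irrelevant,
    and plaintext mechanisms are refused unless the session is already under TLS."""
    offered = set(advertised_mechs(response))
    for mech in CLIENT_PREFERENCE:
        if mech in offered and (tls_active or mech not in PLAINTEXT_MECHS):
            return mech
    return None
```

Run `choose_mech` on `IMAP_CAPS` and `IMAP_CAPS_NTLM_FIRST`: a conforming client picks the same mechanism either way, which is exactly the behaviour the thread says Outlook lacks.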
