Order of SASL2 methods announced? (Cyrus IMAPD2)

Rob Siemborski rjs3 at andrew.cmu.edu
Fri Sep 12 09:34:47 EDT 2003


On Fri, 12 Sep 2003, Pascal Gienger wrote:

> We have some kind of - problem.
>
> We try to understand HOW the different SASL plugins are ordered when doing
> an announcement (. CAPABILITY).

Mostly Randomly.  Somewhat based on the order the plugin is loaded.
Security requirements of SASL basically dictate that the client ignore the
order they are advertised.

> The problem arises (again) with Microsoft Outlook and Outlook Express.
>
> Outlook breaks when "AUTH=NTLM" is not the FIRST method announced! It gives
> me an error saying "DIGEST-MD5: authentication failed" in Outlook (sure,
> Microsoft products only handle GSSAPI, NTLM and plaintext).

So, if you don't want to use DIGEST (or whatever), restrict what is
advertised with sasl_mech_list.

-Rob

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Rob Siemborski * Andrew Systems Group * Cyert Hall 207 * 412-268-7456
Research Systems Programmer * /usr/contributed Gatekeeper
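
The two points in the reply above, as an added example that is not part of the original post and is not Cyrus or Outlook code: a client that picks a mechanism by its own ranking regardless of the advertised order, and a simplified model of `sasl_mech_list` as a server-side allow-list. The preference list, the plugin load order, and the helper names are constructed for illustration.

```python
# Added example: SASL mechanism selection that ignores advertised order.
# CLIENT_PREFERENCE and the sample plugin order are constructed values.

CLIENT_PREFERENCE = ["GSSAPI", "NTLM", "PLAIN"]  # client's own ranking (assumed)


def parse_auth_mechs(capability_line):
    """Return the set of SASL mechanisms in an IMAP CAPABILITY response."""
    tokens = [t.upper() for t in capability_line.split()]
    if "CAPABILITY" not in tokens:
        raise ValueError("not a CAPABILITY response")
    # Mechanism names are case-insensitive; a set discards server ordering.
    return {t[len("AUTH="):] for t in tokens if t.startswith("AUTH=")}


def choose_mechanism(capability_line, preference=CLIENT_PREFERENCE):
    """Pick by the client's ranking; the server's ordering plays no part."""
    offered = parse_auth_mechs(capability_line)
    for mech in preference:
        if mech in offered:
            return mech
    return None  # nothing mutually supported: fail rather than guess


def advertise(installed, mech_list=None):
    """Server side: model sasl_mech_list as a whitespace-separated allow-list.

    Simplified model: plugin load order is kept, unlisted plugins are dropped.
    """
    if mech_list is None:
        return list(installed)
    allowed = {m.upper() for m in mech_list.split()}
    return [m for m in installed if m.upper() in allowed]


def capability(mechs):
    """Build a constructed CAPABILITY line from a list of mechanisms."""
    return "* CAPABILITY IMAP4rev1 " + " ".join("AUTH=" + m for m in mechs)


if __name__ == "__main__":
    installed = ["DIGEST-MD5", "PLAIN", "NTLM"]  # constructed load order
    print(choose_mechanism(capability(installed)))
    print(choose_mechanism(capability(reversed(installed))))
    print(capability(advertise(installed, "NTLM PLAIN")))
```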
