missing plain authentication explained?

Ross Boylan ross at biostat.ucsf.edu
Fri Jul 21 22:15:54 EDT 2006


On Fri, Jul 21, 2006 at 09:24:09AM -0700, Ross Boylan wrote:
> On Fri, Jul 21, 2006 at 12:06:36PM +0200, Phil Pennock wrote:
> > On 2006-07-20 at 23:04 -0700, Ross Boylan wrote:
> > > Shouldn't AUTH=PLAIN appear on that capability list?  I was able to
> > > log in using CRAM-MD5.
> > > 
> > > My imapd.conf includes
> > > allowplaintext:: yes
> > 
> > Do you really have "::" instead of ":" in your config?
> No; that was a transcription error.  Sorry about that.
> So the original file has
> allowplaintext: yes

The docs say that PLAIN is not advertised unless one has TLS, which I
think means one is within a TLS session.

I'm not entirely clear about whether PLAIN can be used, even if not
advertised, if the session is not secure.  Since I'm doing everything
on one box, it's not a big security risk (I think).

Ross
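
An added example, not part of the original message or of Cyrus itself: one way to compare what an IMAP server advertises before and after STARTTLS, which is the behaviour the documentation is described as having. It only inspects advertised capabilities and does not show whether an unadvertised mechanism would be accepted. The sample CAPABILITY lines are constructed, and the function names are hypothetical.

```python
import imaplib
import ssl

# SASL mechanisms that send the password itself and rely on the channel for secrecy.
CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}

def parse_capability(line):
    """Split one CAPABILITY line into (SASL mechanisms, other capability atoms).

    Accepts the untagged form "* CAPABILITY ..." and the bracketed
    greeting form "* OK [CAPABILITY ...] text".
    """
    text = line.strip()
    start = text.upper().find("CAPABILITY")
    if start < 0:
        raise ValueError("no CAPABILITY data in line")
    body = text[start + len("CAPABILITY"):].split("]", 1)[0]
    atoms = body.upper().split()
    mechs = {a[5:] for a in atoms if a.startswith("AUTH=")}
    other = {a for a in atoms if not a.startswith("AUTH=")}
    return mechs, other

def assess(pre_tls_line, post_tls_line):
    """Summarise how the advertised mechanisms change once TLS is active."""
    pre_mechs, pre_other = parse_capability(pre_tls_line)
    post_mechs, _ = parse_capability(post_tls_line)
    return {
        "starttls_offered": "STARTTLS" in pre_other,
        "logindisabled_before_tls": "LOGINDISABLED" in pre_other,
        "cleartext_mechs_before_tls": sorted(pre_mechs & CLEARTEXT_MECHS),
        "mechs_added_by_tls": sorted(post_mechs - pre_mechs),
    }

def fetch_capability_lines(host, port=143):
    """Collect (before, after) capability lines from a live server around STARTTLS."""
    conn = imaplib.IMAP4(host, port)
    try:
        before = "* CAPABILITY " + " ".join(conn.capabilities)
        conn.starttls(ssl.create_default_context())  # imaplib re-reads capabilities
        after = "* CAPABILITY " + " ".join(conn.capabilities)
        return before, after
    finally:
        conn.logout()

# Constructed sample lines (not captured from a real server).
SAMPLE_PRE = "* OK [CAPABILITY IMAP4 IMAP4rev1 STARTTLS AUTH=CRAM-MD5 AUTH=DIGEST-MD5] ready"
SAMPLE_POST = "* CAPABILITY IMAP4 IMAP4rev1 AUTH=PLAIN AUTH=CRAM-MD5 AUTH=DIGEST-MD5"

if __name__ == "__main__":
    print(assess(SAMPLE_PRE, SAMPLE_POST))
```
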

