CAPABILITY response in banner, how to disable it?

ktm at rice.edu
Wed Oct 31 09:30:26 EDT 2012


On Wed, Oct 31, 2012 at 02:12:36PM +0100, Michael Neumann wrote:
> Hello,
> 
> we recently switched from imapd version 2.2.12 to 2.4.12. Now my
> cellphone with bada-os 2.0 won't use the idle feature anymore. I assume
> the problem lies in the change that happened in version 2.3.4, the
> changelog states:
> "Implemented CAPABILITY response in banner and after authentication."
> 
> The old version responded something like this:
> > TLS connection established: TLSv1 with cipher AES256-SHA (256/256 bits)
> > S: * OK Cyrus IMAP4 v2.2.13-Debian-2.2.13-13ubuntu3 server ready
> > C: C01 CAPABILITY
> > S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE AUTH=PLAIN SASL-IR
> > S: C01 OK Completed
> > Please enter your password:
> 
> The new version responds like this:
> > TLS connection established: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
> > S: * OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE AUTH=PLAIN AUTH=LOGIN SASL-IR] mail Cyrus IMAP v2.4.12-Debian-2.4.12-2 server ready
> > Please enter your password:
> > C: A01 AUTHENTICATE PLAIN string
> > S: A01 OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE ACL RIGHTS=kxte QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY CATENATE CONDSTORE ESEARCH SORT SORT=MODSEQ SORT=DISPLAY THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE LIST-EXTENDED WITHIN QRESYNC SCAN XLIST URLAUTH URLAUTH=BINARY LOGINDISABLED IDLE] Success (tls protection)
> 
> So it seems since the change in version 2.3.4 the imapd announces some
> CAPABILITYs already in the greeting/banner, but only a subset of the
> CAPABILITYs missing "idle" for example. The full CAPABILITYs string is
> presented after login. Now I guess that is the reason that I can't select
> the idle feature (push-sync) on my bada 2 device anymore. There is the
> option "serverinfo" in imapd.conf, but using this option has no
> influence on the CAPABILITYs string in the greeting. Is there a way to
> return to the old behaviour, or is there a good reason not to return to
> the old behaviour?
> 
> Best regards
> Michael

Hi Michael,

The new behavior, if something that changed 7 years ago when 2.3.0 was released,
announces the available capabilities. Until you have logged in, you actually cannot
use IDLE. Then when you have logged in to the server, the additional available
capabilities are displayed. The previous behavior allowed unauthenticated accesses
to gain information about the underlying services and systems that could be used to
facilitate an exploit. The new behavior is a big improvement but I do understand
the problem of working with poor client-side implementations.  :( Maybe you could
put a proxy in front of the server that could provide the previous behavior just
for the use of your device.

Regards,
Ken
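
The following is an added example, not part of the original thread and not Cyrus code. It parses the two 2.4.12 server lines quoted above and reports which capabilities are visible before login, which appear only after login, and which list a client should treat as current. The function names are hypothetical; the server lines are copied from the transcript with the "S: " prefix removed.

```python
import re

# Server lines copied from the 2.4.12 session quoted in the thread ("S: " prefix removed).
GREETING = ("* OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE AUTH=PLAIN AUTH=LOGIN SASL-IR] "
            "mail Cyrus IMAP v2.4.12-Debian-2.4.12-2 server ready")
AUTH_OK = ("A01 OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE ACL RIGHTS=kxte QUOTA "
           "MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN "
           "MULTIAPPEND BINARY CATENATE CONDSTORE ESEARCH SORT SORT=MODSEQ SORT=DISPLAY "
           "THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE LIST-EXTENDED WITHIN "
           "QRESYNC SCAN XLIST URLAUTH URLAUTH=BINARY LOGINDISABLED IDLE] "
           "Success (tls protection)")

# CAPABILITY as a response code inside OK/PREAUTH, or as untagged "* CAPABILITY" data.
_CODE = re.compile(r"^\S+ (?:OK|PREAUTH) \[CAPABILITY ([^\]]*)\]", re.IGNORECASE)
_DATA = re.compile(r"^\* CAPABILITY (.+)$", re.IGNORECASE)


def _norm(token):
    # Capability names are case-insensitive; leave any "=value" part untouched.
    name, sep, value = token.partition("=")
    return name.upper() + sep + value


def parse_capabilities(line):
    """Return the capability set carried by one server line, or None if it has none."""
    line = line.rstrip("\r\n")
    match = _CODE.match(line) or _DATA.match(line)
    if match is None:
        return None
    return frozenset(_norm(tok) for tok in match.group(1).split())


def effective_capabilities(server_lines):
    """Walk a session in order; each newly announced list replaces the previous one."""
    current = frozenset()
    for line in server_lines:
        caps = parse_capabilities(line)
        if caps is not None:
            current = caps
    return current


def exposure_report(greeting, auth_ok):
    """Split capabilities into pre-auth only, post-auth only, and visible in both."""
    pre = parse_capabilities(greeting) or frozenset()
    post = parse_capabilities(auth_ok) or frozenset()
    return {"pre_auth_only": pre - post, "post_auth_only": post - pre, "both": pre & post}


if __name__ == "__main__":
    for key, caps in exposure_report(GREETING, AUTH_OK).items():
        print(key, " ".join(sorted(caps)))
```

On the quoted session, IDLE falls in the post-auth-only group, so a client that caches the greeting's list and never reads the one in the tagged OK will conclude the server lacks IDLE.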


More information about the Info-cyrus mailing list