Gnus development mailing list
From: James Cloos <cloos@jhcloos.com>
To: ding@gnus.org
Subject: Re: AUTH=PLAIN support
Date: Sat, 30 Oct 2010 18:37:04 -0400
Message-ID: <m339rn8fyv.fsf@jhcloos.com>
In-Reply-To: <m3bp6bjud6.fsf@quimbies.gnus.org> (Lars Magne Ingebrigtsen's message of "Sat, 30 Oct 2010 22:31:01 +0200")

>>>>> "LMI" == Lars Magne Ingebrigtsen <larsi@gnus.org> writes:

LMI> Ok...  then we have one server type that says "AUTH=PLAIN", but doesn't
LMI> accept "AUTHENTICATE PLAIN" anyway (Exchange 2010), and we have another
LMI> user with a server that says "AUTH=PLAIN" (Zimbra) that doesn't accept
LMI> anything but "AUTHENTICATE PLAIN" ("LOGIN" doesn't work).

If clients MUST use AUTHENTICATE, then the server MUST report LOGINDISABLED
in its capabilities.

It seems that the idea was to eliminate the LOGIN command on STARTTLS-capable
servers, but they still needed a plain-text passwd option.  And so created
AUTH=PLAIN to cover that requirement.

The IMAP-TLS RFC (2505) does say that AUTH=PLAIN should never be used on
an unencrypted socket.  (It was necessary because systems which use
/etc/passwd cannot authenticate unless the plain text passwd is available
server-side.)

Or at least that is what I divine from the RFCs. ☺

LMI> So does anybody know what combinations of capabilities should trigger
LMI> "AUTHENTICATE PLAIN" that works across the board?

Probably 'AUTH=PLAIN LOGINDISABLED'.

LMI> You don't authenticate via SSL, do you?  That's just a transport,
LMI> not an authentication mechanism?  (If I have my terminologies right.)

If the server and client support TLS client certs, all of AAA can happen
at that layer.  Once such a TLS session is up, then the IMAP level would
be PREAUTH.

If the session uses port 993 w/ a client cert, then the initial IMAP
greeting would be PREAUTH.

If the session uses STARTTLS, then the first prompt after TLS starts
would be PREAUTH.

In practice, though, I'm not aware of any clients or servers which
support using TLS client certs to pre-authenticate the IMAP session.

But the above is how it is supposed to work, and tls aaa would be the
most secure way to use tls with imap.

(I would note that the certs do not have to be x509.  There are options
to use openpgp keys as either server or client certs in tls, and there is
also a standard for using plain text passwds at the tls layer.)

-JimC
-- 
James Cloos <cloos@jhcloos.com>         OpenPGP: 1024D/ED7DAEA6
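The capability-driven decision James sketches above (issue AUTHENTICATE PLAIN when the server advertises both AUTH=PLAIN and LOGINDISABLED, fall back to LOGIN when it does not, never send a password in the clear, and do nothing when a TLS client cert has already produced a PREAUTH greeting), worked through as an added example in Python. This is not code from the original post or from Gnus: the greeting and CAPABILITY lines are constructed samples, the helper names are hypothetical, and the RFC 4616 PLAIN encoding and the SASL-IR (RFC 4959) branch are details the thread does not mention.

```python
import base64
import re

# Constructed sample server lines (not from the thread).  Helper names below
# are hypothetical; this is illustration, not Gnus's nnimap code.
GREETING_PREAUTH = "* PREAUTH [CAPABILITY IMAP4rev1] authenticated by TLS client cert"
GREETING_PLAIN = "* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED] ready"
CAPS_AFTER_TLS = "* CAPABILITY IMAP4rev1 AUTH=PLAIN LOGINDISABLED"
CAPS_EXCHANGE_LIKE = "* CAPABILITY IMAP4rev1 AUTH=PLAIN"   # PLAIN advertised, LOGIN still allowed


def parse_capabilities(line):
    """Return the capability tokens (upper-cased) from either an untagged
    CAPABILITY response or a CAPABILITY response code inside a greeting."""
    m = re.search(r"\[CAPABILITY ([^\]]*)\]", line, re.IGNORECASE)
    if m:
        caps = m.group(1)
    elif line.upper().startswith("* CAPABILITY "):
        caps = line[len("* CAPABILITY "):]
    else:
        return set()
    return {tok.upper() for tok in caps.split()}


def sasl_plain(user, password, authzid=""):
    """RFC 4616 PLAIN message: authzid NUL authcid NUL passwd, base64-encoded
    as the AUTHENTICATE exchange requires."""
    raw = f"{authzid}\0{user}\0{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def imap_quoted(s):
    """Quote a value for LOGIN.  Only backslash and double quote are escaped
    in an IMAP quoted string; 8-bit or CR/LF content would need a literal."""
    if any(ord(c) > 127 or c in "\r\n" for c in s):
        raise ValueError("value needs an IMAP literal, not a quoted string")
    return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'


def choose_auth(greeting, caps, tls_active, user, password, tag="a001"):
    """Decide what to send after reading the greeting and capabilities.

    Returns None when the greeting is PREAUTH (nothing to do), otherwise the
    list of lines to send.  Raises rather than put a plaintext password on
    an unencrypted socket."""
    if greeting.upper().startswith("* PREAUTH"):
        return None
    if not tls_active:
        # Never send LOGIN or AUTHENTICATE PLAIN in the clear: upgrade first,
        # then re-read CAPABILITY, because the set changes after STARTTLS.
        if "STARTTLS" in caps:
            return [f"{tag} STARTTLS"]
        raise RuntimeError("no TLS available; refusing plaintext authentication")
    if "LOGINDISABLED" in caps:
        if "AUTH=PLAIN" not in caps:
            raise RuntimeError("LOGIN disabled and no AUTH=PLAIN offered")
        ir = sasl_plain(user, password)
        if "SASL-IR" in caps:            # RFC 4959: initial response on the command line
            return [f"{tag} AUTHENTICATE PLAIN {ir}"]
        return [f"{tag} AUTHENTICATE PLAIN", ir]   # second line answers the "+" continuation
    # LOGIN still permitted (the Exchange 2010 case in the thread): use it.
    return [f"{tag} LOGIN {imap_quoted(user)} {imap_quoted(password)}"]


if __name__ == "__main__":
    caps = parse_capabilities(GREETING_PLAIN)
    print(choose_auth(GREETING_PLAIN, caps, False, "user", "pass"))
    caps = parse_capabilities(CAPS_AFTER_TLS)
    print(choose_auth(GREETING_PLAIN, caps, True, "user", "pass"))
    print(choose_auth(GREETING_PREAUTH, set(), True, "user", "pass"))
```

The sample deliberately shows LOGINDISABLED in the pre-TLS greeting and AUTH=PLAIN only in the post-STARTTLS capability list, which is why the client must fetch CAPABILITY again once TLS is up. A server like the Exchange 2010 case in the thread, which advertises AUTH=PLAIN without LOGINDISABLED, lands in the LOGIN branch under this rule; a server that really wants AUTHENTICATE has to say LOGINDISABLED, as the post argues.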

Thread overview: 12+ messages
2010-10-30  1:20 Lars Magne Ingebrigtsen
2010-10-30 19:38 ` Tibor Simko
2010-10-30 19:41   ` Lars Magne Ingebrigtsen
2010-10-30 20:22     ` Tibor Simko
2010-10-30 20:31       ` Lars Magne Ingebrigtsen
2010-10-30 20:46         ` Tibor Simko
2010-10-30 22:37         ` James Cloos [this message]
2010-10-31 15:52           ` Lars Magne Ingebrigtsen
2010-10-31 21:31             ` James Cloos
2010-10-31 21:45             ` Russ Allbery
2010-10-31 21:53               ` Lars Magne Ingebrigtsen
2010-11-01 12:23             ` Tibor Simko
