From mboxrd@z Thu Jan 1 00:00:00 1970
From: James Cloos
Newsgroups: gmane.emacs.gnus.general
Subject: Re: AUTH=PLAIN support
Date: Sat, 30 Oct 2010 18:37:04 -0400
To: ding@gnus.org
In-Reply-To: (Lars Magne Ingebrigtsen's message of "Sat, 30 Oct 2010 22:31:01 +0200")
User-Agent: Gnus/5.110011 (No Gnus v0.11) Emacs/24.0.50 (gnu/linux)

>>>>> "LMI" == Lars Magne Ingebrigtsen writes:

LMI> Ok... then we have one server type that says "AUTH=PLAIN", but doesn't
LMI> accept "AUTHENTICATE PLAIN" anyway (Exchange 2010), and we have another
LMI> user with a server that says "AUTH=PLAIN" (Zimbra) that doesn't accept
LMI> anything but "AUTHENTICATE PLAIN" ("LOGIN" doesn't work).

If clients MUST use AUTHENTICATE, then the server MUST report LOGINDISABLED
in its capabilities.

It seems that the idea was to eliminate the LOGIN command on STARTTLS-capable
servers, but they still needed a plain-text passwd option.  And so they
created AUTH=PLAIN to cover that requirement.

The IMAP-TLS RFC (2505) does say that AUTH=PLAIN should never be used on
an unencrypted socket.

(It was necessary because systems which use /etc/passwd cannot authenticate
unless the plain text passwd is available server-side.)

Or at least that is what I divine from the RFCs.  ☺

LMI> So does anybody know what combinations of capabilities should trigger
LMI> "AUTHENTICATE PLAIN" that works across the board?

Probably 'AUTH=PLAIN LOGINDISABLED'.

LMI> You don't authenticate via SSL, do you?  That's just a transport,
LMI> not an authentication mechanism?  (If I have my terminologies right.)

If the server and client support TLS client certs, all of AAA can happen
at that layer.  Once such a TLS session is up, then the IMAP level would
be PREAUTH.

If the session uses port 993 w/ a client cert, then the initial IMAP
greeting would be PREAUTH.  If the session uses STARTTLS, then the first
prompt after TLS starts would be PREAUTH.

In practice, though, I'm not aware of any clients or servers which support
using TLS client certs to pre-authenticate the IMAP session.  But the above
is how it is supposed to work, and tls aaa would be the most secure way to
use tls with imap.

(I would note that the certs do not have to be x509.  There are options to
use openpgp keys as either server or client certs in tls, and there is also
a standard for using plain text passwds at the tls layer.)

-JimC
-- 
James Cloos          OpenPGP: 1024D/ED7DAEA6
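As an added illustration (not code from this thread or from Gnus), here is a small Python decision routine that applies the capability rules discussed above: honour a PREAUTH greeting, never send plaintext credentials before TLS is up, use AUTHENTICATE PLAIN when AUTH=PLAIN is advertised, and fall back to LOGIN only if LOGINDISABLED is absent. The function names and the sample CAPABILITY lines are constructed; the thread's own point that some real servers (Exchange 2010, Zimbra) diverge from what they advertise is not modelled here.

```python
import base64

# Assumed helper names (not from the thread). Rules encoded:
#   AUTH=PLAIN    -> server offers "AUTHENTICATE PLAIN"
#   LOGINDISABLED -> the LOGIN command must not be used
#   plaintext credentials must never cross an unencrypted socket


def parse_capabilities(line):
    """Parse '* CAPABILITY IMAP4rev1 AUTH=PLAIN ...' into a set of upper-case tokens."""
    tokens = line.strip().split()
    if tokens[:2] != ["*", "CAPABILITY"]:
        raise ValueError("not a CAPABILITY response: %r" % line)
    return {t.upper() for t in tokens[2:]}


def choose_auth(greeting, caps, tls_active):
    """Return the next client step: 'preauth', 'starttls',
    'authenticate-plain', 'login' or 'refuse'.

    greeting:   the server's untagged greeting ('* OK ...' or '* PREAUTH ...')
    caps:       set returned by parse_capabilities()
    tls_active: True once the socket is TLS (port 993, or after STARTTLS)
    """
    if greeting.upper().startswith("* PREAUTH"):
        return "preauth"            # already authenticated, e.g. via a TLS client cert
    if not tls_active:
        if "STARTTLS" in caps:
            return "starttls"       # upgrade first, then re-read CAPABILITY
        return "refuse"             # no way to avoid plaintext credentials
    if "AUTH=PLAIN" in caps:
        return "authenticate-plain"
    if "LOGINDISABLED" not in caps:
        return "login"
    return "refuse"


def sasl_plain(user, password, authzid=""):
    """Base64 SASL PLAIN initial response (RFC 4616): authzid NUL authcid NUL passwd."""
    raw = "%s\0%s\0%s" % (authzid, user, password)
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")
```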