
Re: Rationale for this change?

From: Simon Josefsson
Subject: Re: Rationale for this change?
Date: Thu, 29 Dec 2005 12:14:30 +0100
User-agent: Gnus/5.110004 (No Gnus v0.4) Emacs/22.0.50 (gnu/linux)

David Kastrup <address@hidden> writes:

> 2005-12-05  Ralf Angeli  <address@hidden>
>       * mail/smtpmail.el (smtpmail-try-auth-methods):
>       Send credentials together with "AUTH PLAIN" command.
>
> I have not seen this discussed on the list, and it feels to me that
> this defeats system administrators who disable "AUTH PLAIN" because
> they consider the access path to the mail server under their
> administration unsafe for plain text transfers.  While the
> authentication is refused, the authentication data itself is still
> sent through the network after this change, making the refusal of
> "AUTH PLAIN" ineffective for avoiding ill consequences of snoopable
> connections.
> Could you shed any light on what problem this change is intended to
> fix?

The AUTH PLAIN command is not sent if the server did not advertise
support for AUTH PLAIN.  See RFC 2554.  The earlier behavior violated
a SHOULD in RFC 2222 § 5.1.

So security-wise, it is not worse than before.

Of course, AUTH PLAIN can only be used securely under a TLS session,
but there are still servers out there that don't support TLS.  It is
possible to use AUTH PLAIN under TLS, but disabling AUTH PLAIN without
TLS is unrealistic.
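The client-side rule discussed above (only offer AUTH PLAIN when the server's EHLO reply advertised it, and prefer to do so only once TLS is up), as an added Python example that is not smtpmail.el code; the EHLO replies are constructed samples and the function names are hypothetical:

```python
import base64

# Constructed EHLO replies (not captured from any real server).
EHLO_WITH_PLAIN = (
    "250-mail.example.test\r\n"
    "250-STARTTLS\r\n"
    "250-AUTH PLAIN LOGIN\r\n"
    "250 8BITMIME\r\n"
)
EHLO_NO_PLAIN = (
    "250-mail.example.test\r\n"
    "250-AUTH CRAM-MD5\r\n"
    "250 8BITMIME\r\n"
)


def parse_ehlo(response):
    """Map each advertised EHLO keyword to its parameters (RFC 2554/4954 style)."""
    caps = {}
    lines = [l for l in response.splitlines() if l.startswith("250")]
    for line in lines[1:]:          # first 250 line is the greeting domain, not a capability
        body = line[4:].strip()     # drop "250-" or "250 "
        if body:
            fields = body.upper().split()
            caps[fields[0]] = fields[1:]
    return caps


def advertised_auth_mechanisms(response):
    return set(parse_ehlo(response).get("AUTH", []))


def plain_initial_response(user, password, authzid=""):
    """RFC 4616 PLAIN message (authzid NUL authcid NUL passwd), base64 for the initial response."""
    msg = f"{authzid}\0{user}\0{password}".encode("utf-8")
    return base64.b64encode(msg).decode("ascii")


def choose_auth_command(response, tls_active, user, password, require_tls=True):
    """Return the AUTH PLAIN line to send, or None when it must not be sent.

    PLAIN is offered only if the server advertised it; with require_tls the
    credentials are additionally withheld on a cleartext session, which is the
    admin concern raised in the thread."""
    if "PLAIN" not in advertised_auth_mechanisms(response):
        return None
    if require_tls and not tls_active:
        return None
    return "AUTH PLAIN " + plain_initial_response(user, password)
```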
