Hi list,

I've noticed dovecot pop3 does not request the password with 'AUTH LOGIN' when 
nopassword is set.

dovecot-2.2.18

auth_mechanisms = plain login
ssl = required
auth_ssl_require_client_cert = yes
auth_ssl_username_from_cert = yes

passdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap.conf.ext
  default_fields = nopassword=yes userdb_uid=vmail userdb_gid=vmail userdb_home=/var/spool/vmail/%d/%n
  override_fields = password=
}
userdb {
  driver = prefetch
}
userdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap.conf.ext
  default_fields = uid=vmail gid=vmail home=/var/spool/vmail/%d/%n
}

Although this works perfectly well, skipping the password phase in the SASL 
LOGIN mechanism deviates from the draft for this mechanism at
https://tools.ietf.org/html/draft-murchison-sasl-login-00

I know this document is not normative and has not made its way to a standard. 
However it does not mention the ability to bypass the password phase.

My questions are:
- Is the dovecot behavior intentional?
- If not, will you change it (i.e.: to a dummy password request)?
- Are you aware of another server considering the SASL LOGIN password phase as 
optional?

Please don't tell me to change the config or to use the PLAIN or EXTERNAL 
mechanism: the real goal of these questions is to know whether
this deviance should be supported by a client (more precisely cURL) or not.

Thanks in advance for your reply.

Patrick
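
The two exchanges discussed in the message above, seen from the client side, as an added example that is not part of the original post and is not cURL or dovecot code. The server replies are constructed, and `pop3_auth_login`, `scripted` and the `strict` switch are hypothetical names used only to show a client tolerating or rejecting a success that arrives before the password challenge.

```python
import base64

def b64(text):
    return base64.b64encode(text.encode()).decode()

def scripted(replies):
    """Constructed stand-in for a server: returns the next canned reply per client line."""
    it = iter(replies)
    return lambda _line: next(it)

# Constructed POP3 replies: a "+ <base64>" line is a SASL challenge, "+OK" ends the exchange.
DRAFT_SERVER = ["+ " + b64("Username:"), "+ " + b64("Password:"), "+OK Logged in."]
NOPASSWORD_SERVER = ["+ " + b64("Username:"), "+OK Logged in."]

def pop3_auth_login(server, username, password, strict=False):
    """Run AUTH LOGIN; return (authenticated, password_sent, transcript).

    strict=True rejects a success that arrives before the password challenge.
    """
    transcript = []

    def send(line, shown=None):
        reply = server(line)
        transcript.append("C: " + (shown or line))  # credentials are never logged
        transcript.append("S: " + reply)
        return reply

    pending = [("username", username), ("password", password)]
    sent = []
    reply = send("AUTH LOGIN")
    while reply.startswith("+ "):
        if not pending:  # a third challenge: cancel with "*" (RFC 5034)
            send("*")
            return False, "password" in sent, transcript
        name, value = pending.pop(0)
        sent.append(name)
        reply = send(b64(value), shown="<base64 %s>" % name)
    password_sent = "password" in sent
    ok = reply.startswith("+OK") and (password_sent or not strict)
    return ok, password_sent, transcript

if __name__ == "__main__":
    for label, script in (("draft", DRAFT_SERVER), ("nopassword", NOPASSWORD_SERVER)):
        ok, sent, log = pop3_auth_login(scripted(script), "user@example.org", "secret")
        print(label, "authenticated:", ok, "password sent:", sent)
        print("\n".join(log))
```

In the tolerant mode the password never leaves the client when the server ends the exchange after the username, which is the case the message asks about.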
