Hi list, I've noticed dovecot pop3 does not request the password with 'AUTH LOGIN' when nopassword is set.
dovecot-2.2.18 auth_mechanisms = plain login ssl = required auth_ssl_require_client_cert = yes auth_ssl_username_from_cert = yes passdb { driver = ldap args = /etc/dovecot/dovecot-ldap.conf.ext default_fields = nopassword=yes userdb_uid=vmail userdb_gid=vmail userdb_home=/var/spool/vmail/%d/%n override_fields = password= } userdb { driver = prefetch } userdb { driver = ldap args = /etc/dovecot/dovecot-ldap.conf.ext default_fields = uid=vmail gid=vmail home=/var/spool/vmail/%d/%n } Although this works perfectly well, skipping the password phase in the SASL LOGIN mechanism deviates from the draft for this mechanism at https://tools.ietf.org/html/draft-murchison-sasl-login-00 I know this document is not normative and has not made its way to a standard. However it does not mention the ability to bypass the password phase. My questions are: - Is the dovecot behavior intentional ? - If not, will you change it (i.e.: to a dummy password request) ? - Are you aware of another server considering the SASL LOGIN password phase as optional ? Please don't tell me to change the config or to use the PLAIN or EXTERNAL mechanism: the real goal of these questions is to know whether this deviance should be supported by a client (more precisely cURL) or not. Thanks in advance for you reply. Patrick