Date: Wed, 27 Nov 2002 08:58:38 -0800 (PST)
From: Mark Crispin <[EMAIL PROTECTED]>

[...]

Server implementations which allow unencrypted plaintext logins are now non-compliant; and to make UW imapd be compliant I had to change it so that plaintext logins are not allowed in unencrypted sessions.

The document says nothing of the sort. Specifically, here's the text:

Note: a server implementation MUST implement a configuration in which it does NOT permit any plaintext password mechanisms, unless either the STARTTLS command has been negotiated or some other mechanism that protects the session from password snooping has been provided. Server sites SHOULD NOT use any configuration which permits a plaintext password mechanism without such a protection mechanism against password snooping. Client and server implementations SHOULD implement additional [SASL] mechanisms which do not use plaintext passwords, such the GSSAPI mechanism described in [SASL] and/or the [DIGEST-MD5] mechanism.

Note that all it says is that you must implement "a configuration". It also allows "some other mechanism that protects the session". It's up to you whether or not a loopback adapter is sufficient to protect the session.

Larry
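
The policy in the quoted note, written out as an added example (it is not part of this thread and not UW imapd's code). `Policy`, `Session` and the function names are hypothetical, `LOGIN` stands for the IMAP LOGIN command, and treating a loopback peer as "protected" is modeled as a site choice that is off by default; `LOGINDISABLED` is the IMAP4rev1 capability a server advertises when it refuses LOGIN.

```python
import ipaddress
from dataclasses import dataclass

# Mechanisms that put the password itself on the wire.
PLAINTEXT_MECHS = {"LOGIN", "PLAIN"}
# Mechanisms the quoted text names as not using plaintext passwords.
NON_PLAINTEXT_MECHS = {"GSSAPI", "DIGEST-MD5"}

@dataclass
class Policy:
    # False is the configuration every server MUST be able to offer.
    permit_unprotected_plaintext: bool = False
    # Assumption: the site decides whether loopback counts as "some other
    # mechanism that protects the session from password snooping".
    trust_loopback: bool = False

@dataclass
class Session:
    peer_ip: str
    tls_active: bool = False  # True once STARTTLS has been negotiated

def session_protected(policy, session):
    if session.tls_active:
        return True
    peer = ipaddress.ip_address(session.peer_ip)
    return policy.trust_loopback and peer.is_loopback

def plaintext_allowed(policy, session):
    return policy.permit_unprotected_plaintext or session_protected(policy, session)

def mechanism_allowed(policy, session, mech):
    mech = mech.upper()
    if mech in NON_PLAINTEXT_MECHS:
        return True
    if mech in PLAINTEXT_MECHS:
        return plaintext_allowed(policy, session)
    return False  # unknown mechanism: refuse

def capabilities(policy, session):
    """Capability list the server should advertise in this session state."""
    caps = ["IMAP4rev1"]
    if not session.tls_active:
        caps.append("STARTTLS")
    caps += [f"AUTH={m}" for m in sorted(NON_PLAINTEXT_MECHS)]
    # Advertise plaintext only when the session state permits it.
    caps.append("AUTH=PLAIN" if plaintext_allowed(policy, session) else "LOGINDISABLED")
    return caps
```
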