Date: Wed, 27 Nov 2002 08:58:38 -0800 (PST)
From: Mark Crispin <[EMAIL PROTECTED]>
> [...]
> Server implementations which allow unencrypted plaintext logins are now
> non-compliant; and to make UW imapd be compliant I had to change it so that
> plaintext logins are not allowed in unencrypted sessions.
The document says nothing of the sort.
Specifically, here's the text:
    Note: a server implementation MUST implement a
    configuration in which it does NOT permit any plaintext
    password mechanisms, unless either the STARTTLS command
    has been negotiated or some other mechanism that
    protects the session from password snooping has been
    provided. Server sites SHOULD NOT use any configuration
    which permits a plaintext password mechanism without
    such a protection mechanism against password snooping.
    Client and server implementations SHOULD implement
    additional [SASL] mechanisms which do not use plaintext
    passwords, such as the GSSAPI mechanism described in [SASL]
    and/or the [DIGEST-MD5] mechanism.
Note that all it says is that you must implement "a configuration". It
also allows "some other mechanism that protects the session". It's up
to you whether or not a loopback adapter is sufficient to protect the
session.
Larry
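The rule under discussion is easier to see as server logic than as prose: before STARTTLS the server advertises LOGINDISABLED and withholds the plaintext SASL mechanisms, and after STARTTLS (or on a connection the site has configured to treat as protected, such as loopback) it accepts them. The following Python model is an added example written for this page; it is not UW imapd code or any other project's code. The `Session`, `ServerConfig`, `capability` and `handle_login` names are invented for the illustration, and the `allow_plaintext_on_loopback` switch stands in for the site decision Larry describes, whether a loopback adapter counts as "some other mechanism that protects the session". The `[PRIVACYREQUIRED]` response code is the one defined in RFC 5530 for exactly this refusal.

```python
"""Added example: modelling the RFC 3501 rule on plaintext password
mechanisms as a capability/login policy.  Not code from the original
message or from any IMAP server; all names here are hypothetical."""
from dataclasses import dataclass

# Mechanisms that carry the password in the clear and are therefore
# gated on the session being protected.
PLAINTEXT_MECHS = frozenset({"PLAIN", "LOGIN"})


@dataclass
class Session:
    """State of one client connection (constructed for the example)."""
    tls_negotiated: bool = False     # STARTTLS completed, or implicit TLS
    peer_is_loopback: bool = False   # peer address is 127.0.0.1 / ::1


@dataclass
class ServerConfig:
    """Site configuration (hypothetical knobs for the example)."""
    # Site decision: treat a loopback connection as "some other mechanism
    # that protects the session from password snooping".
    allow_plaintext_on_loopback: bool = False
    # SASL mechanisms the server supports at all.
    sasl_mechs: tuple = ("PLAIN", "DIGEST-MD5", "GSSAPI")


def session_protected(session: Session, config: ServerConfig) -> bool:
    """True when plaintext credentials may be accepted on this session."""
    if session.tls_negotiated:
        return True
    return config.allow_plaintext_on_loopback and session.peer_is_loopback


def capability(session: Session, config: ServerConfig) -> str:
    """Build the CAPABILITY response the server would send right now."""
    caps = ["IMAP4rev1"]
    protected = session_protected(session, config)
    if not session.tls_negotiated:
        caps.append("STARTTLS")          # offer the upgrade while still plain
    for mech in config.sasl_mechs:
        if mech in PLAINTEXT_MECHS and not protected:
            continue                     # hide plaintext SASL until protected
        caps.append("AUTH=" + mech)
    if not protected:
        caps.append("LOGINDISABLED")     # tells clients LOGIN will be refused
    return "* CAPABILITY " + " ".join(caps)


def handle_login(tag: str, session: Session, config: ServerConfig) -> str:
    """Server response to a LOGIN command (credentials omitted: policy only)."""
    if not session_protected(session, config):
        return (f"{tag} NO [PRIVACYREQUIRED] "
                "LOGIN is disabled on an unprotected connection")
    return f"{tag} OK LOGIN completed"


def handle_authenticate(tag: str, mech: str, session: Session,
                        config: ServerConfig) -> str:
    """Server response to AUTHENTICATE <mech>, applying the same gate."""
    if mech not in config.sasl_mechs:
        return f"{tag} NO Unsupported authentication mechanism"
    if mech in PLAINTEXT_MECHS and not session_protected(session, config):
        return (f"{tag} NO [PRIVACYREQUIRED] "
                f"AUTHENTICATE {mech} requires a protected session")
    return f"{tag} OK AUTHENTICATE {mech} accepted"


if __name__ == "__main__":
    cfg = ServerConfig()
    before = Session()
    after = Session(tls_negotiated=True)
    print(capability(before, cfg))
    print(handle_login("a001", before, cfg))
    print(capability(after, cfg))
    print(handle_login("a002", after, cfg))
    # Site that chooses to trust loopback as a protection mechanism.
    local = Session(peer_is_loopback=True)
    print(handle_login("a003", local, ServerConfig(allow_plaintext_on_loopback=True)))
```

With the default configuration the model refuses LOGIN and hides AUTH=PLAIN until STARTTLS has completed, which is the "configuration in which it does NOT permit any plaintext password mechanisms" the RFC demands; flipping `allow_plaintext_on_loopback` is the site-level judgement the RFC leaves open, and the example makes that judgement an explicit setting rather than an implicit default.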