My understanding is that the IMAP server makes available a set of
secure authentication methods, and that the IMAP client chooses one
or more of these to authenticate to the server.  As well, if the
client connects via a secure channel, the server will offer additional
less secure authentication mechanisms.  In addition, the server may
accept the `login' command to support clients that have no secure
authentication mechanisms.

Why does the server have so much control over these authentication
mechanisms?  It seems to me that the IMAP client, configured by the
user, should be able to choose what level of security is appropriate.
Wouldn't it be better if the server offered all authentication
mechanisms, regardless of the type of connection?

My problem is that I would like our Cyrus server to offer AUTH=PLAIN
to make use of the proxy authentication for administrative purposes.
Our internal servers are on a fully switched network, with no opportunity
for packet sniffing.  How can I get the Cyrus IMAP and sieve servers
to offer AUTH=PLAIN to clients on the internal network?  SSL should
not be necessary for this.

A related problem that we have is that most IMAP clients will not
fall back to the plain text login command when secure authentication
methods fail.  We use the `auto_transition' setting to create SASL
secrets from plain text passwords.  Users do not have a SASL secret
until after their first plain text authentication.  Unfortunately,
most IMAP clients determine that our server offers several secure
authentication mechanisms, and try only those mechanisms.  Users
can never complete their first plain text authentication.  It seems
to me that the IMAP client should, after warning the user, try
plain text authentication.

-- 
-Gary Mills-    -Unix Support-    -U of M Academic Computing and Networking-
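As an added example (not part of the original post, and not Cyrus code), a small Python checker that reads the server's untagged CAPABILITY line and reports whether password-exposing mechanisms (AUTH=PLAIN, AUTH=LOGIN, or the bare LOGIN command) are offered on a cleartext channel, which is the gating behaviour the question describes. The CAPABILITY responses are constructed samples; the mechanism classification is an assumption of this example.

```python
import re

# Mechanisms that send the password itself over the channel (assumed set)
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}
# Challenge/response or ticket mechanisms that do not expose the password (assumed set)
SECURE_MECHS = {"CRAM-MD5", "DIGEST-MD5", "GSSAPI", "SCRAM-SHA-1", "SCRAM-SHA-256"}

# Constructed sample responses: one before STARTTLS, one on an encrypted channel
CLEARTEXT_CAPS = "* CAPABILITY IMAP4rev1 STARTTLS AUTH=CRAM-MD5 AUTH=DIGEST-MD5 LOGINDISABLED"
TLS_CAPS = "* CAPABILITY IMAP4rev1 AUTH=PLAIN AUTH=CRAM-MD5 AUTH=DIGEST-MD5"


def parse_capability(line):
    """Split an untagged CAPABILITY line into (AUTH mechanisms, other capability flags)."""
    m = re.match(r"\*\s+CAPABILITY\s+(.*)", line.strip(), re.IGNORECASE)
    if not m:
        raise ValueError("not an untagged CAPABILITY response: %r" % line)
    tokens = [t.upper() for t in m.group(1).split()]
    mechs = {t[len("AUTH="):] for t in tokens if t.startswith("AUTH=")}
    flags = {t for t in tokens if not t.startswith("AUTH=")}
    return mechs, flags


def assess(line, channel_encrypted):
    """Classify what the server offers and flag password exposure on a cleartext channel."""
    mechs, flags = parse_capability(line)
    plaintext = sorted(mechs & PLAINTEXT_MECHS)
    # RFC 2595: LOGINDISABLED means the bare LOGIN command is refused
    login_cmd = "LOGINDISABLED" not in flags
    findings = []
    if not channel_encrypted and (plaintext or login_cmd):
        findings.append("password-exposing authentication offered on a cleartext channel")
    if not channel_encrypted and "STARTTLS" in flags:
        findings.append("STARTTLS advertised: clients should upgrade before authenticating")
    if not plaintext and not login_cmd and not (mechs & SECURE_MECHS):
        findings.append("no usable authentication mechanism advertised")
    return {
        "plaintext_mechs": plaintext,
        "login_command": login_cmd,
        "secure_mechs": sorted(mechs & SECURE_MECHS),
        "findings": findings,
    }


if __name__ == "__main__":
    for label, caps, enc in (("cleartext", CLEARTEXT_CAPS, False), ("tls", TLS_CAPS, True)):
        print(label, assess(caps, enc))
```

Feeding the two CAPABILITY lines a real server returns before and after STARTTLS shows exactly which mechanisms the server withholds on the unencrypted channel.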
