On Oct 5 Scott Russell wrote:

>Previously it was said that only PLAIN and LOGIN mechs are allowed
>based on the imapd.conf line: sasl_mech_list: plain login. But if you
>look at the imtest dump the AUTH=LOGIN AUTH=PLAIN mechs aren't shown
>until _after_ the TLS negotiation takes place. To me this indicates
>that PLAIN and LOGIN are not allowed unless they're under the TLS/SSL
>layer.
>
>I also noticed that sasl_minimum_layer: 1 was set in the imapd.conf. I
>don't recall but doesn't that exclude PLAIN and LOGIN unless they are
>under SSL/TLS?
>
>It might be interesting to see if timsieved shows a SASL line after
>TLS/SSL negotiation is done. Or try setting sasl_minimum_layer: 0 and
>see if the SASL line shows up in timsieved prior to TLS/SSL
>negotiation.

Bingo! Many thanks.

>Just some wild thoughts.

I didn't try that earlier because of the following comment:

# The minimum SSF that the server will allow a client
# to negotiate. A value of 1 requires integrity
# protection; any higher value requires some amount of
# encryption.

I was misled! I think I'd like sasl_minimum_layer to be 0 for localhost
and 1 (or maybe higher) for other hosts.

Cheers again though,

Matt
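
The observation in this thread (AUTH=PLAIN and AUTH=LOGIN advertised only after TLS negotiation) can be checked mechanically by comparing the capability lines a server sends before and after STARTTLS. The following is an added example, not part of the original message or of Cyrus; the function names are hypothetical and the capability lines are constructed samples, not the imtest dump from the thread.

```python
import re

# Mechanisms that send the password itself and so depend on the transport layer.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}

# Constructed sample lines (assumption: shaped like IMAP capability responses).
PRE_TLS = "* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED] server ready"
POST_TLS = "* CAPABILITY IMAP4rev1 AUTH=PLAIN AUTH=LOGIN"
PRE_TLS_WEAK = "* CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN AUTH=LOGIN"


def parse_capabilities(line):
    """Split a CAPABILITY response (untagged or bracketed in a greeting)
    into (SASL mechanism names, all other capability atoms)."""
    m = re.search(r"CAPABILITY\s+([^\]\r\n]*)", line, re.IGNORECASE)
    if not m:
        raise ValueError("no CAPABILITY data in line")
    mechs, other = set(), set()
    for atom in m.group(1).upper().split():
        if atom.startswith("AUTH="):
            mechs.add(atom[5:])
        else:
            other.add(atom)
    return mechs, other


def audit(pre_tls_line, post_tls_line):
    """Compare what is advertised before and after TLS negotiation."""
    pre_mechs, pre_other = parse_capabilities(pre_tls_line)
    post_mechs, _ = parse_capabilities(post_tls_line)
    return {
        # Password-bearing mechanisms offered on the unencrypted channel.
        "cleartext_exposed": sorted(pre_mechs & PLAINTEXT_MECHS),
        # Mechanisms that appear only once the TLS layer is in place.
        "tls_only": sorted(post_mechs - pre_mechs),
        "starttls_offered": "STARTTLS" in pre_other,
        "logindisabled": "LOGINDISABLED" in pre_other,
    }


if __name__ == "__main__":
    print(audit(PRE_TLS, POST_TLS))
    print(audit(PRE_TLS_WEAK, POST_TLS))
```

A non-empty `cleartext_exposed` list for a non-local listener means password-bearing mechanisms are being offered without a security layer.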