On Thu, 24 May 2001, Henning Brauer wrote:
> That doesn't make sense. AUTH is available without STARTTLS, so no sense in
> hiding it before STARTTLS.
    This is just the point.  According to the RFC, the service
extensions offered by the server can change after TLS is
initiated.  Whether to offer AUTH at all (or any service extension) before
TLS is initiated is up to the server implementation.  At least this is the
way I read RFC 2487.
    However, upon further reading of the AUTH RFC, it appears returning
a 538 error code would be sufficient for my purposes (as no password data
gets exchanged before the server can return a 538).

> RFC says "the client MUST discard...", not "the server MUST NOT offer ...
> before STARTTLS".

   But it also doesn't say the server MUST (or even SHOULD) offer the same
service extensions before and after a successful STARTTLS.  It appears to
be an implementation (or at least a configuration) choice.

Lynn
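
The two server policies discussed in this thread, as an added example that is not part of the original message: a toy session model that either hides AUTH from the pre-TLS EHLO reply or advertises it and answers 538 when AUTH is attempted in cleartext. There are no sockets or real TLS here, and the class, function and parameter names are hypothetical.

```python
import base64

REPLY_538 = "538 Encryption required for requested authentication mechanism"

class SmtpSession:
    """Toy model of one SMTP session; tracks only whether TLS is active."""

    def __init__(self, hide_auth_before_tls):
        # hide_auth_before_tls is a hypothetical configuration knob.
        self.hide_auth_before_tls = hide_auth_before_tls
        self.tls_active = False

    def ehlo(self):
        """Return the extension keywords advertised in the current state."""
        ext = ["PIPELINING"]
        if not self.tls_active:
            ext.append("STARTTLS")
        if self.tls_active or not self.hide_auth_before_tls:
            ext.append("AUTH LOGIN")
        return ext

    def starttls(self):
        # Stands in for a completed handshake. The client must now discard
        # the earlier extension list and send EHLO again.
        self.tls_active = True
        return "220 Ready to start TLS"

    def auth_login(self):
        # Enforced regardless of what EHLO advertised: hiding the keyword
        # does not stop a client from sending AUTH anyway.
        if not self.tls_active:
            return REPLY_538
        # Only under TLS does the server issue the first challenge.
        return "334 " + base64.b64encode(b"Username:").decode()

def transcript(hide_auth_before_tls):
    """Walk one session: EHLO, AUTH in cleartext, STARTTLS, EHLO, AUTH."""
    s = SmtpSession(hide_auth_before_tls)
    return {
        "ehlo_before": s.ehlo(),
        "auth_before": s.auth_login(),
        "starttls": s.starttls(),
        "ehlo_after": s.ehlo(),
        "auth_after": s.auth_login(),
    }

if __name__ == "__main__":
    for hide in (True, False):
        print(hide, transcript(hide))
```

Under either policy the cleartext AUTH attempt gets the 538 reply; the knob changes only what the first EHLO advertises.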


