Timo Sirainen:
> On Mon, 2009-02-23 at 16:49 -0500, Wietse Venema wrote:
> > > It's basically the same thing as "disable plaintext authentication",
> > > except on a per-user (or per-domain, or per-source-IP-range) basis
> > > rather than globally. There are probably some other use cases that I've
> > > heard before but can't remember right now.
> > 
> > The MTA gets the Dovecot mechanism list first, including PLAIN or
> > LOGIN. Then the MTA sends the user's login name and password and
> > the TLS session state, and then Dovecot says no you can't do that.
> > 
> > What's the point? 
> 
> The same server may handle multiple different domains where some require
> that SSL/TLS is enabled for authentication to succeed, while for other
> domains it must be only optional. The server doesn't know if it requires
> SSL/TLS until it knows the SASL username.

The client has already sent the plaintext. What problem are you
trying to solve by having Dovecot say "no" when it is too late?

        Wietse
