Mon, 2009-02-23 at 17:11 -0500, Wietse Venema wrote:
> Timo Sirainen:
> > On Mon, 2009-02-23 at 16:49 -0500, Wietse Venema wrote:
> > > > It's basically the same thing as "disable plaintext authentication",
> > > > except on a per-user (or per-domain, or per-source-IP-range) basis
> > > > rather than globally. There are probably some other use cases that I've
> > > > heard before but can't remember right now.
> > >
> > > The MTA gets the Dovecot mechanism list first, including PLAIN or
> > > LOGIN. Then the MTA sends the user's login name and password and
> > > the TLS session state, and then Dovecot says no you can't do that.
> > >
> > > What's the point?
> >
> > The same server may handle multiple different domains where some require
> > that SSL/TLS is enabled for authentication to succeed, while for other
> > domains it must be only optional. The server doesn't know if it requires
> > SSL/TLS until it knows the SASL username.
>
> The client has already sent the plaintext. What problem are you
> trying to solve by having Dovecot say "no" when it is too late?
It's too late for a few times (until the user fixes the client configuration), but not forever (because it won't work until the configuration is fixed). Also, with a laptop the initial setup is often done in a relatively safe location such as home or office, while the connections afterwards could be made in all kinds of insecure places.
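The exchange the two of them are arguing about, as an added example that is not Dovecot or Postfix code and not part of the original thread: a small simulation of the server side of a Dovecot-style SASL auth-client request, where the MTA hands over the mechanism, the TLS state and the user's PLAIN credentials in a single line, and the server can only evaluate a per-domain / per-source-IP "plaintext needs TLS" rule after it has decoded the username (and therefore the password). The line layout (`AUTH<TAB>id<TAB>mech<TAB>service=...[<TAB>secured][<TAB>rip=...]<TAB>resp=<base64>`) is my recollection of the Dovecot auth client protocol and is an assumption, as are the policy table, the sample requests and the reply wording; LOGIN is multi-step and is deliberately not simulated.

```python
"""Simulated per-domain / per-source-IP plaintext-auth policy over
Dovecot-style auth-client lines.  Added example, not Dovecot or Postfix
code.  Protocol layout, policy table and sample lines are assumptions
constructed for illustration."""
import base64
import ipaddress

# Constructed policy (assumption): these domains may only use plaintext
# mechanisms over a secured connection, except from a trusted LAN range.
TLS_REQUIRED_DOMAINS = {"secure.example"}
TRUSTED_PLAINTEXT_NETS = [ipaddress.ip_network("10.0.0.0/8")]
SIMULATED_MECHS = {"PLAIN"}  # LOGIN is a multi-step dialogue; not modelled


def parse_auth_line(line):
    """Split 'AUTH<TAB>id<TAB>mech<TAB>key=value...' into a dict (assumed layout)."""
    parts = line.rstrip("\n").split("\t")
    if parts[0] != "AUTH" or len(parts) < 3:
        raise ValueError("not an AUTH request")
    req = {"id": parts[1], "mech": parts[2].upper(), "secured": False}
    for field in parts[3:]:
        if field == "secured":          # TLS (or otherwise trusted) transport
            req["secured"] = True
        elif "=" in field:
            key, value = field.split("=", 1)
            req[key] = value
    return req


def decode_plain_resp(resp_b64):
    """SASL PLAIN initial response: authzid NUL authcid NUL password."""
    fields = base64.b64decode(resp_b64).split(b"\0")
    if len(fields) != 3:
        raise ValueError("malformed PLAIN response")
    authzid, authcid, password = (f.decode() for f in fields)
    return authzid, authcid, password


def plaintext_allowed(user, rip, secured):
    """The per-domain / per-IP rule.  It cannot run before 'user' is known,
    which in this protocol means after the password has been received."""
    if secured:
        return True
    domain = user.rpartition("@")[2] if "@" in user else ""
    if domain not in TLS_REQUIRED_DOMAINS:
        return True
    try:
        addr = ipaddress.ip_address(rip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_PLAINTEXT_NETS)


def handle_auth(line):
    """Return the server's reply line for one AUTH request."""
    req = parse_auth_line(line)
    if req["mech"] not in SIMULATED_MECHS:
        return f"FAIL\t{req['id']}\treason=mechanism not simulated"
    try:
        # The plaintext password is already in our hands at this point.
        _authzid, user, _password = decode_plain_resp(req.get("resp", ""))
    except ValueError as exc:
        return f"FAIL\t{req['id']}\treason={exc}"
    if not plaintext_allowed(user, req.get("rip", ""), req["secured"]):
        return (f"FAIL\t{req['id']}\tuser={user}"
                "\treason=Plaintext authentication disallowed on non-secure connections")
    return f"OK\t{req['id']}\tuser={user}"


def _plain(user, password, authzid=""):
    """Build a base64 SASL PLAIN initial response (constructed test data)."""
    return base64.b64encode(f"{authzid}\0{user}\0{password}".encode()).decode()


# Constructed sample requests; addresses are documentation ranges.
SAMPLE_LINES = [
    # 1: TLS session, TLS-required domain -> accepted
    "AUTH\t1\tPLAIN\tservice=smtp\tsecured\trip=203.0.113.5\tlip=192.0.2.1\tresp="
    + _plain("alice@secure.example", "hunter2"),
    # 2: same user, plaintext from the Internet -> refused, but only now
    "AUTH\t2\tPLAIN\tservice=smtp\trip=203.0.113.5\tlip=192.0.2.1\tresp="
    + _plain("alice@secure.example", "hunter2"),
    # 3: plaintext from the trusted LAN range -> tolerated
    "AUTH\t3\tPLAIN\tservice=smtp\trip=10.1.2.3\tlip=10.0.0.1\tresp="
    + _plain("alice@secure.example", "hunter2"),
    # 4: domain where TLS is optional -> accepted
    "AUTH\t4\tPLAIN\tservice=smtp\trip=203.0.113.5\tlip=192.0.2.1\tresp="
    + _plain("bob@relaxed.example", "s3cret"),
]


def run_samples():
    """Replies for SAMPLE_LINES, in order."""
    return [handle_auth(line) for line in SAMPLE_LINES]


if __name__ == "__main__":
    for reply in run_samples():
        print(reply)
```

Request 2 is the case Wietse is objecting to: the credentials for `alice@secure.example` are already decoded by `handle_auth` before `plaintext_allowed` can reject them, so the refusal protects only the next attempt (once the client is reconfigured), not the one that just leaked. Requests 1, 3 and 4 show why the rule still has to be per-user: the same server accepts the identical request on a secured connection, from the trusted range, or for a domain with a laxer policy.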