Re: [POLL] Defaulting allowplaintext to disabled

From: Florian G. Pflug (no email)
Date: Wed Mar 28 2007 - 15:44:39 EDT


    Ken Murchison wrote:
    > After thinking about bug #2922 some more, and discussing it with Jeff, I
    > now agree that it would be nice to have the allowplaintext option
    > control both the protocol-specific plaintext login commands (IMAP
    > LOGIN, POP3 USER/PASS, NNTP AUTHINFO USER/PASS), and the plaintext SASL
    > mechanisms (PLAIN, LOGIN). However there is still one outstanding
    > problem, which is that the allowplaintext option is enabled by default,
    > meaning that PLAIN w/o TLS would be enabled by default, thus violating a
    > MUST [NOT] in RFC 3501, with a side-effect of making me quite ill.
    >
    > Since sending passwords in the clear sucks, and I would like to think
    > that most reasonable admins disable this option anyways, would anyone
    > have a major gripe if we change the allowplaintext option to default to
    > disabled in the 2.3.9 release? Obviously, we will document this change
    > prominently in the release notes.

    Sounds perfect to me.

    Now that I read my comment to the bug again, it sounds a bit harsh -
    I should have written that more politely. I hope I didn't offend
    anyone - it was remembering my frustration after hours of debugging my
    not-working proxy auth that spoke in that comment :-(

    So, thank you *very* *much* for reconsidering your decision, and again
    sorry for my tone.

    greetings, Florian Pflug

