From: Timo Sirainen (no email)
Date: Mon Feb 23 2009 - 17:40:05 EST
Mon, 2009-02-23 at 17:11 -0500, Wietse Venema wrote:
> Timo Sirainen:
> > On Mon, 2009-02-23 at 16:49 -0500, Wietse Venema wrote:
> > > > It's basically the same thing as "disable plaintext authentication",
> > > > except on a per-user (or per-domain, or per-source-IP-range) basis
> > > > rather than globally. There are probably some other use cases that I've
> > > > heard before but can't remember right now.
> > >
> > > The MTA gets the Dovecot mechanism list first, including PLAIN or
> > > LOGIN. Then the MTA sends the user's login name and password and
> > > the TLS session state, and then Dovecot says no you can't do that.
> > >
> > > What's the point?
> > The same server may handle multiple different domains where some require
> > that SSL/TLS is enabled for authentication to succeed, while for other
> > domains it must be only optional. The server doesn't know if it requires
> > SSL/TLS until it knows the SASL username.
> The client has already sent the plaintext. What problem are you
> trying to solve by having Dovecot say "no" when it is too late?
It's too late for a few times (until the user fixes the client
configuration), but not forever (because it won't work until the
configuration is fixed). Also with a laptop the initial setup is often
done in a relatively safe location such as home or office, while the
connections afterwards could be done in all kinds of insecure places.
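The two decision points the thread argues about, modelled as an added example (this is not code from the thread, from Dovecot or from Postfix): the mechanism list is assembled before any username is known, so only the transport state can drive it, while a per-domain TLS rule can only be evaluated after the SASL PLAIN message, which already carries the password, has been received. The domain table and the fail-closed default for unknown domains are constructed assumptions; the PLAIN message layout (authzid NUL authcid NUL password, base64-encoded) follows RFC 4616.

```python
import base64
from dataclasses import dataclass

# Constructed per-domain policy (assumed values, not any real deployment):
# True means authentication over a non-TLS connection must be refused.
TLS_REQUIRED_BY_DOMAIN = {
    "secure.example": True,
    "legacy.example": False,
}


def advertise_mechanisms(tls_active: bool) -> list:
    """Mechanism list offered to the client before any username is known.

    Only the transport state is available here, so the decision is global:
    plaintext mechanisms are offered unless every domain forbids them.
    """
    mechs = []
    if tls_active or not all(TLS_REQUIRED_BY_DOMAIN.values()):
        mechs += ["PLAIN", "LOGIN"]
    return mechs


def encode_plain(authzid: str, authcid: str, passwd: str) -> str:
    """Build a base64 SASL PLAIN message as a client would send it."""
    raw = b"\0".join(s.encode("utf-8") for s in (authzid, authcid, passwd))
    return base64.b64encode(raw).decode("ascii")


def parse_plain(b64_message: str) -> tuple:
    """Decode an RFC 4616 PLAIN message into (authzid, authcid, passwd)."""
    raw = base64.b64decode(b64_message, validate=True)
    parts = raw.split(b"\0")
    if len(parts) != 3:
        raise ValueError("malformed SASL PLAIN message")
    return tuple(p.decode("utf-8") for p in parts)


@dataclass
class AuthDecision:
    accepted: bool
    reason: str


def evaluate_plain_auth(b64_message: str, tls_active: bool) -> AuthDecision:
    """Apply the per-domain TLS rule once the username is finally known.

    By the time this runs the password is already in b64_message, which is
    the objection raised in the thread: a refusal here protects the account
    from later plaintext logins, not the credential that was just sent.
    """
    _authzid, authcid, _passwd = parse_plain(b64_message)
    domain = authcid.rpartition("@")[2]
    # Unknown domains default to requiring TLS (assumed fail-closed choice).
    if TLS_REQUIRED_BY_DOMAIN.get(domain, True) and not tls_active:
        return AuthDecision(False, f"domain {domain} requires TLS for authentication")
    return AuthDecision(True, "policy satisfied")


if __name__ == "__main__":
    msg = encode_plain("", "alice@secure.example", "constructed-password")
    print(advertise_mechanisms(tls_active=False))
    print(evaluate_plain_auth(msg, tls_active=False))
    print(evaluate_plain_auth(msg, tls_active=True))
```

Running the block shows PLAIN being advertised on a plaintext connection because one constructed domain permits it, and the same message being refused for the TLS-only domain without TLS and accepted with it.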