Clients for AUTHINFO access/440 error on post

Jeffrey M. Vinocur jeff at litech.org
Sun Jan 12 03:39:51 UTC 2003


On Sat, 11 Jan 2003, Russ Allbery wrote:

> It's important to *not* return 480 in cases where no authentication is
> possible, since that could trigger the sending of a password over a
> clear-text connection.

*mumble*  Yeah.

(I'm actually very curious what existing clients do if they send AUTHINFO 
USER and don't get 381.  Possibly the only advantage of AUTHINFO USER/PASS 
over unencrypted SASL PLAIN.)


> Other than that, I think you're right; if the group is excluded by rule
> and some authentication is possible, we should return a 480 response.
> (This is probably also true of LIST ACTIVE on a single group, but not LIST
> ACTIVE on multiple groups.)

I'd agree with that, provided we're careful not to expose information as 
to what groups exist on the server.


-- 
Jeffrey M. Vinocur
jeff at litech.org
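The reply-code rule discussed in this thread, as an added example that is not part of the original message or of INN: a server returns 480 on an excluded group only when it would actually accept a credential on this connection (so a cleartext client is never invited to send AUTHINFO PASS), and gives unknown and excluded groups the same reply so the code does not reveal which groups exist. The connection and group model, the method names in `auth_methods`, and the choice to answer 480 for unknown groups are assumptions made for this example.

```python
from dataclasses import dataclass, field

@dataclass
class Connection:
    encrypted: bool                      # TLS is established on this connection
    authenticated: bool = False
    # methods the server is willing to accept here (names are this example's own)
    auth_methods: set = field(default_factory=set)

@dataclass
class Group:
    name: str
    public: bool                         # readable without authenticating

# methods that carry the password itself and so need an encrypted connection
PASSWORD_METHODS = {"USER/PASS", "SASL PLAIN"}

def auth_possible(conn: Connection) -> bool:
    """True only if some authentication could succeed on this connection.

    Password-carrying methods are only counted over an encrypted connection;
    a 480 reply on a clear-text connection would prompt the client to send
    its password in the clear, which is the case the thread warns about.
    """
    if conn.authenticated or not conn.auth_methods:
        return False
    if conn.encrypted:
        return True
    return bool(conn.auth_methods - PASSWORD_METHODS)

def group_reply(conn: Connection, name: str, groups: dict) -> str:
    """Reply for `GROUP name` (only the code and text; counts are omitted).

    Unknown and excluded groups get the same reply for a given connection,
    so a client cannot use the reply code to learn whether an excluded
    group exists (a design choice made in this example).
    """
    g = groups.get(name)
    # toy policy: an authenticated client may read any existing group
    if g is not None and (g.public or conn.authenticated):
        return f"211 {g.name} selected"
    if auth_possible(conn):
        return "480 Authentication required"
    return "411 No such newsgroup"

# constructed sample data for the tests below
GROUPS = {"comp.lang.c": Group("comp.lang.c", public=True),
          "local.private": Group("local.private", public=False)}
```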
