Clients for AUTHINFO access/440 error on post
Jeffrey M. Vinocur
jeff at litech.org
Sun Jan 12 03:39:51 UTC 2003
On Sat, 11 Jan 2003, Russ Allbery wrote:
> It's important to *not* return 480 in cases where no authentication is
> possible, since that could trigger the sending of a password over a
> clear-text connection.
*mumble* Yeah.
(I'm actually very curious what existing clients do if they send AUTHINFO
USER and don't get 381. Possibly the only advantage of AUTHINFO USER/PASS
over unencrypted SASL PLAIN.)
> Other than that, I think you're right; if the group is excluded by rule
> and some authentication is possible, we should return a 480 response.
> (This is probably also true of LIST ACTIVE on a single group, but not LIST
> ACTIVE on multiple groups.)
I'd agree with that, provided we're careful not to expose information as
to what groups exist on the server.
--
Jeffrey M. Vinocur
jeff at litech.org
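The client-side counterpart of the point above, as an added example (not INN code and not from anyone in the thread): a small Python client policy run against a scripted fake server. The client treats a 480 reply to GROUP as an authentication prompt only when the connection is already encrypted, and never sends AUTHINFO PASS unless AUTHINFO USER actually got 381. Group name, user, password and the fake server's reply text are constructed.

```python
class FakeServer:
    """Scripted NNTP server (constructed for this example, not INN).

    GROUP answers 480 until AUTHINFO PASS is accepted. When no authenticator
    is available, AUTHINFO USER is answered with something other than 381,
    which is the case the thread wonders about."""

    def __init__(self, auth_available=True):
        self.auth_available = auth_available
        self.authenticated = False
        self.sent = []  # every command the client sent, for inspection

    def send(self, cmd):
        self.sent.append(cmd)
        if cmd.startswith("GROUP"):
            return "211 0 0 0 example.group" if self.authenticated else "480 Authentication required"
        if cmd.startswith("AUTHINFO USER"):
            return "381 Password required" if self.auth_available else "502 Authentication unavailable"
        if cmd.startswith("AUTHINFO PASS"):
            self.authenticated = True
            return "281 Authentication accepted"
        return "500 Unknown command"


def select_group(server, name, user, password, tls_active):
    """Client-side handling of a 480 reply to GROUP.

    Returns "ok", "refused-cleartext", "no-381" or "auth-failed".
    Credentials go out only over an encrypted connection, and PASS only
    after the server has answered USER with 381."""
    code = server.send(f"GROUP {name}")[:3]
    if code != "480":
        return "ok" if code == "211" else "auth-failed"
    if not tls_active:
        # 480 on a cleartext connection: do not let the server prompt a password out of us
        return "refused-cleartext"
    if server.send(f"AUTHINFO USER {user}")[:3] != "381":
        # No 381 means the server cannot (or will not) take a password; stop here
        return "no-381"
    if server.send(f"AUTHINFO PASS {password}")[:3] != "281":
        return "auth-failed"
    return "ok" if server.send(f"GROUP {name}")[:3] == "211" else "auth-failed"
```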