53 lines
2.4 KiB
Plaintext
53 lines
2.4 KiB
Plaintext
MBOX-Line: From gds at chartertn.net Tue Oct 31 21:35:04 2017
|
|
To: imap-protocol@u.washington.edu
|
|
From: Gene Smith <gds@chartertn.net>
|
|
Date: Fri Jun 8 12:34:55 2018
|
|
Subject: [Imap-protocol] authenticate LOGIN question
|
|
In-Reply-To: <CAByav=hQJDvRjYtTDnU0+B5MfzbpLfhjAvCgxhCvDfjj9jeA3Q@mail.gmail.com>
|
|
References: <38137c2b-f1f1-2bed-e22f-2aea7fa50ac3@chartertn.net>
|
|
<CAByav=gBnVkLg+4z90ewBvKRVtOrEQ7XESfirEQ1dyx=Sb0MXw@mail.gmail.com>
|
|
<8204fbd1-3679-c8cc-7f92-d4307867ece0@chartertn.net>
|
|
<1509483762.929.2.camel@16bits.net>
|
|
<ae75defb-739d-e1e0-69d1-0a21c89efaf1@chartertn.net>
|
|
<CAByav=hQJDvRjYtTDnU0+B5MfzbpLfhjAvCgxhCvDfjj9jeA3Q@mail.gmail.com>
|
|
Message-ID: <ba8ab6ae-7ef4-be62-6411-73f66e7e531b@chartertn.net>
|
|
|
|
On 10/31/17 10:04 PM, Tim Showalter wrote:
|
|
> I haven't worked on the Y! IMAP server in several years at this point,
|
|
> and I can't speak for their current implementation. I know that they
|
|
> have rewritten a lot of it since I left.
|
|
>
|
|
> But it is quite possible that it's simply a bug. I don't know which
|
|
> clients would still support AUTH=LOGIN. I would not advise any client to
|
|
> use AUTH=LOGIN, particularly not if PLAIN is available. LOGIN is not a
|
|
> good mechanism, and is strictly worse than both basic LOGIN and PLAIN.
|
|
> It's just more round trips for what I recall to be a silly protocol.
|
|
>
|
|
> Tim
|
|
|
|
Ok, thanks for the input. It does seem like a bug in that auth LOGIN
|
|
doesn't work for yahoo at all. Also, in thunderbird, it only uses auth
|
|
LOGIN if PLAIN fails for some reason. Then it sends the uid/pwd using
|
|
auth LOGIN (that always fails for yahoo) finally it tries imap login.
|
|
|
|
I also notice an anomaly with yahoo's authenticate PLAIN that maybe you
|
|
can explain. If you give it a bad auth string after the + response it
|
|
tells you the credentials are bad with another + prompt. If I respond
|
|
with a good auth string it still fails. Apparently the 2nd + prompt is
|
|
not really requesting a corrected auth string. If so, what is the 2nd
|
|
prompt for? I have seen no other imap servers doing this double
|
|
prompting when a bad auth string is sent.
|
|
|
|
Here's what happens when tb talks to yahoo (yh) doing auth PLAIN when a
|
|
bad auth string is provided followed by a good one:
|
|
|
|
tb: 1 authenticate PLAIN
|
|
yh: +
|
|
tb: <BAD encoded auth string> <--- changed the 5th char to 'z', was 'd'
|
|
yh: + <encode string saying auth string is bad>
|
|
tb: <GOOD encoded auth string> <--- I returned the 5th char back to 'd'
|
|
yh: 1 NO [AUTHENTICATIONFAILED] AUTHENTICATE Invalid credentials
|
|
|
|
-gene
|
|
|