MBOX-Line: From davidmaxwaterman at fastmail.co.uk Wed Nov 2 20:26:58 2005
To: imap-protocol@u.washington.edu
From: Max Waterman <davidmaxwaterman@fastmail.co.uk>
Date: Fri Jun 8 12:34:36 2018
Subject: [Imap-protocol] username/password
In-Reply-To: <Pine.OSX.4.64.0511022009390.533@pangtzu.panda.com>
References: <436988D9.8040106@fastmail.co.uk>
	<Pine.OSX.4.64.0511022009390.533@pangtzu.panda.com>
Message-ID: <43699192.2040701@fastmail.co.uk>

Thanks for the prompt response and clear explanation.

It seems that the options are:

1) propose a new RFC to split the username/password, which can then be
implemented
2) use separate servers for secure and insecure users (I suppose a
second NIC would suffice?)

Is that correct?

Max.

Mark Crispin wrote:
> Your question is difficult to answer, because it makes an incorrect
> premise. That premise is that the server "asks" for a password.
>
> The server does not "ask" for a password in IMAP; rather, the client
> chooses to provide one.
>
> The server MAY announce that it refuses passwords on a global basis via
> the LOGINDISABLED capability. Any client which sends a password to a
> server which has announced LOGINDISABLED is non-compliant with the IMAP
> specification and should not be used.
>
> The standard configuration of UW imapd, in accordance with the IMAP
> specification (RFC 3501), makes such an announcement on non-SSL/TLS
> sessions; and in that state will reject any password even if the
> password is correct. In that state, UW imapd allows other means of
> authentication that do not involve passwords. If the session negotiates
> TLS encryption, the UW imapd will retract the LOGINDISABLED announcement
> and allow password authentication.
>
> For other servers, you will need to read the vendor's documentation.
>
> When announced, LOGINDISABLED is a global restriction. It is not
> possible to allow passwords for some users and disallow passwords for
> other users. This is because the user name and password are sent together.
>
> -- Mark --
>
> http://panda.com/mrc
> Democracy is two wolves and a sheep deciding what to eat for lunch.
> Liberty is a well-armed sheep contesting the vote.
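The client-side rule described in the quoted reply, as an added example that is not part of the original message and is not code from UW imapd: a gate that reads the advertised capabilities, refuses LOGIN while LOGINDISABLED is announced, and forgets the capability list once STARTTLS completes. The class and function names are hypothetical and the server lines are constructed.

```python
import re

# Constructed server lines (not from a real session): the greeting on a
# plaintext connection, and the CAPABILITY reply re-read after STARTTLS.
PLAINTEXT_GREETING = b"* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED AUTH=GSSAPI] ready\r\n"
AFTER_STARTTLS = b"* CAPABILITY IMAP4rev1 AUTH=GSSAPI\r\n"

_CAP_RE = re.compile(
    rb"^\* (?:OK \[CAPABILITY ([^\]]*)\]|CAPABILITY ([^\r\n]*))", re.IGNORECASE)

def parse_capabilities(line):
    """Return the capability atoms of an untagged line, upper-cased."""
    m = _CAP_RE.match(line)
    if not m:
        return frozenset()
    atoms = (m.group(1) or m.group(2) or b"").split()
    return frozenset(a.decode("ascii").upper() for a in atoms)

class LoginPolicy:
    """Hypothetical client-side gate deciding whether LOGIN may be sent."""

    def __init__(self):
        self.caps = frozenset()   # empty means "not known yet"
        self.tls = False

    def on_capability_line(self, line):
        caps = parse_capabilities(line)
        if caps:
            self.caps = caps

    def on_starttls_complete(self):
        # RFC 3501: capabilities cached before TLS must be discarded.
        self.tls = True
        self.caps = frozenset()

    def may_send_login(self):
        # The password travels in the same command as the user name, so the
        # decision has to be made before anything is sent.
        return bool(self.caps) and "LOGINDISABLED" not in self.caps

    def next_step(self):
        if not self.caps:
            return "CAPABILITY"
        if self.may_send_login():
            return "LOGIN"
        if not self.tls and "STARTTLS" in self.caps:
            return "STARTTLS"
        return "AUTHENTICATE_WITHOUT_PASSWORD"
```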