On 2/13/2018 7:48 PM, Patrick Monnerat wrote:
> I've recently been facing a special case: a pop3 server (dovecot) with
> a TLS-upgraded connection and client certificate does not require the
> password when the LOGIN authentication mechanism is used, effectively
> behaving as if it was an EXTERNAL authentication.
>
> > AUTH LOGIN
> < + VXNlcm5hbWU6
> > dXNlcg==
> < +OK Logged in.
>
> Obviously the server does not require the password because the client
> certificate authentication takes precedence; the AUTH command is
> however needed before being able to use other commands. This looks
> like a deviance from the description
> (https://tools.ietf.org/html/draft-murchison-sasl-login-00), that has
> been written "a posteriori" (probably by reverse engineering) and has
> not become a standard. This document does not describe the case when
> the password is not needed.

Interesting. If it's EXTERNAL then aren't you already logged in? I'd ask
dovecot team if that's what they intended.

>
> Currently, curl stops with CURLE_LOGIN_DENIED, treating the positive
> response as bad because a continuation is unconditionally expected.
>
> Should we support this ? If yes, the fix is ready.
>
>
> In addition I would set the LOGIN mechanism a lower priority than the
> PLAIN one, as advised in the document mentioned above.
>
> OK for these changes ?

Where is LOGIN prioritized over PLAIN and is there any effect of that on
this issue?

-------------------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2018-02-14