On Tue, 7 Dec 1999, Mark Morley wrote:
> Just in case it matters, in the archive for the IETF SASL mailing list
> I found a thread (from a few months back) where they talk about exactly
> this. Their feeling is that the SMTP server should only advertise AUTH
> if it is absolutely required of the client, for similar reasons that I
> stumbled upon.
That's useful supporting background. Thanks.
> One thing though. Exim seems to be encoding the server prompt strings
> before sending them to the client. I got the impression from the "spec"
> as well as other messages in the SASL list that the prompts should be
> human-readable (it's not like they contain sensitive data).
There is a proper standard for the general mechanism. RFC 2554. That RFC
says that "challenges" should be encoded. The point is that, in general,
they may contain binary data. Just because they don't for LOGIN doesn't
mean that case should be different.
LOGIN authentication works with Pine, incidentally.
--
Philip Hazel University of Cambridge Computing Service,
ph10@??? Cambridge, England. Phone: +44 1223 334714.
