On Thu, Jan 23, 2014 at 9:05 AM, Phil Pennock <pdp@???> wrote:
>
> This is not usable with CRAM-MD5. CRAM-MD5 requires access to the
> cleartext password. If you use DIGEST-MD5 instead, then you can use a
> stored form which is a particular MD5-transformation of the password,
> but still not the current scheme. If you're going down this path, then
> look to see if the clients support SCRAM auth and how you might store
> multiple hash transforms of the password in your database.
>
> Ideally, SCRAM-SHA-1-PLUS (for channel-binding) else SCRAM-SHA-1.
>
Do you (or anyone) know of a reliable list of MUAs supporting and not
supporting which of these features?
Typically, someone offering authenticated SMTP is more or less forced to
cater for a huge variety. :(
I'm thinking that a viable solution is to have different MUA-facing
servers, with different feature sets and requirements, depending on the MUA.
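
Added example, not part of the original messages: a Python sketch of the stored forms the quoted reply mentions, derived once at password-set time so that DIGEST-MD5 and SCRAM-SHA-1 can both be served from the database. Function and field names are hypothetical, SASLprep normalisation is skipped (ASCII input assumed), and the sample values in the demo are the published RFC 5802 example.

```python
import base64, hashlib, hmac, os

def derive_records(user, realm, password, salt=None, iterations=4096):
    """Run once, at password-set time, while the cleartext is in hand."""
    pw = password.encode()                      # assumption: ASCII, no SASLprep
    salt = salt or os.urandom(16)
    salted = hashlib.pbkdf2_hmac("sha1", pw, salt, iterations)   # RFC 5802 Hi()
    client_key = hmac.new(salted, b"Client Key", hashlib.sha1).digest()
    return {
        # RFC 2831 stored form: H(username ":" realm ":" password)
        "digest_md5": hashlib.md5(f"{user}:{realm}:{password}".encode()).digest(),
        # RFC 5802 stored form: salt, iteration count, StoredKey, ServerKey
        "scram_sha1": {
            "salt": salt, "i": iterations,
            "stored_key": hashlib.sha1(client_key).digest(),
            "server_key": hmac.new(salted, b"Server Key", hashlib.sha1).digest(),
        },
    }

def cram_md5_expected(password, challenge):
    """RFC 2195: the HMAC-MD5 key is the password itself, so none of the
    records above can answer a CRAM-MD5 challenge."""
    return hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()

def scram_verify(rec, auth_message, client_proof):
    """Check a ClientProof from the stored record alone.
    Returns the ServerSignature on success, None on failure."""
    sig = hmac.new(rec["stored_key"], auth_message.encode(), hashlib.sha1).digest()
    if len(client_proof) != len(sig):
        return None
    client_key = bytes(a ^ b for a, b in zip(client_proof, sig))
    if not hmac.compare_digest(hashlib.sha1(client_key).digest(), rec["stored_key"]):
        return None
    return hmac.new(rec["server_key"], auth_message.encode(), hashlib.sha1).digest()

if __name__ == "__main__":
    # RFC 5802 section 5 example: user "user", password "pencil".
    # The realm is a constructed value; SCRAM does not use it.
    rec = derive_records("user", "example.org", "pencil",
                         salt=base64.b64decode("QSXCR+Q6sek8bf92"))
    auth_message = ("n=user,r=fyko+d2lbbFgONRv9qkxdawL,"
                    "r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,s=QSXCR+Q6sek8bf92,i=4096,"
                    "c=biws,r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j")
    proof = base64.b64decode("v0X8v3Bz2T0CJGbJQyF0X+HI4Ts=")
    server_sig = scram_verify(rec["scram_sha1"], auth_message, proof)
    print("SCRAM ok, v=" + base64.b64encode(server_sig).decode())
```

Neither stored record contains the password, but the DIGEST-MD5 value is unsalted and is sufficient on its own to authenticate for that user and realm, so it needs the same protection as a cleartext password column.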