Posted to server-dev@james.apache.org by "Benoit Tellier (Jira)" <se...@james.apache.org> on 2021/08/24 02:10:00 UTC

[jira] [Created] (JAMES-3636) IMAP plainAuthDisallowed should be true by default

Benoit Tellier created JAMES-3636:
-------------------------------------

             Summary: IMAP plainAuthDisallowed should be true by default
                 Key: JAMES-3636
                 URL: https://issues.apache.org/jira/browse/JAMES-3636
             Project: James Server
          Issue Type: Improvement
          Components: IMAPServer
    Affects Versions: 3.6.0
            Reporter: Benoit Tellier
             Fix For: 3.7.0


Encouraging non-encrypted login is definitely a bad practice and could lead to session fixation (where the attacker logs in first, then the victim does not realize that its login fails).

We should make the safe 'plainAuthDisallowed' option the default everywhere.
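As an added example (not part of this ticket or of James itself): a read-only check an operator can run against an IMAP listener to confirm the effect this default is meant to have. It assumes the server follows RFC 2595 / RFC 3501 and advertises LOGINDISABLED on the cleartext session instead of AUTH=PLAIN or AUTH=LOGIN; the host name and the capability lines used in the comments are constructed.

```python
import sys
import imaplib

# Capability tokens that expose a password if a client uses them on a cleartext session.
PLAINTEXT_AUTH_TOKENS = {"AUTH=PLAIN", "AUTH=LOGIN"}


def parse_capability_line(line):
    """Turn a raw untagged response such as
    b'* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED\\r\\n' (constructed) into tokens."""
    text = line.decode("ascii", "replace").strip()
    if text.startswith("* "):
        text = text[2:]
    tokens = text.split()
    if tokens and tokens[0].upper() == "CAPABILITY":
        tokens = tokens[1:]
    return tokens


def cleartext_login_exposed(capabilities):
    """True if this pre-STARTTLS capability list invites a cleartext password.

    RFC 2595 / RFC 3501: a server that wants to refuse plaintext credentials
    before TLS advertises LOGINDISABLED and omits AUTH=PLAIN / AUTH=LOGIN.
    Missing LOGINDISABLED, or still offering a plaintext SASL mechanism,
    means a client may send the password in clear (the situation this ticket
    wants the default configuration to prevent).
    """
    caps = {c.upper() for c in capabilities}
    if "LOGINDISABLED" not in caps:
        return True
    return bool(caps & PLAINTEXT_AUTH_TOKENS)


def audit_imap_server(host, port=143, timeout=10):
    """Connect in clear, read the pre-STARTTLS capabilities and judge them.

    Returns (exposed, capabilities). Only the CAPABILITY exchange that
    imaplib performs on connect is used; no credentials are ever sent.
    """
    conn = imaplib.IMAP4(host, port, timeout=timeout)
    try:
        caps = list(conn.capabilities)  # imaplib caches the upper-cased tokens
        return cleartext_login_exposed(caps), caps
    finally:
        conn.logout()


if __name__ == "__main__":
    # Usage: python imap_plain_check.py imap.example.invalid [port]  (hypothetical host)
    exposed, caps = audit_imap_server(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 143)
    print("EXPOSED" if exposed else "OK", " ".join(caps))
```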
