Posted to server-dev@james.apache.org by "Benoit Tellier (Jira)" <se...@james.apache.org> on 2021/08/24 02:10:00 UTC
[jira] [Created] (JAMES-3636) IMAP plainAuthDisallowed should be true by default
Benoit Tellier created JAMES-3636:
-------------------------------------
Summary: IMAP plainAuthDisallowed should be true by default
Key: JAMES-3636
URL: https://issues.apache.org/jira/browse/JAMES-3636
Project: James Server
Issue Type: Improvement
Components: IMAPServer
Affects Versions: 3.6.0
Reporter: Benoit Tellier
Fix For: 3.7.0
Encouraging non-encrypted login is definitely a bad practice and could lead to session fixation (where the attacker logs in first, then the victim does not realize its login fails).
We should make the safe 'plainAuthDisallowed' option the default everywhere.