Posted to server-dev@james.apache.org by "btellier@apache.org" <bt...@apache.org> on 2021/08/27 03:00:04 UTC

IMAP security: Switch plainAuthDisallowed to true by default, demos with SSL turned on.

Hello all,

I discovered a few days ago the imapserver.xml plainAuthDisallowed
option. It says whether or not the AUTH=PLAIN capability is advertised
before a STARTTLS command. The default value is false, which means that
it encourages clients to send credentials over an insecure medium, and might
result in credentials being stolen.

In https://github.com/apache/james-project/pull/613 I propose to switch
this behavior to disabled by default: one must switch SSL / STARTTLS on
by default before being able to authenticate.

This change should be transparent to well-configured email clients, the
biggest impact being that people testing James with telnet will encounter
difficulties.

As such I propose to rely on openSSL for our demos.

openssl s_client -connect 127.0.0.1:993 ...

Cheers,

Benoit TELLIER
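The check behind this proposal can be scripted against what a server actually advertises. The following is an added example written for this page, not code from the James project or from PR 613: it parses an IMAP CAPABILITY response (either the bare `* CAPABILITY` form or the `* OK [CAPABILITY ...]` greeting form) and reports whether plaintext credentials could be solicited before TLS is negotiated. The sample response lines are constructed, not captured from a real server. Beyond the post's AUTH=PLAIN point, it also flags a missing LOGINDISABLED token, since RFC 2595 expects a server to disable the LOGIN command until STARTTLS has completed.

```python
import re

# Constructed sample CAPABILITY responses (not captured from any real server).
# The first mirrors the plainAuthDisallowed=false default the post describes;
# the second mirrors the hardened behaviour the post proposes.
INSECURE_PRE_TLS = "* CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN IDLE LITERAL+"
HARDENED_PRE_TLS = "* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED IDLE LITERAL+"
GREETING_FORM = "* OK [CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN] IMAP server ready"
POST_TLS = "* CAPABILITY IMAP4rev1 AUTH=PLAIN IDLE LITERAL+"

# Capability tokens follow the word CAPABILITY up to a closing bracket or end of line.
_CAP_RE = re.compile(r"CAPABILITY\s+([^\]\r\n]*)")


def parse_capabilities(line: str) -> set:
    """Return the capability tokens (upper-cased) from an untagged IMAP response."""
    match = _CAP_RE.search(line)
    if not match:
        return set()
    return {token.upper() for token in match.group(1).split()}


def plaintext_auth_findings(caps: set, tls_active: bool) -> list:
    """List the ways a client could be led to send credentials in the clear.

    tls_active=True means the capabilities were read after a completed
    STARTTLS (or on an implicit-TLS port such as 993), so nothing is exposed.
    """
    findings = []
    if tls_active:
        return findings
    if "AUTH=PLAIN" in caps:
        findings.append("AUTH=PLAIN advertised before STARTTLS")
    if "AUTH=LOGIN" in caps:
        findings.append("AUTH=LOGIN advertised before STARTTLS")
    if "LOGINDISABLED" not in caps:
        findings.append("LOGIN command not disabled before STARTTLS (no LOGINDISABLED)")
    if "STARTTLS" not in caps:
        findings.append("STARTTLS not offered on this port")
    return findings


def is_hardened(line: str, tls_active: bool = False) -> bool:
    """True when the response gives a client no plaintext authentication path."""
    return not plaintext_auth_findings(parse_capabilities(line), tls_active)


if __name__ == "__main__":
    for label, line, tls in (
        ("default (insecure)", INSECURE_PRE_TLS, False),
        ("hardened", HARDENED_PRE_TLS, False),
        ("greeting form", GREETING_FORM, False),
        ("after TLS", POST_TLS, True),
    ):
        print(label, "->", plaintext_auth_findings(parse_capabilities(line), tls) or "ok")
```

To run it against a live server, feed `parse_capabilities` the `* CAPABILITY` line returned by issuing `a1 CAPABILITY` over `openssl s_client -connect host:143 -starttls imap` (with `tls_active=True`) and compare with the same line read over a plain connection before STARTTLS (with `tls_active=False`).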

