net/smtp: PlainAuth forces SSL encrypted connection #5184
The argument from Maxim Khitrov on the mailing list was:

--------
RFC 4954 requires the client and server to only use PLAIN authentication after establishing TLS. At the same time, it says "Server sites SHOULD NOT use any configuration which permits a plaintext password mechanism without such a protection mechanism against password snooping."

I think the proper way to handle this in the client is to check whether the PLAIN authentication mechanism was advertised. In other words, replace the simple "!server.TLS" check at src/pkg/net/smtp/auth.go:56 (go 1.0.3) with something that looks through server.Auth entries. This way, the server decides what is allowed.

I do the same thing in my IMAP library, permitting the LOGIN command only when LOGINDISABLED capability is not advertised.
--------
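The check proposed above, written out as an added example (this is not the code from revision ca24f9e or from Go's net/smtp; it is a stand-alone `smtp.Auth` implementation whose `Start` consults the advertised `server.Auth` list instead of only `server.TLS`, and the `StartOn` helper and the host name are constructed for illustration):

```go
package main

import (
	"errors"
	"fmt"
	"net/smtp"
)

// plainAuth implements SASL PLAIN (RFC 4616) for net/smtp. Unlike a bare
// "!server.TLS" check, Start sends the password on a cleartext connection
// only if the server itself advertised PLAIN in its EHLO AUTH line; over
// TLS it is always acceptable, as RFC 4954 intends.
type plainAuth struct {
	identity, username, password, host string
}

func NewPlainAuth(identity, username, password, host string) smtp.Auth {
	return &plainAuth{identity, username, password, host}
}

func (a *plainAuth) Start(server *smtp.ServerInfo) (string, []byte, error) {
	if server.Name != a.host {
		return "", nil, errors.New("smtp: wrong host name")
	}
	if !server.TLS && !advertises(server.Auth, "PLAIN") {
		return "", nil, errors.New("smtp: PLAIN not permitted on this unencrypted connection")
	}
	// Initial response: authzid NUL authcid NUL password.
	return "PLAIN", []byte(a.identity + "\x00" + a.username + "\x00" + a.password), nil
}

func (a *plainAuth) Next(fromServer []byte, more bool) ([]byte, error) {
	if more {
		// PLAIN is a single-round mechanism; any further challenge is a protocol error.
		return nil, errors.New("smtp: unexpected server challenge")
	}
	return nil, nil
}

// advertises reports whether the EHLO AUTH mechanism list contains want.
func advertises(mechanisms []string, want string) bool {
	for _, m := range mechanisms {
		if m == want {
			return true
		}
	}
	return false
}

// StartOn (hypothetical helper) runs Start against a constructed ServerInfo.
func StartOn(host string, tls bool, auth []string) (string, []byte, error) {
	return NewPlainAuth("", "user", "secret", host).Start(&smtp.ServerInfo{Name: host, TLS: tls, Auth: auth})
}

func main() {
	_, _, err := StartOn("mail.example.test", false, []string{"LOGIN"})
	fmt.Println("cleartext, PLAIN not advertised:", err)
	proto, _, err := StartOn("mail.example.test", false, []string{"PLAIN", "LOGIN"})
	fmt.Println("cleartext, PLAIN advertised:", proto, err)
}
```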
This issue was closed by revision ca24f9e. Status changed to Fixed.
by snoreven45: