Hi list,
I've noticed dovecot pop3 does not request the password with 'AUTH LOGIN' when nopassword is set.
dovecot-2.2.18
auth_mechanisms = plain login ssl = required auth_ssl_require_client_cert = yes auth_ssl_username_from_cert = yes
passdb { driver = ldap args = /etc/dovecot/dovecot-ldap.conf.ext default_fields = nopassword=yes userdb_uid=vmail userdb_gid=vmail userdb_home=/var/spool/vmail/%d/%n override_fields = password= } userdb { driver = prefetch } userdb { driver = ldap args = /etc/dovecot/dovecot-ldap.conf.ext default_fields = uid=vmail gid=vmail home=/var/spool/vmail/%d/%n }
Although this works perfectly well, skipping the password phase in the SASL LOGIN mechanism deviates from the draft for this mechanism at https://tools.ietf.org/html/draft-murchison-sasl-login-00
I know this document is not normative and has not made its way to a standard. However it does not mention the ability to bypass the password phase.
My questions are:
- Is the dovecot behavior intentional ?
- If not, will you change it (i.e.: to a dummy password request) ?
- Are you aware of another server considering the SASL LOGIN password phase as optional ?
Please don't tell me to change the config or to use the PLAIN or EXTERNAL mechanism: the real goal of these questions is to know whether this deviance should be supported by a client (more precisely cURL) or not.
Thanks in advance for you reply.
Patrick