Dear all,

In first, I wish you a Happy New Year 2025!

In the past, I have requested SCRAM support in Dovecot, etc.

I would like to know the situation with -PLUS variants (Channel Binding)?

This feature for more security is always missing.

RFC 9266: Channel Bindings for TLS 1.3:

• https://datatracker.ietf.org/doc/html/rfc9266

Little details, to know easily:

• tls-unique for TLS =< 1.2
• tls-server-end-point
• tls-exporter for TLS = 1.3

Can you add tls-unique, tls-server-end-point and tls-exporter to be perfect?

Stephan Bosch has started but no news since one year:

• https://github.com/dovecot/core/compare/main...stephanbosch:dovecot-core:sas...

Other links:

SASL2 I-D: Extensible Simple Authentication and Security Layer (SASL):

• https://datatracker.ietf.org/doc/html/draft-melnikov-sasl2

It is in several XEPs too:

• XEP-0388: Extensible SASL Profile: https://xmpp.org/extensions/xep-0388.html
• XEP-0440: SASL Channel-Binding Type Capability: https://xmpp.org/extensions/xep-0440.html
• XEP-0474: SASL SCRAM Downgrade Protection: https://xmpp.org/extensions/xep-0474.html
• XEP-0480: SASL Upgrade Tasks: https://xmpp.org/extensions/xep-0480.html

Thanks in advance.

Regards,

Neustradamus