Hi list,

I've noticed dovecot pop3 does not request the password with 'AUTH LOGIN' when nopassword is set.

dovecot-2.2.18

auth_mechanisms = plain login ssl = required auth_ssl_require_client_cert = yes auth_ssl_username_from_cert = yes

passdb { driver = ldap args = /etc/dovecot/dovecot-ldap.conf.ext default_fields = nopassword=yes userdb_uid=vmail userdb_gid=vmail userdb_home=/var/spool/vmail/%d/%n override_fields = password= } userdb { driver = prefetch } userdb { driver = ldap args = /etc/dovecot/dovecot-ldap.conf.ext default_fields = uid=vmail gid=vmail home=/var/spool/vmail/%d/%n }

Although this works perfectly well, skipping the password phase in the SASL LOGIN mechanism deviates from the draft for this mechanism at https://tools.ietf.org/html/draft-murchison-sasl-login-00

I know this document is not normative and has not made its way to a standard. However it does not mention the ability to bypass the password phase.

My questions are:

• Is the dovecot behavior intentional ?
• If not, will you change it (i.e.: to a dummy password request) ?
• Are you aware of another server considering the SASL LOGIN password phase as optional ?

Please don't tell me to change the config or to use the PLAIN or EXTERNAL mechanism: the real goal of these questions is to know whether this deviance should be supported by a client (more precisely cURL) or not.

Thanks in advance for you reply.

Patrick