The proposal is to only use PLAIN with encryption:
i) if TLS is in play, use internal PLAIN if the server supports it, else
ii) fail

Right, but TLS doesn't guarantee you're talking to the right server
(unless you do certificate verification, and we don't AFAIK); it only
guarantees the channel is encrypted; I believe with the current setup
Maybe this isn't a practical concern, since I don't think many other
people care. It occurs to me that I should set SASL_SEC_NOPLAINTEXT
when TLS is not in use.
--Ken
_______________________________________________
Nmh-workers mailing list
Nmh-workers@nongnu.org
https://lists.nongnu.org/mailman/listinfo/nmh-workers
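
The mechanism policy discussed in this message, written out as an added C example; it is not nmh code and not part of the original thread. The names `plan_auth`, `offers` and the `require_cert` switch are hypothetical, and the server mechanism list in `main` is constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum auth_plan {
    AUTH_FAIL,             /* refuse to authenticate */
    AUTH_INTERNAL_PLAIN,   /* send PLAIN over the TLS channel */
    AUTH_SASL_NOPLAINTEXT  /* hand off to SASL with plaintext mechanisms excluded */
};

/* Whole-token, case-insensitive lookup in a space-separated mechanism list,
   so "PLAIN" does not match "XPLAIN" or "PLAIN-CLIENTTOKEN". */
static int offers(const char *mechs, const char *name)
{
    size_t want = strlen(name);
    while (*mechs) {
        mechs += strspn(mechs, " ");
        size_t n = strcspn(mechs, " "), i = 0;
        while (i < n && i < want &&
               tolower((unsigned char)mechs[i]) == tolower((unsigned char)name[i]))
            i++;
        if (n == want && i == n)
            return 1;
        mechs += n;
    }
    return 0;
}

/* tls_active:    the channel is encrypted.
 * cert_verified: the server certificate was checked against the expected host.
 * require_cert:  assumption added for this example; when set, an encrypted but
 *                unauthenticated channel is not enough to send PLAIN. */
enum auth_plan plan_auth(int tls_active, int cert_verified, int require_cert,
                         const char *server_mechs)
{
    if (!tls_active)          /* cleartext link: set SASL_SEC_NOPLAINTEXT */
        return AUTH_SASL_NOPLAINTEXT;
    if (require_cert && !cert_verified)
        return AUTH_FAIL;     /* encrypted, but possibly to the wrong server */
    if (offers(server_mechs, "PLAIN"))
        return AUTH_INTERNAL_PLAIN;   /* proposal step i */
    return AUTH_FAIL;                 /* proposal step ii */
}

int main(void)
{
    /* Constructed input: TLS up, certificate unchecked, strict mode on. */
    printf("%d\n", plan_auth(1, 0, 1, "GSSAPI PLAIN"));
    return 0;
}
```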