bug-mailutils

Re: AUTH= !*, what to do...


From: Sam Roberts
Subject: Re: AUTH= !*, what to do...
Date: Thu, 9 Aug 2001 23:43:04 -0400
User-agent: Mutt/1.3.16i

Bonsoir!

Quoting Alain Magloire <address@hidden>, who wrote:
> > However, I think:
> > 
> > - we should initialize the authority when we create the mailbox and
> >   parse the url, that way we can fail early
> 
> I think my view back then was, "let it through, they may know what
> they are doing".
> 
> For example sometimes (imap) servers are preconfigured (although I've
> never seen an actual case) to let through without authentication
> some clients, it may be based on the IP etc .. it's called PREAUTH.
> 
> So failing early may not be a good choice.
> 
> How about this
> 
> - open the connection
> - Check if authentication is required
>   if server says PREAUTH, let it through.
> - else check the authentication scheme
>   try to create it.
>   if (failed) because can not recognise
>   or instantiate the auth
>    - close connection
>    - return EPERM

I don't like the idea of making a network connection before the mailbox has
been opened, and I don't think it's necessary.

How about, in mailbox_create():

If no auth mechanism is supplied in the URL, create a LOGIN auth mechanism
(the one we currently have, this would be sensible and backwards compatible).

If an AUTH= was supplied in the URL, that's the one the person wants, if we
support it, create it, if we don't, return an error.

Next, in mailbox_open():

We make a network connection, the server responds with (from 3.4 of rfc2060):

(3) BYE -> close the connection
(2) PREAUTH -> move to authenticated state, bypassing any authentication,
    even if the URL had one specified.
(1) OK -> in this case we are supposed to authenticate.

  We have two options:

  a - attempt to use the auth mechanism we created (if it's not supported,
      authentication will fail). If the mailbox is an anonymous mailbox,
      then the auth mechanism auth=anonymous MUST have been specified for
      authentication to work.
  b - issue CAPABILITY, if the server supports auth=anonymous, authenticate
      using it, bypassing "real" authentication. Otherwise, try (a). We
      could see if the auth mechanism we are about to try is supported, but
      I don't see the point.

Future enhancement, have AUTH=* register ALL implemented mechanisms, then try


> > - I want to support AUTH=ANONYMOUS, so I need an anonymous authentication
> >   object, I'll look at this over the weekend.
> > 
> > I mention this in case anybody has some ideas about how to do this
> > that they haven't had the time to code, now would be the time to
> > mention it!
> 
> Well I do not know what you meant by
> AUTH=pwd

An unsupported and non-existent algorithm, created by a combination of
command recall and bad typing! I would contend that being unsupported,
we should fail to connect.

> nor
> AUTH=ANONYMOUS

I committed the rfc specifying this one, the CMU Cyrus mailing list has an
on-line IMAP archive of the mailing list that uses this auth mechanism. It is
supported by mutt, at least, which implements suggestion (b) above,
automatically authenticating with auth rather than trying LOGIN. The CMU imap
server would be a nice imap box to write test scripts against, easily
accessible from anywhere.

> > p.s. I committed some stuff, in case I'm still invisible!
> 
> You are invisible.

Weird.

> p.p.s. : Is it as hot and humid, in Toronto?  I can barely move here.

It was 35 outside my window when I woke up this morning, I've been
moving in slow motion. I was away near Algonquin park on an island
on the lake last weekend, and when I got back I think my metabolism
shut down. I've been living on Mangos!

Sam

-- 
Sam Roberts <address@hidden> (Vivez sans temps mort!)
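
The create-time and open-time split proposed in the message above, with option (a), as an added sketch that is not part of the original message and is not mailutils code. The function and enum names, the supported-mechanism set and the use of EPERM (borrowed from the quoted proposal) are assumptions made for the example.

```c
/* Added illustration; all names are hypothetical, not mailutils API. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

enum mech { MECH_NONE, MECH_LOGIN, MECH_ANONYMOUS };
enum next_step { STEP_CLOSE, STEP_AUTHENTICATED, STEP_RUN_AUTH };

/* Create-time step: map the URL's AUTH= value (NULL when absent) to a
   mechanism, failing before any network traffic if it is unsupported.
   The supported set here (ANONYMOUS only) is constructed for the example. */
int choose_mech(const char *auth_param, enum mech *out)
{
    *out = MECH_NONE;
    if (auth_param == NULL)
        *out = MECH_LOGIN;                 /* backwards-compatible default */
    else if (strcasecmp(auth_param, "ANONYMOUS") == 0)
        *out = MECH_ANONYMOUS;
    return *out == MECH_NONE ? EPERM : 0;  /* e.g. AUTH=pwd is rejected */
}

/* Open-time step: classify the server greeting (RFC 2060, section 3.4).
   Anything that is not a well-formed greeting is treated like BYE. */
enum next_step on_greeting(const char *line)
{
    static const struct { const char *word; enum next_step step; } tab[] = {
        { "OK", STEP_RUN_AUTH },           /* authenticate with chosen mech */
        { "PREAUTH", STEP_AUTHENTICATED }, /* skip auth, even if URL named one */
        { "BYE", STEP_CLOSE },
    };
    size_t i, n;

    if (strncmp(line, "* ", 2) != 0)
        return STEP_CLOSE;
    line += 2;
    for (i = 0; i < sizeof tab / sizeof tab[0]; i++) {
        n = strlen(tab[i].word);
        /* The word must end at a space, CR, LF or end of string. */
        if (strncasecmp(line, tab[i].word, n) == 0 && strchr(" \r\n", line[n]))
            return tab[i].step;
    }
    return STEP_CLOSE;
}

int main(void)
{
    enum mech m;
    int rc = choose_mech("pwd", &m);       /* constructed input */
    printf("AUTH=pwd -> %s\n", rc ? "rejected" : "accepted");
    printf("greeting -> %d\n", on_greeting("* PREAUTH ready\r\n"));
    return 0;
}
```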


