james-server-dev mailing list archives

From Antony Bowesman <...@teamware.com>
Subject Re: [IMAP] Securing IMAP?
Date Thu, 27 Mar 2008 23:03:24 GMT
Robert Burrell Donkin wrote:
> RFC2595 is an additional standard. when privacy mode is on it is
> incompatible with clients written to IMAP4rev1.
> but you're right that it would not be unreasonable to ship with
> RFC2595 privacy mode on

3501 updates some of 2595, see 11.1 STARTTLS.

>>  The 30 minute timer is 'autologout', so if the client has not authenticated,
>>  either with LOGIN or AUTHENTICATE, then technically, the client is not logged in,
>>  therefore the 30 minute timer does not apply.
> yes, i agree it's very reasonable to read the specification in this way

:) Some of the problems with IMAP are just because the spec can be interpreted 
in a number of ways.

> thanks - this is in RFC3501 but not in RFC2060. 3501 is much better in
> many ways (but some of the recommendations may break older clients)

2060 is sooooo old, 1996 and even 3501 is 5 years old.  My major gripe with 3501 
is that it mandates STARTTLS but still keeps the IMAP conformance at IMAP4rev1, 
so a client does not know if it is connecting to a 2060 server or a broken 3501. 
We've not had problems with 3501 though - clients would have to be pretty old 
not to work against it.

> i can't find explicit mention in 3501 about the use of BYE in this
> situation but it seems reasonable to me (hopefully someone will set me
> straight if i'm mistaken)

No, it's not clear, but look at 3.4 including the pic page 15.  The pic shows 
the path from "Not Authenticated" state to Logout is documented at step (7) as

          (7) LOGOUT command, server shutdown, or connection closed

3.4 implies that the connection can be unilaterally terminated by the server, as 
long as it sends the BYE before doing so.


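The behaviour discussed in this message, sketched as an added example (not code from the post or from James): the 30-minute autologout applies only once a client has authenticated, a shorter limit covers the "Not Authenticated" state, and the server sends an untagged BYE before it closes. The `ImapSession` class, the `auth_ok` flag and the 60-second pre-authentication limit are assumptions made for illustration.

```python
import enum

class State(enum.Enum):
    NOT_AUTHENTICATED = 1
    AUTHENTICATED = 2
    LOGOUT = 3

AUTOLOGOUT_SECS = 30 * 60  # RFC 3501 5.4: an autologout timer must be at least 30 minutes
PREAUTH_IDLE_SECS = 60     # assumed site policy for clients that have not logged in

class ImapSession:
    """Hypothetical per-connection state; `sent` records lines written to the client."""

    def __init__(self, now):
        self.state = State.NOT_AUTHENTICATED
        self.last_activity = now
        self.sent = []

    def on_command(self, tag, command, now, auth_ok=False):
        if self.state is State.LOGOUT:
            return  # connection is already being torn down
        self.last_activity = now
        command = command.upper()
        if command == "LOGOUT":
            self._bye("logging out")
            self.sent.append(f"{tag} OK LOGOUT completed")
        elif command in ("LOGIN", "AUTHENTICATE") and self.state is State.NOT_AUTHENTICATED:
            if auth_ok:  # credential check itself is out of scope here
                self.state = State.AUTHENTICATED
                self.sent.append(f"{tag} OK {command} completed")
            else:
                self.sent.append(f"{tag} NO {command} failed")
        else:
            self.sent.append(f"{tag} BAD command not valid in this state")

    def tick(self, now):
        """Apply the idle limit for the current state; True means close the socket."""
        if self.state is State.AUTHENTICATED:
            limit = AUTOLOGOUT_SECS
        else:
            limit = PREAUTH_IDLE_SECS
        if self.state is not State.LOGOUT and now - self.last_activity >= limit:
            self._bye("idle timeout")
        return self.state is State.LOGOUT

    def _bye(self, text):
        # The untagged BYE goes out before the connection is dropped.
        self.sent.append(f"* BYE {text}")
        self.state = State.LOGOUT
```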