Don't advertise AUTH=PLAIN in capability if disable_plaintext_auth = yes and

SSL/TLS is not yet negotiated.

--HG--
branch : HEAD

diff --git a/src/imap-login/client-authenticate.c b/src/imap-login/client-authenticate.c
index 405b50504024c3a94fcee4e74c363b0471ce41ef..3f1035ba9b81f88f6464339a7469c55cd2897c23 100644 (file)
--- a/src/imap-login/client-authenticate.c
+++ b/src/imap-login/client-authenticate.c
@@ -19,7 +19,7 @@
 static enum auth_mech auth_mechs = 0;
 static char *auth_mechs_capability = NULL;
 
-const char *client_authenticate_get_capabilities(void)
+const char *client_authenticate_get_capabilities(int tls)
 {
        string_t *str;
        int i;
@@ -34,7 +34,9 @@ const char *client_authenticate_get_capabilities(void)
 
        for (i = 0; i < AUTH_MECH_COUNT; i++) {
                if ((auth_mechs & auth_mech_desc[i].mech) &&
-                   auth_mech_desc[i].name != NULL) {
+                   auth_mech_desc[i].name != NULL &&
+                   (tls || !auth_mech_desc[i].plaintext ||
+                    !disable_plaintext_auth)) {
                        str_append_c(str, ' ');
                        str_append(str, "AUTH=");
                        str_append(str, auth_mech_desc[i].name);

diff --git a/src/imap-login/client-authenticate.h b/src/imap-login/client-authenticate.h
index f9480f55bc7ebcf89389f73d96fb9fa8b1526725..9883c60c437ee344bd9edaceb93ca2b2bf5a1805 100644 (file)
--- a/src/imap-login/client-authenticate.h
+++ b/src/imap-login/client-authenticate.h
@@ -1,7 +1,7 @@
 #ifndef __CLIENT_AUTHENTICATE_H
 #define __CLIENT_AUTHENTICATE_H
 
-const char *client_authenticate_get_capabilities(void);
+const char *client_authenticate_get_capabilities(int tls);
 
 int cmd_login(struct imap_client *client, struct imap_arg *args);
 int cmd_authenticate(struct imap_client *client, struct imap_arg *args);

diff --git a/src/imap-login/client.c b/src/imap-login/client.c
index 02fa27c0385b95de7191ccfb45d8dacad16452bb..889b35a95f5963033a4162989467b820dbd2488a 100644 (file)
--- a/src/imap-login/client.c
+++ b/src/imap-login/client.c
@@ -89,14 +89,13 @@ static int client_skip_line(struct imap_client *client)
 
 static int cmd_capability(struct imap_client *client)
 {
-       const char *capability;
+       const char *capability, *auths;
 
+       auths = client_authenticate_get_capabilities(client->tls);
        capability = t_strconcat("* CAPABILITY " CAPABILITY_STRING,
                                 ssl_initialized ? " STARTTLS" : "",
                                 disable_plaintext_auth && !client->tls ?
-                                " LOGINDISABLED" : "",
-                                client_authenticate_get_capabilities(),
-                                NULL);
+                                " LOGINDISABLED" : "", auths, NULL);
        client_send_line(client, capability);
        client_send_tagline(client, "OK Capability completed.");
        return TRUE;

diff --git a/src/pop3-login/client-authenticate.c b/src/pop3-login/client-authenticate.c
index 1220f9245f5c061e77b5762cc80fd6166d390800..ba935c06418a0b36cb2c8cd084072a6566f22776 100644 (file)
--- a/src/pop3-login/client-authenticate.c
+++ b/src/pop3-login/client-authenticate.c
@@ -33,7 +33,9 @@ int cmd_capa(struct pop3_client *client, const char *args __attr_unused__)
                str_append(str, "SASL");
                for (i = 0; i < AUTH_MECH_COUNT; i++) {
                        if ((auth_mechs & auth_mech_desc[i].mech) &&
-                           auth_mech_desc[i].name != NULL) {
+                           auth_mech_desc[i].name != NULL &&
+                           (client->tls || !auth_mech_desc[i].plaintext ||
+                            !disable_plaintext_auth)) {
                                str_append_c(str, ' ');
                                str_append(str, auth_mech_desc[i].name);
                        }