LOGIN to HISTORY

[Neustradamus]

Dear @duesee,

The 31 August 2006, PLAIN has replaced LOGIN, it is time to remove.

31 August 2006: RFC4616: The PLAIN Simple Authentication and Security Layer (SASL) Mechanism:

• https://datatracker.ietf.org/doc/html/rfc4616

There are now:

• July 2010: RFC5802: Salted Challenge Response Authentication Mechanism (SCRAM): SASL and GSS-API Mechanisms: https://tools.ietf.org/html/rfc5802 (SCRAM-SHA-1 and SCRAM-SHA-1-PLUS)
• July 2010: RFC5803: Lightweight Directory Access Protocol (LDAP) Schema for Storing Salted: Challenge Response Authentication Mechanism (SCRAM) Secrets: https://tools.ietf.org/html/rfc5803
• November 2015: RFC7677: SCRAM-SHA-256 and SCRAM-SHA-256-PLUS: Simple Authentication and Security Layer (SASL) Mechanisms: https://tools.ietf.org/html/rfc7677

Soon:

• SCRAM-SHA-512(-PLUS): https://tools.ietf.org/html/draft-melnikov-scram-sha-512
• SCRAM-SHA3-512(-PLUS): https://tools.ietf.org/html/draft-melnikov-scram-sha3-512

Linked to:

• https://github.com/duesee/imap-codec/issues/404

[duesee]

Hey @Neustradamus! Thank you very much for filing these issues and for the useful resources! I'm not entirely sure how to "resolve" this issue, though.

I think that imap-codec can/should still encode all existing AUTH variants -- even the bad ones. I could feature-gate LOGIN but feel that I don't want to maintain the feature-flag. Removal would be a (breaking) alternative... Not sure we want to do it.

By the way, do you have insights on how widespread LOGIN still is? Recent Internet-Scans, etc.? I heard rumors that some large providers still require LOGIN but could not confirm with some quick tests. As much as I would love to remove it, I feel that it could be a matter of time someone opens a PR asking to support it again :-(

[duesee]

I'll close this as I believe this should be handled by an upper layer. Thanks, @Neustradamus!