Re: Unsolicited CAPABILITY response
If the client and server negotiate a SASL security layer, it is
important for the client to discard its information about server
capabilities and re-issue the CAPABILITY command. Otherwise, an active
attacker could fool the client by inserting or modifying a CAPABILITY
response before authentication completes. For this reason, the STARTTLS
extension in draft-newman-tls-imappop-04.txt explicitly modifies the
don't-change-CAPABILITIES requirement of the base IMAP specification.
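Client-side handling of the rule described in the message, as an added example (not code from the original post, nor from any IMAP library or RFC): a capability cache that is discarded whenever STARTTLS or a SASL security layer comes up and that refuses to answer capability queries until CAPABILITY has been re-issued on the protected connection. The class, method names and the sample session lines are assumptions.

```python
from typing import Optional, Set


class CapabilityCache:
    """Client-side cache tagged with the protection layer it was learned on
    (hypothetical helper, not an API from any RFC or library)."""

    def __init__(self) -> None:
        self.layer = "plaintext"          # current layer: plaintext, tls or sasl
        self.caps: Set[str] = set()
        self.learned_on: Optional[str] = None

    def handle_untagged(self, line: str) -> None:
        """Parses '* CAPABILITY ...' and '* OK [CAPABILITY ...] text' lines."""
        up = line.upper()
        if up.startswith("* CAPABILITY "):
            words = up.split()[2:]
        elif up.startswith("* ") and "[CAPABILITY " in up:
            start = up.index("[CAPABILITY ") + len("[CAPABILITY ")
            words = up[start:].split("]", 1)[0].split()
        else:
            return
        self.caps = set(words)
        self.learned_on = self.layer

    def protection_layer_established(self, layer: str) -> None:
        """Call after STARTTLS or a SASL security layer succeeds: anything
        advertised earlier may have been inserted or modified in transit,
        so drop it and require a fresh CAPABILITY on the new layer."""
        self.layer = layer
        self.caps = set()
        self.learned_on = None

    def needs_refresh(self) -> bool:
        """True until CAPABILITY has been answered on the current layer."""
        return self.learned_on != self.layer

    def has(self, cap: str) -> bool:
        """Only honour capabilities learned on the current layer."""
        return not self.needs_refresh() and cap.upper() in self.caps


def session_walkthrough() -> dict:
    """Constructed session: plaintext greeting, STARTTLS, fresh CAPABILITY."""
    c = CapabilityCache()
    c.handle_untagged("* OK [CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN] ready")
    before = c.has("AUTH=PLAIN")
    c.protection_layer_established("tls")   # tagged OK to STARTTLS received
    stale = c.has("AUTH=PLAIN")             # False: not yet re-queried
    c.handle_untagged("* CAPABILITY IMAP4rev1 AUTH=PLAIN AUTH=CRAM-MD5")
    return {"before": before, "stale": stale, "after": c.has("AUTH=CRAM-MD5")}
```

The same invalidation applies after a SASL exchange that negotiates a security layer; pass a different layer name to `protection_layer_established` and the pre-negotiation capabilities are discarded in the same way.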