At work I had the pleasure of having to connect to an µ$ Exchange server
via IMAP. A totally trivial thing you'd think? No.
That's because Microsoft sucks big deal and does - again - not
follow standard protocols.
The IMAP server tells us LOGINDISABLED when we initially connect until we STARTTLS, which is completely valid. Then we get a CAPABILITY of AUTH=PLAIN beside some other ones like NTLM and GSSAPI. So what does my mail client, implementing neither NTLM nor GSS, do?
Yes, it tries to AUTHENTICATE PLAIN. What does the server say?
+. Yep. That's all folks.
The most probable explanation is that
there is an activated "disable plain auth" checkbox in the
configuration, which is ignored when generating the capabilities line.
The + is actually allowed. RFC 3501, section 7 defines it as "continuation" response of the server, indicating that he understood the partial command and wants the client to continue.
Thanks to Jim Mulvey for the hint.
1 CAPABILITY IMAP4< * CAPABILITY IMAP4 IMAP4rev1 AUTH=NTLM AUTH=GSSAPI LOGINDISABLED STARTTLS IDLE NAMESPACE LITERAL+ IMAP4< 1 OK CAPABILITY completed. IMAP4> 2 STARTTLS IMAP4< 2 OK Begin TLS negotiation now. IMAP4> 3 CAPABILITY IMAP4< * CAPABILITY IMAP4 IMAP4rev1 AUTH=NTLM AUTH=GSSAPI AUTH=PLAIN IDLE NAMESPACE LITERAL+ IMAP4< 3 OK CAPABILITY completed. IMAP4> 4 AUTHENTICATE PLAIN IMAP4< + IMAP4> 5 LOGOUT IMAP4< 4 NO AUTHENTICATE failed.]]>
Oh Microsoft, you suck. Suck, suck, suck.
AUTH=LOGIN is not listed as capability, but fortunately could be forced in Sylpheed.