IMAP with Exchange

At work I had the pleasure of having to connect to an ยต$ Exchange server via IMAP. A totally trivial thing you'd think? No. That's because Microsoft sucks big deal and does - again - not follow standard protocols.

The IMAP server tells us LOGINDISABLED when we initially connect until we STARTTLS, which is completely valid. Then we get a CAPABILITY of AUTH=PLAIN beside some other ones like NTLM and GSSAPI. So what does my mail client, implementing neither NTLM nor GSS, do?

Yes, it tries to AUTHENTICATE PLAIN. What does the server say? +. Yep. That's all folks. The most probable explanation is that there is an activated "disable plain auth" checkbox in the configuration, which is ignored when generating the capabilities line.

Update 2013-06-25

The + is actually allowed. RFC 3501, section 7 defines it as "continuation" response of the server, indicating that he understood the partial command and wants the client to continue.

Thanks to Jim Mulvey for the hint.

 1 CAPABILITY
IMAP4< * CAPABILITY IMAP4 IMAP4rev1 AUTH=NTLM AUTH=GSSAPI LOGINDISABLED STARTTLS IDLE NAMESPACE LITERAL+
IMAP4< 1 OK CAPABILITY completed.
IMAP4> 2 STARTTLS
IMAP4< 2 OK Begin TLS negotiation now.
IMAP4> 3 CAPABILITY
IMAP4< * CAPABILITY IMAP4 IMAP4rev1 AUTH=NTLM AUTH=GSSAPI AUTH=PLAIN IDLE NAMESPACE LITERAL+
IMAP4< 3 OK CAPABILITY completed.
IMAP4> 4 AUTHENTICATE PLAIN
IMAP4< +
IMAP4> 5 LOGOUT
IMAP4< 4 NO AUTHENTICATE failed.]]>

Oh Microsoft, you suck. Suck, suck, suck. You don't suck this time

AUTH=LOGIN is not listed as capability, but fortunately could be forced in Sylpheed.

Written by Christian Weiske.

Comments? Please send an e-mail. Or Reply or Like.