Rob Siemborski <[EMAIL PROTECTED]> wrote:

Mostly Randomly.  Somewhat based on the order the plugin is loaded.
Security requirements of SASL basically dictate that the client ignore the
order they are advertised.

The problem arises (again) with Microsoft Outlook and Outlook Express.

Outlook breaks when "AUTH=NTLM" is not the FIRST method announced! It
gives me an error saying "DIGEST-MD5: authentication failed" in Outlook
(sure, Microsoft products only handle GSSAPI, NTLM and plaintext).

So, if you don't want to use DIGEST (or whatever), restrict what is advertised with sasl_mech_list.

So I would have to disable all but NTLM to be sure AUTH=NTLM is the first or only "AUTH" visible. No, I won't do this for Microsoft users only because of their broken clients.
Users noticed the behaviour because sending mail with SPA/NTLM did work (our mail relays use sasl2 with postfix and there "AUTH NTLM"/"AUTH=NTLM" is surprisingly the first auth announced):


250-AUTH NTLM PLAIN LOGIN DIGEST-MD5 CRAM-MD5
250-AUTH=NTLM PLAIN LOGIN DIGEST-MD5 CRAM-MD5

So this worked. My imapd however gives this:

* CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE STARTTLS AUTH=DIGEST-MD5 AUTH=NTLM AUTH=CRAM-MD5 ANNOTATEMORE X-NETSCAPE

And Outlook ALWAYS tries to use "DIGEST-MD5" saying it can't do so. What a perfectly dumb and broken client.
I set up a fake imapd (using echo and read) to see how Outlook behaves when parsing "AUTH". When putting "AUTH=NTLM" before DIGEST-MD5, Outlook works. Quite funny. It's just for the record in case anybody experiences the same strange behaviour.


I won't change anything in my installation.
Outlook users can still use SSL if they don't want their password exposed.

Thank you for your clarification!

Pascal
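As an added illustration of the point Rob makes above (this is example code, not anything from the thread or from Cyrus): a small parser that pulls the advertised SASL mechanisms, in server order, out of both banner formats quoted in the mail (SMTP `250-AUTH ...`/`250-AUTH=...` and IMAP `AUTH=...` capability tokens), then contrasts a client that blindly takes the first advertised mechanism with one that picks from its own preference list, which is what SASL requires. The banners and the client preference rankings are constructed for the example.

```python
import re

# Constructed banners, shaped like the two quoted in the mail.
SMTP_EHLO = """250-mail.example.test
250-AUTH NTLM PLAIN LOGIN DIGEST-MD5 CRAM-MD5
250-AUTH=NTLM PLAIN LOGIN DIGEST-MD5 CRAM-MD5
250 STARTTLS"""

IMAP_CAPA = ("* CAPABILITY IMAP4 IMAP4rev1 IDLE STARTTLS AUTH=DIGEST-MD5 "
             "AUTH=NTLM AUTH=CRAM-MD5 ANNOTATEMORE")

# Assumed client rankings, strongest first. The second one mirrors a client
# that, as the mail says, only does GSSAPI, NTLM and plaintext.
FULL_CLIENT = ["GSSAPI", "DIGEST-MD5", "CRAM-MD5", "NTLM", "PLAIN", "LOGIN"]
LIMITED_CLIENT = ["GSSAPI", "NTLM", "PLAIN", "LOGIN"]


def advertised_mechs(banner):
    """Return SASL mechanisms in the order the server advertised them.

    Handles SMTP 'AUTH a b c' and 'AUTH=a b c' lines as well as IMAP
    'AUTH=a AUTH=b' capability tokens. Duplicates (SMTP sends both forms)
    are dropped while keeping first-seen order.
    """
    mechs = []
    for line in banner.splitlines():
        if line.startswith("250"):
            m = re.match(r"250[- ]AUTH[ =](.+)", line)
            if m:
                mechs.extend(m.group(1).split())
        elif line.startswith("* CAPABILITY"):
            mechs.extend(tok[5:] for tok in line.split() if tok.startswith("AUTH="))
    ordered = []
    for m in mechs:
        if m not in ordered:
            ordered.append(m)
    return ordered


def order_dependent_choice(banner):
    """Mimics a client that just takes the first mechanism the server lists."""
    return advertised_mechs(banner)[0]


def preference_choice(banner, client_ranking):
    """What SASL expects: choose by the client's own ranking, ignoring server order."""
    offered = set(advertised_mechs(banner))
    for m in client_ranking:
        if m in offered:
            return m
    return None  # nothing usable offered
```

With the IMAP banner, the order-dependent client lands on DIGEST-MD5 (which the limited client cannot complete), while ranking-based selection correctly settles on NTLM whatever position it is advertised in.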
