[Imap-protocol] changed capabilities after login

Mark Crispin MRC at CAC.Washington.EDU
Thu Aug 31 17:45:42 PDT 2006 

On Thu, 31 Aug 2006, Brendan Cully wrote:
> Is it kosher for the server to silently drop support for a
> previously-advertised capability?

The short answer is yes.

Longer answer:

Although RFC 3501 doesn't go out and say so directly, a client should 
obtain a new capability list after a successful authentication as well as 
after a successful TLS negotiation.

One reason is that a server may choose, in Not Authenticated state, not to 
disclose capabilities which are only of use in Authenticated state.

For example, prior to authentication UW imapd auto-announces only those 
capabilities which are useful in Not Authenticates state, and after 
authentication auto-announces only those capabilities which are useful in 
Authenticated and Selected states.  The only common capabilities in these 
two sets are IMAP4REV1 and LITERAL+.

The untagged CAPABILITY response to a CAPABILITY command always announces 
all capabilities in UW imapd.  Mirapoint, on the other hand, seems to 
suppress inappropriate capabilities.

Another reason is that there may be differential capabilities depending 
upon the userid that authenticated.  Anonymous is an obvious example of a 
userid that may have more limited capabilities than other userids.

I sympathize with the desire to reduce RTTs; that's why I added 
auto-announce when I observed that STARTTLS resulted in three RTTs just 
for CAPABILITY.  With auto-announce, only one CAPABILITY command is needed 
(after the STARTTLS).  However, in the case you mentioned, I don't see how 
it can be avoided; the Mirapoint server doesn't auto-announce.

The Mirapoint server has one strange behavior; it only announces 
LOGIN-REFERRALS after authentication.  Since that's only useful prior to 
authentication, it seems a bit strange.

The Mirapoint server could also avoid the "revoked capability" problem by 
not advertising ACL until after authentication.  However, that would still 
cause a problem for your client if it does not re-issue the CAPABILITY 
command after authentication.

-- Mark --

http://staff.washington.edu/mrc
Science does not emerge from voting, party politics, or public debate.
Si vis pacem, para bellum.

More information about the Imap-protocol mailing list