Arnt,
I agree that AUTHENTICATE offers more flexibility than LOGIN, making it more suitable for modern authentication needs, to an extent making it a better fit for UA. As mail servers increasingly favor API-based authentication and device-specific access, OAuth and Passkeys align well with this trend.
From my experience writing code to send emails from applications, I found that using username and password login with SMTP is becoming increasingly difficult due to stricter security measures enforced by email providers. e.g. Gmail has tightened security measures, making it challenging to rely on traditional username-password authentication. Instead, I had to resort to the Gmail API, which enforces OAuth-based authentication.. Also, mail servers requirement for two-factor authentication (2FA) is driving the transition away from basic login methods. 

Regards,
Dessalegn     

On Tue, Jan 28, 2025 at 10:16 PM Arnt Gulbrandsen via UA-EAI <ua-eai@icann.org> wrote:

Hi,

 

I may be confused, by which I mean that I definitely am confused by hope I’m not TOO confused about this particular part of the world.

 

The LOGIN command allows only ASCII usernames and passwords, but various forms of AUTHENTICATE allow anything and everything, independent of UTF8=ACCEPT. I like AUTHENTICATE much better than LOGIN and see Oauth and/or Passkey as the way forward for UA. (I have opinions about which is best, but in truth I’ll be happy if there’s traction on either. Anything good enough is good enough.)

 

Arnt

 

From: "John R. Levine" <johnl@iecc.com>
Date: Tuesday, 28 January 2025 at 18:23
To: Arnt Gulbrandsen <arnt.gulbrandsen@icann.org>, Dr Ajay Data <ajay@data.in>, "ua-eai@icann.org" <ua-eai@icann.org>
Subject: Re: [UA-EAI] Re: [Ext] Re: Dovecot 2.4 released today

 

On Tue, 28 Jan 2025, Arnt Gulbrandsen wrote:

Dovecot allows practically everything even if you don’t enable UTF8=ACCEPT. From memory there are only two differences:

 

  1.  Dovecot won’t allow a well-behaved MTA such as Exim or Postfix to deliver mail with SMTPUTF8. Postfix has an option to override that, I’m sure there are other ways as well. I doubt that many people enable this option, or one of the other ways.

  2.  If a message arrives From: blå@xn--gr-zia.org, such as you might see if the message is from Exchange, then you may see xn- -gr-zia in the user interface of a mail reader, and a search for grå may or may not find the message. If UTF8=ACCEPT is enabled you should only ever see grå and searching should work reliably.

 

That sounds right.  But the bit about ASCII usernames and passwords is

also true.  I looked at the code which is quite simple.

 

 

Dovecot’s handling of unexpected Unicode is so liberal that some clients protest 😉

 

Arnt

 

From: "John R. Levine" <johnl@iecc.com>

Date: Monday, 27 January 2025 at 18:18

To: Arnt Gulbrandsen <arnt.gulbrandsen@icann.org>, Dr Ajay Data <ajay@data.in>, "ua-eai@icann.org" <ua-eai@icann.org>

Subject: Re: [UA-EAI] Re: [Ext] Re: Dovecot 2.4 released today

 

On Mon, 27 Jan 2025, Arnt Gulbrandsen wrote:

Sorry, I assumed that John’s question was about IMAP clients. I agree that there are more UA-ready mail clients in general, even if I’m a little surprised by that list. Last time I tested the ios app (Apple’s, I assume) it was unable to reply correctly, and since I’m typing this into Outlook, let’s test… nope, can’t add a Unicode address to this message, see screenshot. The previous version could do it, and OWA can too.

 

When I was testing EAI software a while ago, I found almost no IMAP

clients or servers that had the EAI extensions, but it hardly mattered

since they handled EAI messages and UTF-8 folder names using the regular

non-EAI methods.  Dovecot, at least up to 2.3, only allows ASCII user

names and passwords (I looked at the code.)  In 2.4 it should allow them

if your client turns on the extension.  Any idea if it does even if you

don't?

 

Regards,

John Levine, johnl@taugh.com<mailto:johnl@taugh.com>, Primary Perpetrator of "The Internet for Dummies",

 

 

 

Regards,

John Levine, johnl@taugh.com, Primary Perpetrator of "The Internet for Dummies",

 

_______________________________________________
UA-EAI mailing list -- ua-eai@icann.org
To unsubscribe send an email to ua-eai-leave@icann.org
_______________________________________________
By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.