Currently, when choosing an authentication method, Claws Mail uses the first one that the server offers it. Please make it use methods in the following order of priority: CRAM-MD5, PLAIN, LOGIN.
Just twice curious:
- what's the rationale for your list?
- and why is it an enhancement over the server-offered list?
CRAM-MD5 is better than PLAIN and LOGIN because it does not pass the password in plain text, instead using hash comparison. PLAIN is better than LOGIN because it passes the username and password for one SASL interaction, not two, and is also described in the RFC. The server offers a list that its administrator wrote in the configuration. You can write it in any order you like.
I think the original bug description is not correct. The code is in the function smtp_auth here:
https://git.claws-mail.org/?p=claws.git;a=blob;f=src/common/smtp.c;h=2460f7e0455e3d1fbc5715bc3669cc3ca99399b2;hb=HEAD#l156

This looks like it is forcing a method that is configured if there is one, and if not, then it is using CRAM-MD5, LOGIN, PLAIN in that order.

I agree, however, that the order should be changed. PLAIN spares a roundtrip, thus it is faster and more likely to work with a weak internet connection.

I am attaching a patch that switches PLAIN and LOGIN, which means that if both are available, PLAIN will be used. One can argue about the order of CRAM-MD5 vs. the others, but CRAM-MD5 is not widely supported anyway, so I would consider that of minor importance.

One may also consider just completely removing LOGIN, as it has never been standardized; it only exists as a 17-year-old draft, and IANA considers it obsolete [1].

[1] https://www.iana.org/assignments/sasl-mechanisms/sasl-mechanisms.xhtml
Created attachment 2063
switch PLAIN and LOGIN authentication mechanisms so the faster and standardized PLAIN is preferred
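Added example, not part of the thread and not code from Claws Mail's smtp.c: a client-side selection that ignores the order in which the server lists its mechanisms and applies the priority requested in the report (CRAM-MD5, PLAIN, LOGIN), while still honouring a configured mechanism. All identifiers and the sample EHLO line are constructed for illustration, and the "no fallback when a forced mechanism is not offered" behaviour is an assumption of this example.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>
/* Hypothetical names, not the identifiers in Claws Mail's smtp.c.
 * Table order is the client-side preference proposed in the thread. */
enum { MECH_NONE = 0, MECH_CRAM_MD5 = 1, MECH_PLAIN = 2, MECH_LOGIN = 4 };
static const struct { const char *name; int bit; } mechs[] = {
    { "CRAM-MD5", MECH_CRAM_MD5 },
    { "PLAIN",    MECH_PLAIN    },
    { "LOGIN",    MECH_LOGIN    },
};
#define N_MECHS (sizeof mechs / sizeof mechs[0])

/* One EHLO reply line ("250-AUTH ..."; the non-standard "AUTH=" form too)
 * into a bitmask. Whole-token, case-insensitive: "XPLAIN" is not PLAIN. */
int parse_auth_line(const char *line)
{
    char buf[513];   /* RFC 5321 caps a reply line at 512 octets */
    int avail = MECH_NONE;
    if (strncmp(line, "250", 3) != 0 || (line[3] != '-' && line[3] != ' ') ||
        strncasecmp(line + 4, "AUTH", 4) != 0 ||
        (line[8] != ' ' && line[8] != '=') || strlen(line + 9) >= sizeof buf)
        return MECH_NONE;
    strcpy(buf, line + 9);   /* length checked above */
    for (char *tok = strtok(buf, " \r\n"); tok; tok = strtok(NULL, " \r\n"))
        for (size_t i = 0; i < N_MECHS; i++)
            if (strcasecmp(tok, mechs[i].name) == 0)
                avail |= mechs[i].bit;
    return avail;
}

/* forced != MECH_NONE models a mechanism pinned in the account settings
 * (assumption of this example: it is used only if offered, no fallback). */
int choose_mech(int avail, int forced)
{
    if (forced != MECH_NONE)
        return (avail & forced) ? forced : MECH_NONE;
    for (size_t i = 0; i < N_MECHS; i++)
        if (avail & mechs[i].bit)
            return mechs[i].bit;
    return MECH_NONE;
}

int main(void)
{   /* Constructed server reply that lists the weakest mechanism first. */
    int avail = parse_auth_line("250-AUTH LOGIN PLAIN CRAM-MD5\r\n");
    printf("chosen mechanism bit: %d\n", choose_mech(avail, MECH_NONE));
    return 0;
}
```

Returning MECH_NONE when a pinned mechanism is not offered lets the caller report an error instead of quietly downgrading to a mechanism that sends the password in the clear.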