> We were dealing recently with this bug in our environment and since
> there is no official statement from the authors, I'm also CC'ing the
> author of this commit [1], who is also the author of RFC [2], if I got
> this right. I was reading through the RFC and this commit does it
> exactly according to the specification, but it looks like it is not
> backward compatible with some other implementations, namely M$
> ActiveDirectory or even cyrus-sasl-2.1.23. Interoperability is
> important for us and we can't leave this change here only because
> "it's in the RFC". If I see correctly, most distributions reverted
> this commit in their releases and they are still doing fine. We will
> probably join them if there is no other solution that maintains
> backward compatibility.

You know, a reading of the RFC says that if you're requesting a security
layer you MUST set the mutual_req_flag flag to TRUE, but it does not say
that you MUST set it to FALSE if you are not. So my reading of the code
says that it's RFC compliant without this change.

And honestly, I cannot really envision a reason why you would ever NOT
want mutual authentication (I am neutral on the sequence flag, but I
cannot see the harm in setting it).

--Ken