5.1 Security Considerations for Implementers

This extension offers no inherent security mechanisms to protect user credentials during authentication. For this reason, it is extremely important to use this extension only over a secure communication channel such as Transport Layer Security (TLS), as specified in [RFC4346].

In environments where the use of TLS or other external security is mandated, it is strongly recommended that the AUTH LOGIN advertisement be suppressed until a secure channel is negotiated. TLS in particular accommodates this behavior, because the SMTP session is restarted after TLS is negotiated.
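
The following check is an added example and is not part of this specification: it reads a recorded SMTP session and reports whether AUTH LOGIN was advertised before STARTTLS completed. The two transcripts, the host names, and the "C: " / "S: " line prefixes are constructed for illustration.

```python
import re

# Matches an EHLO reply line carrying AUTH mechanisms; "AUTH=" is the
# legacy spelling some servers emit alongside "AUTH ".
AUTH_LINE = re.compile(r"^250[- ]AUTH[ =](.*)$", re.IGNORECASE)

# Constructed transcript: AUTH LOGIN offered on the cleartext channel.
SAMPLE_EXPOSED = """\
S: 220 mail.example.test ESMTP
C: EHLO client.example.test
S: 250-mail.example.test
S: 250-STARTTLS
S: 250 AUTH LOGIN PLAIN
"""

# Constructed transcript: AUTH LOGIN appears only after the TLS restart.
SAMPLE_SUPPRESSED = """\
S: 220 mail.example.test ESMTP
C: EHLO client.example.test
S: 250-mail.example.test
S: 250 STARTTLS
C: STARTTLS
S: 220 Ready to start TLS
C: EHLO client.example.test
S: 250-mail.example.test
S: 250 AUTH LOGIN
"""

def audit_transcript(transcript):
    """Collect AUTH mechanisms advertised before and after STARTTLS."""
    tls_active = False        # True once the server accepts STARTTLS
    starttls_pending = False  # client sent STARTTLS, reply not yet seen
    seen = {"pre_tls": set(), "post_tls": set()}
    for raw in transcript.splitlines():
        side, _, line = raw.partition(": ")
        line = line.strip()
        if side == "C":
            starttls_pending = line.upper() == "STARTTLS"
        elif starttls_pending:
            # A 220 reply means the handshake follows and the session restarts.
            tls_active = tls_active or line.startswith("220")
            starttls_pending = False
        elif (m := AUTH_LINE.match(line)):
            mechs = {tok.upper() for tok in m.group(1).split()}
            seen["post_tls" if tls_active else "pre_tls"] |= mechs
    seen["login_exposed"] = "LOGIN" in seen["pre_tls"]
    return seen
```

A result with `login_exposed` set to true means the server offered AUTH LOGIN on the unprotected channel, contrary to the recommendation above.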